1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 * \author Ken Steele <suricata@tilera.com>
23 *
24 * Time keeping for offline (non-live) packet handling (pcap files).
25 * And time string generation for alerts.
26 */
27
28 /* Real time vs offline time
29 *
30 * When we run on live traffic, time handling is simple. Packets have a
31 * timestamp set by the capture method. Management threads can simply
32 * use 'gettimeofday' to know the current time. There should never be
33 * any serious gap between the two.
34 *
35 * In offline mode, things are dramatically different. Here we try to keep
36 * the time from the pcap, which means that if the packets are in 2011 the
37 * log output should also reflect this. Multiple issues:
38 * 1. merged pcaps might have huge time jumps or time going backward
39 * 2. slowly recorded pcaps may be processed much faster than their 'realtime'
40 * 3. management threads need a concept of what the 'current' time is for
41 * enforcing timeouts
42 * 4. due to (1) individual threads may have very different views on what
43 * the current time is. E.g. T1 processed packet 1 with TS X, while T2
44 * at the very same time processes packet 2 with TS X+100000s.
45 *
46 * In offline mode we keep the timestamp per thread. If a management thread
47 * needs current time, it will get the minimum of the threads' values. This
48 * is to avoid the problem that T2s time value might already trigger a flow
49 * timeout as the flow lastts + 100000s is almost certainly meaning the flow
50 * would be considered timed out.
51 */
52
53 #ifdef OS_WIN32
54 /* for MinGW we need to set _POSIX_C_SOURCE before including
55 * sys/time.h. */
56 #ifndef _POSIX_C_SOURCE
57 #define _POSIX_C_SOURCE 200809L
58 #endif
59 #endif
60
61 #include "suricata-common.h"
62 #include "detect.h"
63 #include "threads.h"
64 #include "tm-threads.h"
65 #include "util-debug.h"
66
67 #ifdef UNITTESTS
68 static struct timeval current_time = { 0, 0 };
69 #endif
70 //static SCMutex current_time_mutex = SCMUTEX_INITIALIZER;
71 static SCSpinlock current_time_spinlock;
72 static bool live_time_tracking = true;
73
74 struct tm *SCLocalTime(time_t timep, struct tm *result);
75 struct tm *SCUtcTime(time_t timep, struct tm *result);
76
TimeInit(void)77 void TimeInit(void)
78 {
79 SCSpinInit(¤t_time_spinlock, 0);
80
81 /* Initialize Time Zone settings. */
82 tzset();
83 }
84
TimeDeinit(void)85 void TimeDeinit(void)
86 {
87 SCSpinDestroy(¤t_time_spinlock);
88 }
89
TimeModeIsReady(void)90 bool TimeModeIsReady(void)
91 {
92 if (live_time_tracking)
93 return true;
94 return TmThreadsTimeSubsysIsReady();
95 }
96
TimeModeSetLive(void)97 void TimeModeSetLive(void)
98 {
99 live_time_tracking = true;
100 SCLogDebug("live time mode enabled");
101 }
102
TimeModeSetOffline(void)103 void TimeModeSetOffline (void)
104 {
105 live_time_tracking = false;
106 SCLogDebug("offline time mode enabled");
107 }
108
TimeModeIsLive(void)109 bool TimeModeIsLive(void)
110 {
111 return live_time_tracking;
112 }
113
TimeSetByThread(const int thread_id,const struct timeval * tv)114 void TimeSetByThread(const int thread_id, const struct timeval *tv)
115 {
116 if (live_time_tracking)
117 return;
118
119 TmThreadsSetThreadTimestamp(thread_id, tv);
120 }
121
122 #ifdef UNITTESTS
TimeSet(struct timeval * tv)123 void TimeSet(struct timeval *tv)
124 {
125 if (live_time_tracking)
126 return;
127
128 if (tv == NULL)
129 return;
130
131 SCSpinLock(¤t_time_spinlock);
132 current_time.tv_sec = tv->tv_sec;
133 current_time.tv_usec = tv->tv_usec;
134
135 SCLogDebug("time set to %" PRIuMAX " sec, %" PRIuMAX " usec",
136 (uintmax_t)current_time.tv_sec, (uintmax_t)current_time.tv_usec);
137
138 SCSpinUnlock(¤t_time_spinlock);
139 }
140
141 /** \brief set the time to "gettimeofday" meant for testing */
TimeSetToCurrentTime(void)142 void TimeSetToCurrentTime(void)
143 {
144 struct timeval tv;
145 memset(&tv, 0x00, sizeof(tv));
146
147 gettimeofday(&tv, NULL);
148
149 TimeSet(&tv);
150 }
151 #endif
152
TimeGet(struct timeval * tv)153 void TimeGet(struct timeval *tv)
154 {
155 if (tv == NULL)
156 return;
157
158 if (live_time_tracking) {
159 gettimeofday(tv, NULL);
160 } else {
161 #ifdef UNITTESTS
162 if (unlikely(RunmodeIsUnittests())) {
163 SCSpinLock(¤t_time_spinlock);
164 tv->tv_sec = current_time.tv_sec;
165 tv->tv_usec = current_time.tv_usec;
166 SCSpinUnlock(¤t_time_spinlock);
167 } else {
168 #endif
169 TmThreadsGetMinimalTimestamp(tv);
170 #ifdef UNITTESTS
171 }
172 #endif
173 }
174
175 SCLogDebug("time we got is %" PRIuMAX " sec, %" PRIuMAX " usec",
176 (uintmax_t)tv->tv_sec, (uintmax_t)tv->tv_usec);
177 }
178
179 #ifdef UNITTESTS
180 /** \brief increment the time in the engine
181 * \param tv_sec seconds to increment the time with */
TimeSetIncrementTime(uint32_t tv_sec)182 void TimeSetIncrementTime(uint32_t tv_sec)
183 {
184 struct timeval tv;
185 memset(&tv, 0x00, sizeof(tv));
186 TimeGet(&tv);
187
188 tv.tv_sec += tv_sec;
189
190 TimeSet(&tv);
191 }
192 #endif
193
194 #ifdef OS_WIN32
195 /** \internal
196 * \brief wrapper around strftime on Windows to provide output
197 * compatible with posix %z
198 */
WinStrftime(const struct timeval * ts,const struct tm * t,char * str,size_t size)199 static inline void WinStrftime(const struct timeval *ts, const struct tm *t, char *str, size_t size)
200 {
201 char time_fmt[64] = { 0 };
202 char tz[6] = { 0 };
203 const long int tzdiff = -_timezone;
204 const int h = abs(_timezone) / 3600 + _daylight;
205 const int m = (abs(_timezone) % 3600) / 60;
206 snprintf(tz, sizeof(tz), "%c%02d%02d", tzdiff < 0 ? '-' : '+', h, m);
207 strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S.%%06u", t);
208 snprintf(str, size, time_fmt, ts->tv_usec);
209 strlcat(str, tz, size); // append our timezone
210 }
211 #endif
212
CreateIsoTimeString(const struct timeval * ts,char * str,size_t size)213 void CreateIsoTimeString (const struct timeval *ts, char *str, size_t size)
214 {
215 time_t time = ts->tv_sec;
216 struct tm local_tm;
217 memset(&local_tm, 0, sizeof(local_tm));
218 struct tm *t = (struct tm*)SCLocalTime(time, &local_tm);
219
220 if (likely(t != NULL)) {
221 #ifdef OS_WIN32
222 WinStrftime(ts, t, str, size);
223 #else
224 char time_fmt[64] = { 0 };
225 strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S.%%06u%z", t);
226 snprintf(str, size, time_fmt, ts->tv_usec);
227 #endif
228 } else {
229 snprintf(str, size, "ts-error");
230 }
231 }
232
CreateUtcIsoTimeString(const struct timeval * ts,char * str,size_t size)233 void CreateUtcIsoTimeString (const struct timeval *ts, char *str, size_t size)
234 {
235 time_t time = ts->tv_sec;
236 struct tm local_tm;
237 memset(&local_tm, 0, sizeof(local_tm));
238 struct tm *t = (struct tm*)SCUtcTime(time, &local_tm);
239 char time_fmt[64] = { 0 };
240
241 if (likely(t != NULL)) {
242 strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S", t);
243 snprintf(str, size, time_fmt, ts->tv_usec);
244 } else {
245 snprintf(str, size, "ts-error");
246 }
247 }
248
CreateFormattedTimeString(const struct tm * t,const char * fmt,char * str,size_t size)249 void CreateFormattedTimeString (const struct tm *t, const char *fmt, char *str, size_t size)
250 {
251 if (likely(t != NULL && fmt != NULL && str != NULL)) {
252 strftime(str, size, fmt, t);
253 } else {
254 snprintf(str, size, "ts-error");
255 }
256 }
257
SCUtcTime(time_t timep,struct tm * result)258 struct tm *SCUtcTime(time_t timep, struct tm *result)
259 {
260 return gmtime_r(&timep, result);
261 }
262
263 /*
264 * Time Caching code
265 */
266
267 #ifndef TLS
268 /* OpenBSD does not support thread_local, so don't use time caching on BSD
269 */
SCLocalTime(time_t timep,struct tm * result)270 struct tm *SCLocalTime(time_t timep, struct tm *result)
271 {
272 return localtime_r(&timep, result);
273 }
274
CreateTimeString(const struct timeval * ts,char * str,size_t size)275 void CreateTimeString (const struct timeval *ts, char *str, size_t size)
276 {
277 time_t time = ts->tv_sec;
278 struct tm local_tm;
279 struct tm *t = (struct tm*)SCLocalTime(time, &local_tm);
280
281 if (likely(t != NULL)) {
282 snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u",
283 t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_hour,
284 t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);
285 } else {
286 snprintf(str, size, "ts-error");
287 }
288 }
289
290 #else
291
292 /* On systems supporting thread_local, use Per-thread values for caching
293 * in CreateTimeString */
294
295 /* The maximum possible length of the time string.
296 * "%02d/%02d/%02d-%02d:%02d:%02d.%06u"
297 * Or "01/01/2013-15:42:21.123456", which is 26, so round up to 32. */
298 #define MAX_LOCAL_TIME_STRING 32
299
300 static thread_local int mru_time_slot; /* Most recently used cached value */
301 static thread_local time_t last_local_time[2];
302 static thread_local short int cached_local_time_len[2];
303 static thread_local char cached_local_time[2][MAX_LOCAL_TIME_STRING];
304
305 /* Per-thread values for caching SCLocalTime() These cached values are
306 * independent from the CreateTimeString cached values. */
307 static thread_local int mru_tm_slot; /* Most recently used local tm */
308 static thread_local time_t cached_minute_start[2];
309 static thread_local struct tm cached_local_tm[2];
310
311 /** \brief Convert time_t into Year, month, day, hour and minutes.
312 * \param timep Time in seconds since defined date.
313 * \param result The structure into which the broken down time it put.
314 *
315 * To convert a time in seconds into year, month, day, hours, minutes
316 * and seconds, call localtime_r(), which uses the current time zone
317 * to compute these values. Note, glibc's localtime_r() aquires a lock
318 * each time it is called, which limits parallelism. To call
319 * localtime_r() less often, the values returned are cached for the
320 * current and previous minute and then seconds are adjusted to
321 * compute the returned result. This is valid as long as the
322 * difference between the start of the current minute and the current
323 * time is less than 60 seconds. Once the minute value changes, all
324 * the other values could change.
325 *
326 * Two values are cached to prevent thrashing when changing from one
327 * minute to the next. The two cached minutes are independent and are
328 * not required to be M and M+1. If more than two minutes are
329 * requested, the least-recently-used cached value is updated more
330 * often, the results are still correct, but performance will be closer
331 * to previous performance.
332 */
SCLocalTime(time_t timep,struct tm * result)333 struct tm *SCLocalTime(time_t timep, struct tm *result)
334 {
335 /* Only get a new local time when the time crosses into a new
336 * minute. */
337 int mru = mru_tm_slot;
338 int lru = 1 - mru;
339 int mru_seconds = timep - cached_minute_start[mru];
340 int lru_seconds = timep - cached_minute_start[lru];
341 int new_seconds;
342 if (cached_minute_start[mru]==0 && cached_minute_start[lru]==0) {
343 localtime_r(&timep, &cached_local_tm[lru]);
344 /* Subtract seconds to get back to the start of the minute. */
345 new_seconds = cached_local_tm[lru].tm_sec;
346 cached_minute_start[lru] = timep - new_seconds;
347 mru = lru;
348 mru_tm_slot = mru;
349 } else if (lru_seconds > 0 && (mru_seconds >= 0 && mru_seconds <= 59)) {
350 /* Use most-recently cached time, adjusting the seconds. */
351 new_seconds = mru_seconds;
352 } else if (mru_seconds > 0 && (lru_seconds >= 0 && lru_seconds <= 59)) {
353 /* Use least-recently cached time, update to most recently used. */
354 new_seconds = lru_seconds;
355 mru = lru;
356 mru_tm_slot = mru;
357 } else {
358 /* Update least-recent cached time. */
359 if (localtime_r(&timep, &cached_local_tm[lru]) == NULL)
360 return NULL;
361 /* Subtract seconds to get back to the start of the minute. */
362 new_seconds = cached_local_tm[lru].tm_sec;
363 cached_minute_start[lru] = timep - new_seconds;
364 mru = lru;
365 mru_tm_slot = mru;
366 }
367 memcpy(result, &cached_local_tm[mru], sizeof(struct tm));
368 result->tm_sec = new_seconds;
369
370 return result;
371 }
372
373 /* Update the cached time string in cache index N, for the current minute. */
UpdateCachedTime(int n,time_t time)374 static int UpdateCachedTime(int n, time_t time)
375 {
376 struct tm local_tm;
377 struct tm *t = (struct tm *)SCLocalTime(time, &local_tm);
378 int cached_len = snprintf(cached_local_time[n], MAX_LOCAL_TIME_STRING,
379 "%02d/%02d/%02d-%02d:%02d:",
380 t->tm_mon + 1, t->tm_mday, t->tm_year + 1900,
381 t->tm_hour, t->tm_min);
382 cached_local_time_len[n] = cached_len;
383 /* Store the time of the beginning of the minute. */
384 last_local_time[n] = time - t->tm_sec;
385 mru_time_slot = n;
386
387 return t->tm_sec;
388 }
389
390 /** \brief Return a formatted string for the provided time.
391 *
392 * Cache the Month/Day/Year - Hours:Min part of the time string for
393 * the current minute. Copy that result into the the return string and
394 * then only print the seconds for each call.
395 */
CreateTimeString(const struct timeval * ts,char * str,size_t size)396 void CreateTimeString (const struct timeval *ts, char *str, size_t size)
397 {
398 time_t time = ts->tv_sec;
399 int seconds;
400
401 /* Only get a new local time when the time crosses into a new
402 * minute */
403 int mru = mru_time_slot;
404 int lru = 1 - mru;
405 int mru_seconds = time - last_local_time[mru];
406 int lru_seconds = time - last_local_time[lru];
407 if (last_local_time[mru]==0 && last_local_time[lru]==0) {
408 /* First time here, update both caches */
409 UpdateCachedTime(mru, time);
410 seconds = UpdateCachedTime(lru, time);
411 } else if (mru_seconds >= 0 && mru_seconds <= 59) {
412 /* Use most-recently cached time. */
413 seconds = mru_seconds;
414 } else if (lru_seconds >= 0 && lru_seconds <= 59) {
415 /* Use least-recently cached time. Change this slot to Most-recent */
416 seconds = lru_seconds;
417 mru_time_slot = lru;
418 } else {
419 /* Update least-recent cached time. Lock accessing local time
420 * function because it keeps any internal non-spin lock. */
421 seconds = UpdateCachedTime(lru, time);
422 }
423
424 /* Copy the string up to the current minute then print the seconds
425 into the return string buffer. */
426 char *cached_str = cached_local_time[mru_time_slot];
427 int cached_len = cached_local_time_len[mru_time_slot];
428 if (cached_len >= (int)size)
429 cached_len = size;
430 memcpy(str, cached_str, cached_len);
431 snprintf(str + cached_len, size - cached_len,
432 "%02d.%06u",
433 seconds, (uint32_t) ts->tv_usec);
434 }
435
436 #endif /* defined(__OpenBSD__) */
437
438 /**
439 * \brief Convert broken-down time to seconds since Unix epoch.
440 *
441 * This function is based on: http://www.catb.org/esr/time-programming
442 * (released to the public domain).
443 *
444 * \param tp Pointer to broken-down time.
445 *
446 * \retval Seconds since Unix epoch.
447 */
SCMkTimeUtc(struct tm * tp)448 time_t SCMkTimeUtc (struct tm *tp)
449 {
450 time_t result;
451 long year;
452 #define MONTHSPERYEAR 12
453 static const int mdays[MONTHSPERYEAR] =
454 { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
455
456 year = 1900 + tp->tm_year + tp->tm_mon / MONTHSPERYEAR;
457 result = (year - 1970) * 365 + mdays[tp->tm_mon % MONTHSPERYEAR];
458 result += (year - 1968) / 4;
459 result -= (year - 1900) / 100;
460 result += (year - 1600) / 400;
461 if ((year % 4) == 0 && ((year % 100) != 0 || (year % 400) == 0) &&
462 (tp->tm_mon % MONTHSPERYEAR) < 2)
463 result--;
464 result += tp->tm_mday - 1;
465 result *= 24;
466 result += tp->tm_hour;
467 result *= 60;
468 result += tp->tm_min;
469 result *= 60;
470 result += tp->tm_sec;
471 #ifndef OS_WIN32
472 if (tp->tm_gmtoff)
473 result -= tp->tm_gmtoff;
474 #endif
475 return result;
476 }
477
478 /**
479 * \brief Parse a date string based on specified patterns.
480 *
481 * This function is based on GNU C library getdate.
482 *
483 * \param string Date string to parse.
484 * \param patterns String array containing patterns.
485 * \param num_patterns Number of patterns to check.
486 * \param tp Pointer to broken-down time.
487 *
488 * \retval 0 on success.
489 * \retval 1 on failure.
490 */
SCStringPatternToTime(char * string,const char ** patterns,int num_patterns,struct tm * tp)491 int SCStringPatternToTime (char *string, const char **patterns, int num_patterns,
492 struct tm *tp)
493 {
494 char *result = NULL;
495 int i = 0;
496
497 /* Do the pattern matching */
498 for (i = 0; i < num_patterns; i++)
499 {
500 if (patterns[i] == NULL)
501 continue;
502
503 tp->tm_hour = tp->tm_min = tp->tm_sec = 0;
504 tp->tm_year = tp->tm_mon = tp->tm_mday = tp->tm_wday = INT_MIN;
505 tp->tm_isdst = -1;
506 #ifndef OS_WIN32
507 tp->tm_gmtoff = 0;
508 tp->tm_zone = NULL;
509 #endif
510 result = strptime(string, patterns[i], tp);
511
512 if (result && *result == '\0')
513 break;
514 }
515
516 /* Return if no patterns matched */
517 if (result == NULL || *result != '\0')
518 return 1;
519
520 /* Return if no date is given */
521 if (tp->tm_year == INT_MIN && tp->tm_mon == INT_MIN &&
522 tp->tm_mday == INT_MIN)
523 return 1;
524
525 /* The first of the month is assumed, if only year and
526 month is given */
527 if (tp->tm_year != INT_MIN && tp->tm_mon != INT_MIN &&
528 tp->tm_mday <= 0)
529 tp->tm_mday = 1;
530
531 return 0;
532 }
533
534 /**
535 * \brief Convert epoch time to string pattern.
536 *
537 * This function converts epoch time to a string based on a pattern.
538 *
539 * \param epoch Epoch time.
540 * \param pattern String pattern.
541 * \param str Formated string.
542 * \param size Size of allocated string.
543 *
544 * \retval 0 on success.
545 * \retval 1 on failure.
546 */
SCTimeToStringPattern(time_t epoch,const char * pattern,char * str,size_t size)547 int SCTimeToStringPattern (time_t epoch, const char *pattern, char *str, size_t size)
548 {
549 struct tm tm;
550 memset(&tm, 0, sizeof(tm));
551 struct tm *tp = (struct tm *)SCLocalTime(epoch, &tm);
552 char buffer[PATH_MAX] = { 0 };
553
554 if (unlikely(tp == NULL)) {
555 return 1;
556 }
557
558 int r = strftime(buffer, sizeof(buffer), pattern, tp);
559 if (r == 0) {
560 return 1;
561 }
562
563 strlcpy(str, buffer, size);
564
565 return 0;
566 }
567
568 /**
569 * \brief Parse string containing time size (1m, 1h, etc).
570 *
571 * \param str String to parse.
572 *
573 * \retval size on success.
574 * \retval 0 on failure.
575 */
SCParseTimeSizeString(const char * str)576 uint64_t SCParseTimeSizeString (const char *str)
577 {
578 uint64_t size = 0;
579 uint64_t modifier = 1;
580 char last = str[strlen(str)-1];
581
582 switch (last)
583 {
584 case '0' ... '9':
585 break;
586 /* seconds */
587 case 's':
588 break;
589 /* minutes */
590 case 'm':
591 modifier = 60;
592 break;
593 /* hours */
594 case 'h':
595 modifier = 60 * 60;
596 break;
597 /* days */
598 case 'd':
599 modifier = 60 * 60 * 24;
600 break;
601 /* weeks */
602 case 'w':
603 modifier = 60 * 60 * 24 * 7;
604 break;
605 /* invalid */
606 default:
607 return 0;
608 }
609
610 errno = 0;
611 size = strtoumax(str, NULL, 10);
612 if (errno) {
613 return 0;
614 }
615
616 return (size * modifier);
617 }
618
619 /**
620 * \brief Get seconds until a time unit changes.
621 *
622 * \param str String containing time type (minute, hour, etc).
623 * \param epoch Epoch time.
624 *
625 * \retval seconds.
626 */
SCGetSecondsUntil(const char * str,time_t epoch)627 uint64_t SCGetSecondsUntil (const char *str, time_t epoch)
628 {
629 uint64_t seconds = 0;
630 struct tm tm;
631 memset(&tm, 0, sizeof(tm));
632 struct tm *tp = (struct tm *)SCLocalTime(epoch, &tm);
633
634 if (strcmp(str, "minute") == 0)
635 seconds = 60 - tp->tm_sec;
636 else if (strcmp(str, "hour") == 0)
637 seconds = (60 * (60 - tp->tm_min)) + (60 - tp->tm_sec);
638 else if (strcmp(str, "day") == 0)
639 seconds = (3600 * (24 - tp->tm_hour)) + (60 * (60 - tp->tm_min)) +
640 (60 - tp->tm_sec);
641
642 return seconds;
643 }
644
SCTimespecAsEpochMillis(const struct timespec * ts)645 uint64_t SCTimespecAsEpochMillis(const struct timespec* ts)
646 {
647 return ts->tv_sec * 1000L + ts->tv_nsec / 1000000L;
648 }
649