suricata
alert-prelude.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pierre Chifflier <chifflier@edenwall.com>
22  * \author Yoann Vandoorselaere <yoann.v@prelude-ids.com>
23  *
24  * Logs alerts to the Prelude system, using IDMEF (RFC 4765) messages.
25  *
26  * Each message contains the alert description and reference (using
27  * the SID/GID), and a normalized description (assessment, impact,
28  * sources etc.)
29  *
30  * libprelude handles the connection with the manager (collecting component),
31  * spooling and sending the event asynchronously. It also offers transport
32  * security (using TLS and trusted certificates) and reliability (events
33  * are retransmitted if not sent successfully).
34  *
35  * This modules requires a Prelude profile to work (see man prelude-admin
36  * and the Prelude Handbook for help).
37  */
38 
39 #include "suricata-common.h"
40 #include "debug.h"
41 #include "detect.h"
42 #include "flow.h"
43 #include "conf.h"
44 
45 #include "threads.h"
46 #include "threadvars.h"
47 #include "tm-threads.h"
48 
49 #include "util-unittest.h"
50 #include "util-time.h"
51 #include "util-debug.h"
52 #include "util-error.h"
53 #include "util-print.h"
54 
55 #include "output.h"
56 #include "output-json.h"
57 #include "output-json-http.h"
58 #include "output-json-tls.h"
59 #include "output-json-ssh.h"
60 #include "output-json-smtp.h"
62 
63 #include "util-privs.h"
64 #include "util-optimize.h"
65 
66 #include "stream.h"
67 
68 #include "alert-prelude.h"
69 
70 #ifndef PRELUDE
71 
72 /* Handle the case where no PRELUDE support is compiled in. */
73 
74 void AlertPreludeRegister(void)
75 {
76  SCLogDebug("Can't register Prelude output thread - Prelude support was disabled during build.");
77 }
78 
79 #else /* implied we do have PRELUDE support */
80 
81 #include <libprelude/prelude.h>
82 
83 #define ANALYZER_CLASS "NIDS"
84 #define ANALYZER_MODEL "Suricata"
85 #define ANALYZER_MANUFACTURER "http://www.openinfosecfoundation.org/"
86 #define ANALYZER_SID_URL "http://www.snort.org/search/sid/"
87 
88 #define SNORT_MAX_OWNED_SID 1000000
89 #define DEFAULT_ANALYZER_NAME "suricata"
90 
91 #define DEFAULT_PRELUDE_PROFILE "suricata"
92 
93 static unsigned int info_priority = 4;
94 static unsigned int low_priority = 3;
95 static unsigned int mid_priority = 2;
96 
97 /**
98  * This holds global structures and variables. Since libprelude is thread-safe,
99  * there is no need to store a mutex.
100  */
101 typedef struct AlertPreludeCtx_ {
102  /** The client (which has the send function) */
103  prelude_client_t *client;
107 
108 /**
109  * This holds per-thread specific structures and variables.
110  */
111 typedef struct AlertPreludeThread_ {
112  /** Pointer to the global context */
114  idmef_analyzer_t *analyzer;
116 
117 
118 /**
119  * \brief Initialize analyzer description
120  *
121  * \return 0 if ok
122  */
123 static int SetupAnalyzer(idmef_analyzer_t *analyzer)
124 {
125  int ret;
126  prelude_string_t *string;
127 
128  SCEnter();
129 
130  ret = idmef_analyzer_new_model(analyzer, &string);
131  if (unlikely(ret < 0)) {
132  SCLogDebug("%s: error creating analyzer model: %s.",
133  prelude_strsource(ret), prelude_strerror(ret));
134  SCReturnInt(ret);
135  }
136  ret = prelude_string_set_constant(string, ANALYZER_MODEL);
137  if (unlikely(ret < 0)) {
138  SCLogDebug("%s: error setting analyzer model: %s.",
139  prelude_strsource(ret), prelude_strerror(ret));
140  SCReturnInt(ret);
141  }
142 
143  ret = idmef_analyzer_new_class(analyzer, &string);
144  if (unlikely(ret < 0)) {
145  SCLogDebug("%s: error creating analyzer class: %s.",
146  prelude_strsource(ret), prelude_strerror(ret));
147  SCReturnInt(ret);
148  }
149  ret = prelude_string_set_constant(string, ANALYZER_CLASS);
150  if (unlikely(ret < 0)) {
151  SCLogDebug("%s: error setting analyzer class: %s.",
152  prelude_strsource(ret), prelude_strerror(ret));
153  SCReturnInt(ret);
154  }
155 
156  ret = idmef_analyzer_new_manufacturer(analyzer, &string);
157  if (unlikely(ret < 0)) {
158  SCLogDebug("%s: error creating analyzer manufacturer: %s.",
159  prelude_strsource(ret), prelude_strerror(ret));
160  SCReturnInt(ret);
161  }
162  ret = prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
163  if (unlikely(ret < 0)) {
164  SCLogDebug("%s: error setting analyzer manufacturer: %s.",
165  prelude_strsource(ret), prelude_strerror(ret));
166  SCReturnInt(ret);
167  }
168 
169  ret = idmef_analyzer_new_version(analyzer, &string);
170  if (unlikely(ret < 0)) {
171  SCLogDebug("%s: error creating analyzer version: %s.",
172  prelude_strsource(ret), prelude_strerror(ret));
173  SCReturnInt(ret);
174  }
175  ret = prelude_string_set_constant(string, VERSION);
176  if (unlikely(ret < 0)) {
177  SCLogDebug("%s: error setting analyzer version: %s.",
178  prelude_strsource(ret), prelude_strerror(ret));
179  SCReturnInt(ret);
180  }
181 
182  SCReturnInt(0);
183 }
184 
185 /**
186  * \brief Create event impact description (see section
187  * 4.2.6.1 of RFC 4765).
188  * The impact contains the severity, completion (succeeded or failed)
189  * and basic classification of the attack type.
190  * Here, we don't set the completion since we don't know it (default
191  * is unknown).
192  *
193  * \return 0 if ok
194  */
195 static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
196 {
197  int ret;
198  prelude_string_t *str;
199  idmef_impact_t *impact;
200  idmef_assessment_t *assessment;
201  idmef_impact_severity_t severity;
202 
203  SCEnter();
204 
205  ret = idmef_alert_new_assessment(alert, &assessment);
206  if (unlikely(ret < 0)) {
207  SCLogDebug("%s: error creating assessment: %s.",
208  prelude_strsource(ret), prelude_strerror(ret));
209  SCReturnInt(ret);
210  }
211 
212  ret = idmef_assessment_new_impact(assessment, &impact);
213  if (unlikely(ret < 0)) {
214  SCLogDebug("%s: error creating assessment impact: %s.",
215  prelude_strsource(ret), prelude_strerror(ret));
216  SCReturnInt(ret);
217  }
218 
219  if ( (unsigned int)pa->s->prio < mid_priority )
220  severity = IDMEF_IMPACT_SEVERITY_HIGH;
221 
222  else if ( (unsigned int)pa->s->prio < low_priority )
223  severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
224 
225  else if ( (unsigned int)pa->s->prio < info_priority )
226  severity = IDMEF_IMPACT_SEVERITY_LOW;
227 
228  else
229  severity = IDMEF_IMPACT_SEVERITY_INFO;
230 
231  idmef_impact_set_severity(impact, severity);
232 
237  idmef_action_t *action;
238 
239  ret = idmef_action_new(&action);
240  if (unlikely(ret < 0))
241  SCReturnInt(ret);
242 
243  idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
244  idmef_assessment_set_action(assessment, action, 0);
245  }
246 
247  if (pa->s->msg) {
248  ret = idmef_impact_new_description(impact, &str);
249  if (unlikely(ret < 0))
250  SCReturnInt(ret);
251 
252  prelude_string_set_ref(str, pa->s->msg);
253  }
254 
255  SCReturnInt(0);
256 }
257 
258 /**
259  * \brief Add Source and Target fields to the IDMEF alert.
260  * These objects contains IP addresses, source and destination
261  * ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
262  *
263  * \return 0 if ok
264  */
265 static int EventToSourceTarget(const PacketAlert *pa, const Packet *p,
266  idmef_alert_t *alert)
267 {
268  int ret;
269  idmef_node_t *node;
270  idmef_source_t *source;
271  idmef_target_t *target;
272  idmef_address_t *address;
273  idmef_service_t *service;
274  prelude_string_t *string;
275  static char saddr[128], daddr[128];
276  uint8_t ip_vers;
277  uint8_t ip_proto;
278  uint16_t sp, dp;
279  uint8_t invert = 0;
280 
281  SCEnter();
282 
283  if ( !p )
284  SCReturnInt(0);
285 
286  if ( ! IPH_IS_VALID(p) )
287  SCReturnInt(0);
288 
289  if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
290  if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
291  invert = 1;
292  } else {
293  invert = 0;
294  }
295  } else {
296  invert = 0;
297  }
298 
299  if (PKT_IS_IPV4(p)) {
300  ip_vers = 4;
301  ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
302  if (invert) {
303  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), saddr, sizeof(saddr));
304  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), daddr, sizeof(daddr));
305  sp = p->dp;
306  dp = p->sp;
307  } else {
308  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
309  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
310  sp = p->sp;
311  dp = p->dp;
312 
313  }
314  } else if (PKT_IS_IPV6(p)) {
315  ip_vers = 6;
316  ip_proto = IPV6_GET_L4PROTO(p);
317  if (invert) {
318  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), saddr, sizeof(saddr));
319  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), daddr, sizeof(daddr));
320  sp = p->dp;
321  dp = p->sp;
322  } else {
323  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
324  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
325  sp = p->sp;
326  dp = p->dp;
327  }
328  } else
329  SCReturnInt(0);
330 
331  ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
332  if (unlikely(ret < 0))
333  SCReturnInt(ret);
334 
335  ret = idmef_source_new_service(source, &service);
336  if (unlikely(ret < 0))
337  SCReturnInt(ret);
338 
339  if ( p->tcph || p->udph )
340  idmef_service_set_port(service, sp);
341 
342  idmef_service_set_ip_version(service, ip_vers);
343  idmef_service_set_iana_protocol_number(service, ip_proto);
344 
345  ret = idmef_source_new_node(source, &node);
346  if (unlikely(ret < 0))
347  SCReturnInt(ret);
348 
349  ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
350  if (unlikely(ret < 0))
351  SCReturnInt(ret);
352 
353  ret = idmef_address_new_address(address, &string);
354  if (unlikely(ret < 0))
355  SCReturnInt(ret);
356 
357  prelude_string_set_ref(string, saddr);
358 
359  ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
360  if (unlikely(ret < 0))
361  SCReturnInt(ret);
362 
363  ret = idmef_target_new_service(target, &service);
364  if (unlikely(ret < 0))
365  SCReturnInt(ret);
366 
367  if ( p->tcph || p->udph )
368  idmef_service_set_port(service, dp);
369 
370  idmef_service_set_ip_version(service, ip_vers);
371  idmef_service_set_iana_protocol_number(service, ip_proto);
372 
373  ret = idmef_target_new_node(target, &node);
374  if (unlikely(ret < 0))
375  SCReturnInt(ret);
376 
377  ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
378  if (unlikely(ret < 0))
379  SCReturnInt(ret);
380 
381  ret = idmef_address_new_address(address, &string);
382  if (unlikely(ret < 0))
383  SCReturnInt(ret);
384 
385  prelude_string_set_ref(string, daddr);
386 
387  SCReturnInt(0);
388 }
389 
390 /**
391  * \brief Add binary data, to be stored in the Additional Data
392  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
393  *
394  * \return 0 if ok
395  */
396 static int AddByteData(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
397 {
398  int ret;
399  prelude_string_t *str;
400  idmef_additional_data_t *ad;
401 
402  SCEnter();
403 
404  if ( ! data || ! size )
405  SCReturnInt(0);
406 
407  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
408  if (unlikely(ret < 0))
409  SCReturnInt(0);
410 
411  ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
412  if (unlikely(ret < 0)) {
413  SCLogDebug("%s: error setting byte string data: %s.",
414  prelude_strsource(ret), prelude_strerror(ret));
415  SCReturnInt(-1);
416  }
417 
418  ret = idmef_additional_data_new_meaning(ad, &str);
419  if (unlikely(ret < 0)) {
420  SCLogDebug("%s: error creating additional-data meaning: %s.",
421  prelude_strsource(ret), prelude_strerror(ret));
422  SCReturnInt(-1);
423  }
424 
425  ret = prelude_string_set_ref(str, meaning);
426  if (unlikely(ret < 0)) {
427  SCLogDebug("%s: error setting byte string data meaning: %s.",
428  prelude_strsource(ret), prelude_strerror(ret));
429  SCReturnInt(-1);
430  }
431 
432  SCReturnInt(0);
433 }
434 
435 /**
436  * \brief Add integer data, to be stored in the Additional Data
437  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
438  *
439  * \return 0 if ok
440  */
441 static int AddIntData(idmef_alert_t *alert, const char *meaning, uint32_t data)
442 {
443  int ret;
444  prelude_string_t *str;
445  idmef_additional_data_t *ad;
446 
447  SCEnter();
448 
449  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
450  if (unlikely(ret < 0))
451  SCReturnInt(ret);
452 
453  idmef_additional_data_set_integer(ad, data);
454 
455  ret = idmef_additional_data_new_meaning(ad, &str);
456  if (unlikely(ret < 0)) {
457  SCLogDebug("%s: error creating additional-data meaning: %s.",
458  prelude_strsource(ret), prelude_strerror(ret));
459  SCReturnInt(-1);
460  }
461 
462  ret = prelude_string_set_ref(str, meaning);
463  if (unlikely(ret < 0)) {
464  SCLogDebug("%s: error setting integer data meaning: %s.",
465  prelude_strsource(ret), prelude_strerror(ret));
466  SCReturnInt(-1);
467  }
468 
469  SCReturnInt(0);
470 }
471 
472 /**
473  * \brief Add string data, to be stored in the Additional Data
474  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
475  * \param alert IDMEF alert where to add additional data
476  * \param meaning Name of the value to add to IDMEF alert
477  * \param data String to add to IDMEF alert
478  * \return 0 if ok, else < 0
479  */
480 static int AddStringData(idmef_alert_t *alert, const char *meaning, const char *data)
481 {
482  int ret;
483  idmef_additional_data_t *ad;
484  prelude_string_t * p_str;
485 
486  SCEnter();
487 
488  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
489  if (unlikely(ret < 0))
490  SCReturnInt(ret);
491 
492  ret = idmef_additional_data_new_meaning(ad, &p_str);
493  if (ret < 0) {
494  idmef_additional_data_destroy(ad);
495  SCReturnInt(ret);
496  }
497 
498  ret = prelude_string_ncat(p_str, meaning, strlen(meaning));
499  if (ret < 0) {
500  idmef_additional_data_destroy(ad);
501  SCReturnInt(ret);
502  }
503 
504  ret = prelude_string_new(&p_str);
505  if (ret < 0) {
506  idmef_additional_data_destroy(ad);
507  SCReturnInt(ret);
508  }
509 
510  ret = prelude_string_ncat(p_str, data, strlen(data));
511  if (ret < 0) {
512  prelude_string_destroy(p_str);
513  idmef_additional_data_destroy(ad);
514  SCReturnInt(ret);
515  }
516 
517  ret = idmef_additional_data_set_string_dup_fast(ad, prelude_string_get_string(p_str), prelude_string_get_len(p_str));
518 
519  prelude_string_destroy(p_str);
520 
521  if (ret < 0) {
522  idmef_additional_data_destroy(ad);
523  SCReturnInt(ret);
524  }
525  SCReturnInt(0);
526 }
527 
528 /**
529  * \brief Add real data, to be stored in the Additional Data
530  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
531  * \param alert IDMEF alert where to add additional data
532  * \param meaning Name of the value to add to IDMEF alert
533  * \param data Real to add to IDMEF alert
534  * \return 0 if ok
535  */
536 static int AddRealData(idmef_alert_t *alert, const char *meaning, uint32_t data)
537 {
538  int ret;
539  prelude_string_t *str;
540  idmef_additional_data_t *ad;
541 
542  SCEnter();
543 
544  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
545  if (unlikely(ret < 0))
546  SCReturnInt(ret);
547 
548  idmef_additional_data_set_real(ad, data);
549 
550  ret = idmef_additional_data_new_meaning(ad, &str);
551  if (unlikely(ret < 0)) {
552  SCLogDebug("%s: error creating additional-data meaning: %s.",
553  prelude_strsource(ret), prelude_strerror(ret));
554  SCReturnInt(-1);
555  }
556 
557  ret = prelude_string_set_ref(str, meaning);
558  if (unlikely(ret < 0)) {
559  SCLogDebug("%s: error setting integer data meaning: %s.",
560  prelude_strsource(ret), prelude_strerror(ret));
561  SCReturnInt(-1);
562  }
563 
564  SCReturnInt(0);
565 }
566 
567 /**
568  * \brief Add IPv4 header data, to be stored in the Additional Data
569  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
570  *
571  * \return 0 if ok
572  */
573 static int PacketToDataV4(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
574 {
575  SCEnter();
576 
577  AddIntData(alert, "ip_ver", IPV4_GET_RAW_VER(p->ip4h));
578  AddIntData(alert, "ip_hlen", IPV4_GET_RAW_HLEN(p->ip4h));
579  AddIntData(alert, "ip_tos", IPV4_GET_RAW_IPTOS(p->ip4h));
580  AddIntData(alert, "ip_len", SCNtohs(IPV4_GET_RAW_IPLEN(p->ip4h)));
581 
582  AddIntData(alert, "ip_id", SCNtohs(IPV4_GET_RAW_IPID(p->ip4h)));
583 
584  AddIntData(alert, "ip_off", SCNtohs(IPV4_GET_RAW_IPOFFSET(p->ip4h)));
585 
586  AddIntData(alert, "ip_ttl", IPV4_GET_RAW_IPTTL(p->ip4h));
587  AddIntData(alert, "ip_proto", IPV4_GET_RAW_IPPROTO(p->ip4h));
588 
589  AddIntData(alert, "ip_sum", SCNtohs(p->ip4h->ip_csum));
590 
591  SCReturnInt(0);
592 }
593 
594 /**
595  * \brief Add IPv6 header data, to be stored in the Additional Data
596  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
597  *
598  * \return 0 if ok
599  */
600 static int PacketToDataV6(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
601 {
602  SCEnter();
603 
604  AddIntData(alert, "ip_ver", IPV6_GET_VER(p));
605  AddIntData(alert, "ip_class", IPV6_GET_CLASS(p));
606  AddIntData(alert, "ip_flow", IPV6_GET_FLOW(p));
607  AddIntData(alert, "ip_nh", IPV6_GET_NH(p));
608  AddIntData(alert, "ip_plen", IPV6_GET_PLEN(p));
609  AddIntData(alert, "ip_hlim", IPV6_GET_HLIM(p));
610  AddIntData(alert, "ip_proto", IPV6_GET_L4PROTO(p));
611 
612  SCReturnInt(0);
613 }
614 
615 /**
616  * \brief Convert JSON object to Prelude additional data with
617  * the right type of data. Browse the JSON object to get
618  * the key=value information.
619  * \param key Name of the JSON value
620  * \param value JSON object to add to the IDMEF alert
621  * \param alert IDMEF alert
622  * \return 0 if ok
623  */
624 static int JsonToAdditionalData(const char * key, json_t * value, idmef_alert_t *alert)
625 {
626  SCEnter();
627 
628  int ret = 0;
629  const char *key_js;
630  char local_key[128];
631  json_t *value_js;
632  size_t index;
633 
634  if (!json_is_object(value) && key == NULL)
635  SCReturnInt(-1);
636 
637  if (json_is_object(value)) {
638  json_object_foreach(value, key_js, value_js) {
639  if (key != NULL) {
640  snprintf(local_key, sizeof(local_key), "%s_%s", key, key_js);
641  } else {
642  snprintf(local_key, sizeof(local_key), "%s", key_js);
643  }
644  ret = JsonToAdditionalData(local_key, value_js, alert);
645  }
646  } else if (json_is_array(value)) {
647  json_array_foreach(value, index, value_js) {
648  ret = snprintf(local_key, sizeof(local_key), "%s_%ju", key, (uintmax_t)index);
649  if (ret < 0 || (size_t)ret >= sizeof(local_key)) {
650  SCLogError(SC_ERR_SPRINTF,"failed to construct key");
651  continue;
652  }
653  ret = JsonToAdditionalData(local_key, value_js, alert);
654  }
655  } else if (json_is_integer(value)) {
656  ret = AddIntData(alert, key, json_integer_value(value));
657  } else if (json_is_real(value)) {
658  ret = AddRealData(alert, key, json_real_value(value));
659  } else if (json_is_boolean(value)) {
660  ret = AddIntData(alert, key, json_is_true(value));
661  } else if (json_is_string(value)) {
662  ret = AddStringData(alert, key, json_string_value(value));
663  } else {
664  ret = AddStringData(alert, key, json_dumps(value, 0));
665  }
666  SCReturnInt(ret);
667 }
668 
669 /**
670  * \brief Handle ALPROTO_HTTP JSON information
671  * \param p Packet where to extract data
672  * \param pa Packet alert information
673  * \param alert IDMEF alert
674  * \return void
675  */
676 static void PacketToDataProtoHTTP(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
677 {
678  json_t *js;
679 
680  js = JsonHttpAddMetadata(p->flow, pa->tx_id);
681  if (js == NULL)
682  return;
683 
684  JsonToAdditionalData(NULL, js, alert);
685 
686  json_decref(js);
687 
688 }
689 
690 /**
691  * \brief Handle ALPROTO_TLS JSON information
692  * \param p Packet where to extract data
693  * \param pa Packet alert information
694  * \param alert IDMEF alert
695  * \return void
696  */
697 static void PacketToDataProtoTLS(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
698 {
699  json_t *js;
700  SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
701 
702  if (ssl_state == NULL)
703  return;
704 
705  js = json_object();
706  if (js == NULL)
707  return;
708 
709  JsonTlsLogJSONBasic(js, ssl_state);
710  JsonTlsLogJSONExtended(js, ssl_state);
711  JsonToAdditionalData(NULL, js, alert);
712 
713  json_decref(js);
714 
715 }
716 
717 /**
718  * \brief Handle ALPROTO_SSH JSON information
719  * \param p Packet where to extract data
720  * \param pa Packet alert information
721  * \param alert IDMEF alert
722  * \return void
723  */
724 static void PacketToDataProtoSSH(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
725 {
726  json_t *js, *s_js;
727  SshState *ssh_state = (SshState *)FlowGetAppState(p->flow);
728 
729  if (ssh_state == NULL)
730  return;
731 
732  js = json_object();
733  if (js == NULL)
734  return;
735 
736  JsonSshLogJSON(js, ssh_state);
737 
738  s_js = json_object_get(js, "server");
739  if (s_js != NULL) {
740  JsonToAdditionalData(NULL, s_js, alert);
741  }
742 
743  s_js = json_object_get(js, "client");
744  if (s_js != NULL) {
745  JsonToAdditionalData(NULL, s_js, alert);
746  }
747 
748  json_decref(js);
749 
750 }
751 
752 /**
753  * \brief Handle ALPROTO_SMTP JSON information
754  * \param p Packet where to extract data
755  * \param pa Packet alert information
756  * \param alert IDMEF alert
757  * \return void
758  */
759 static void PacketToDataProtoSMTP(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
760 {
761  json_t *js;
762 
763  js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
764  if (js == NULL)
765  return;
766 
767  JsonToAdditionalData(NULL, js, alert);
768 
769  json_decref(js);
770 
771 }
772 
773 /**
774  * \brief Handle ALPROTO_(SMTP|IMAP) Email JSON information
775  * \param p Packet where to extract data
776  * \param pa Packet alert information
777  * \param alert IDMEF alert
778  * \return void
779  */
780 static void PacketToDataProtoEmail(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
781 {
782  json_t *js;
783 
784  js = JsonEmailAddMetadata(p->flow, pa->tx_id);
785  if (js == NULL)
786  return;
787 
788  JsonToAdditionalData(NULL, js, alert);
789 
790  json_decref(js);
791 
792 }
793 
794 /**
795  * \brief Convert IP packet to an IDMEF alert (RFC 4765).
796  * This function stores the alert SID (description and reference),
797  * the payload of the packet, and pre-processed data.
798  *
799  * \return 0 if ok
800  */
801 static int PacketToData(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert, AlertPreludeCtx *ctx)
802 {
803  SCEnter();
804 
805  if (unlikely(p == NULL))
806  SCReturnInt(0);
807 
808  if (p->flow != NULL) {
809  uint16_t proto = FlowGetAppProtocol(p->flow);
810  switch (proto) {
811  case ALPROTO_HTTP:
812  PacketToDataProtoHTTP(p, pa, alert);
813  break;
814  case ALPROTO_TLS:
815  PacketToDataProtoTLS(p, pa, alert);
816  break;
817  case ALPROTO_SSH:
818  PacketToDataProtoSSH(p, pa, alert);
819  break;
820  case ALPROTO_SMTP:
821  case ALPROTO_IMAP:
822  PacketToDataProtoSMTP(p, pa, alert);
823  PacketToDataProtoEmail(p, pa, alert);
824  break;
825  }
826  }
827 
828  AddIntData(alert, "snort_rule_sid", pa->s->id);
829  AddIntData(alert, "snort_rule_rev", pa->s->rev);
830 
831  if (ctx->log_packet_header) {
832  if ( PKT_IS_IPV4(p) )
833  PacketToDataV4(p, pa, alert);
834 
835  else if ( PKT_IS_IPV6(p) )
836  PacketToDataV6(p, pa, alert);
837 
838  if ( PKT_IS_TCP(p) ) {
839  AddIntData(alert, "tcp_seq", TCP_GET_SEQ(p));
840  AddIntData(alert, "tcp_ack", TCP_GET_ACK(p));
841 
842  AddIntData(alert, "tcp_off", TCP_GET_OFFSET(p));
843  AddIntData(alert, "tcp_res", TCP_GET_X2(p));
844  AddIntData(alert, "tcp_flags", TCP_GET_FLAGS(p));
845 
846  AddIntData(alert, "tcp_win", TCP_GET_WINDOW(p));
847  AddIntData(alert, "tcp_sum", TCP_GET_SUM(p));
848  AddIntData(alert, "tcp_urp", TCP_GET_URG_POINTER(p));
849  if (p->tcpvars.ts_val != 0) {
850  AddIntData(alert, "tcp_tsval", TCP_GET_TSVAL(p));
851  }
852  if (p->tcpvars.ts_ecr != 0) {
853  AddIntData(alert, "tcp_tsecr", TCP_GET_TSECR(p));
854  }
855  if (p->tcph != NULL) {
856  AddIntData(alert, "tcp_wscale", TCP_GET_WSCALE(p));
857  }
858  if (TCP_HAS_SACKOK(p)) {
859  AddIntData(alert, "tcp_sackok", TCP_GET_SACKOK(p));
860  }
861  if (TCP_HAS_SACK(p)) {
862  AddIntData(alert, "tcp_sack_cnt", TCP_GET_SACK_CNT(p));
863  }
864  AddIntData(alert, "tcp_hlen", TCP_GET_HLEN(p));
865  }
866 
867  else if ( PKT_IS_UDP(p) ) {
868  AddIntData(alert, "udp_len", UDP_GET_LEN(p));
869  AddIntData(alert, "udp_sum", UDP_GET_SUM(p));
870  }
871 
872  else if ( PKT_IS_ICMPV4(p) ) {
873  AddIntData(alert, "icmp_type", ICMPV4_GET_TYPE(p));
874  AddIntData(alert, "icmp_code", ICMPV4_GET_CODE(p));
875  AddIntData(alert, "icmp_sum", ICMPV4_GET_RAW_CSUM(p));
876 
877  }
878 
879  else if ( PKT_IS_ICMPV6(p) ) {
880  AddIntData(alert, "icmp_type", ICMPV6_GET_TYPE(p));
881  AddIntData(alert, "icmp_code", ICMPV6_GET_CODE(p));
882  AddIntData(alert, "icmp_csum", ICMPV6_GET_RAW_CSUM(p));
883  }
884  }
885 
886  if (ctx->log_packet_content)
887  AddByteData(alert, "payload", p->payload, p->payload_len);
888 
889  SCReturnInt(0);
890 }
891 
892 /**
893  * \brief Store reference on rule (SID and GID) in the IDMEF alert,
894  * and embed an URL pointing to the rule description.
895  *
896  * \return 0 if ok
897  */
898 static int AddSnortReference(idmef_classification_t *class, int gen_id, int sig_id)
899 {
900  int ret;
901  prelude_string_t *str;
902  idmef_reference_t *ref;
903 
904  SCEnter();
905 
906  if ( sig_id >= SNORT_MAX_OWNED_SID )
907  SCReturnInt(0);
908 
909  ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
910  if (unlikely(ret < 0))
911  SCReturnInt(ret);
912 
913  ret = idmef_reference_new_name(ref, &str);
914  if (unlikely(ret < 0))
915  SCReturnInt(ret);
916 
917  idmef_reference_set_origin(ref, IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC);
918 
919  if ( gen_id == 0 )
920  ret = prelude_string_sprintf(str, "%u", sig_id);
921  else
922  ret = prelude_string_sprintf(str, "%u:%u", gen_id, sig_id);
923 
924  if (unlikely(ret < 0))
925  SCReturnInt(ret);
926 
927  ret = idmef_reference_new_meaning(ref, &str);
928  if (unlikely(ret < 0))
929  SCReturnInt(ret);
930 
931  ret = prelude_string_sprintf(str, "Snort Signature ID");
932  if (unlikely(ret < 0))
933  SCReturnInt(ret);
934 
935  ret = idmef_reference_new_url(ref, &str);
936  if (unlikely(ret < 0))
937  SCReturnInt(ret);
938 
939  if ( gen_id == 0 )
940  ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u", sig_id);
941  else
942  ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u-%u", gen_id, sig_id);
943 
944  SCReturnInt(ret);
945 }
946 
947 /**
948  * \brief Create event classification description (see section
949  * 4.2.4.2 of RFC 4765).
950  * The classification is the "name" of the alert, identification of the
951  * rule signature, and additional information on the rule.
952  *
953  * \return 0 if ok
954  */
955 static int EventToReference(const PacketAlert *pa, const Packet *p, idmef_classification_t *class)
956 {
957  int ret;
958  prelude_string_t *str;
959 
960  SCEnter();
961 
962  ret = idmef_classification_new_ident(class, &str);
963  if (unlikely(ret < 0))
964  SCReturnInt(ret);
965 
966  if ( pa->s->gid == 0 )
967  ret = prelude_string_sprintf(str, "%u", pa->s->id);
968  else
969  ret = prelude_string_sprintf(str, "%u:%u", pa->s->gid, pa->s->id);
970  if (unlikely(ret < 0))
971  SCReturnInt(ret);
972 
973  ret = AddSnortReference(class, pa->s->gid, pa->s->id);
974  if (unlikely(ret < 0))
975  SCReturnInt(ret);
976 
977  SCReturnInt(0);
978 }
979 
980 static int PreludePrintStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
981 {
982  int ret;
983 
984  ret = AddByteData((idmef_alert_t *)data, "stream-segment", buf, buflen);
985  if (ret == 0)
986  return 1;
987  else
988  return -1;
989 }
990 
991 /**
992  * \brief Initialize thread-specific data. Each thread structure contains
993  * a pointer to the \a AlertPreludeCtx context.
994  *
995  * \return TM_ECODE_OK if ok, else TM_ECODE_FAILED
996  */
997 static TmEcode AlertPreludeThreadInit(ThreadVars *t, const void *initdata, void **data)
998 {
999  int ret;
1000  AlertPreludeThread *aun;
1001 
1002  SCEnter();
1003 
1004  if (unlikely(initdata == NULL)) {
1006  "Error getting context for Prelude. \"initdata\" argument NULL");
1008  }
1009 
1010  aun = SCMalloc(sizeof(AlertPreludeThread));
1011  if (unlikely(aun == NULL))
1013  memset(aun, 0, sizeof(AlertPreludeThread));
1014 
1015  /* Use the Ouput Context */
1016  aun->ctx = ((OutputCtx *)initdata)->data;
1017 
1018  /* Create a per-thread idmef analyzer */
1019  ret = idmef_analyzer_clone(prelude_client_get_analyzer(aun->ctx->client), &aun->analyzer);
1020  if (unlikely(ret < 0)) {
1022  "Error creating idmef analyzer for Prelude.");
1023 
1024  SCFree(aun);
1026  }
1027 
1028  *data = (void *)aun;
1030 }
1031 
1032 /**
1033  * \brief Free thread-specific data.
1034  *
1035  * \return TM_ECODE_OK if ok, else TM_ECODE_FAILED
1036  */
1037 static TmEcode AlertPreludeThreadDeinit(ThreadVars *t, void *data)
1038 {
1039  AlertPreludeThread *aun = (AlertPreludeThread *)data;
1040 
1041  SCEnter();
1042 
1043  if (unlikely(aun == NULL)) {
1044  SCLogDebug("AlertPreludeThreadDeinit done (error)");
1046  }
1047 
1048  /* clear memory */
1049  idmef_analyzer_destroy(aun->analyzer);
1050  memset(aun, 0, sizeof(AlertPreludeThread));
1051  SCFree(aun);
1052 
1054 }
1055 
1056 static void AlertPreludeDeinitCtx(OutputCtx *output_ctx)
1057 {
1058  AlertPreludeCtx *ctx = (AlertPreludeCtx *)output_ctx->data;
1059 
1060  prelude_client_destroy(ctx->client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1061  SCFree(output_ctx);
1062 }
1063 
1064 /** \brief Initialize the Prelude logging module: initialize
1065  * library, create the client and try to establish the connection
1066  * to the Prelude Manager.
1067  * Client flags are set to force asynchronous (non-blocking) mode for
1068  * both alerts and heartbeats.
1069  * This function requires an existing Prelude profile to work.
1070  *
1071  * \return A newly allocated AlertPreludeCtx structure, or NULL
1072  */
1073 static OutputInitResult AlertPreludeInitCtx(ConfNode *conf)
1074 {
1075  int ret;
1076  prelude_client_t *client;
1077  AlertPreludeCtx *ctx;
1078  const char *prelude_profile_name;
1079  const char *log_packet_content;
1080  const char *log_packet_header;
1081  OutputInitResult result = { NULL, false };
1082  OutputCtx *output_ctx;
1083 
1084  SCEnter();
1085 
1086  ret = prelude_init(0, NULL);
1087  if (unlikely(ret < 0)) {
1088  prelude_perror(ret, "unable to initialize the prelude library");
1089  SCReturnCT(result, "OutputInitResult");
1090  }
1091 
1092  prelude_profile_name = ConfNodeLookupChildValue(conf, "profile");
1093  if (prelude_profile_name == NULL)
1094  prelude_profile_name = DEFAULT_PRELUDE_PROFILE;
1095 
1096  log_packet_content = ConfNodeLookupChildValue(conf, "log-packet-content");
1097  log_packet_header = ConfNodeLookupChildValue(conf, "log-packet-header");
1098 
1099  ret = prelude_client_new(&client, prelude_profile_name);
1100  if ( unlikely(ret < 0 || client == NULL )) {
1101  prelude_perror(ret, "Unable to create a prelude client object");
1102  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1103  SCReturnCT(result, "OutputInitResult");
1104  }
1105 
1106  ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER|PRELUDE_CLIENT_FLAGS_ASYNC_SEND);
1107  if (unlikely(ret < 0)) {
1108  SCLogDebug("Unable to set asynchronous send and timer.");
1109  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1110  SCReturnCT(result, "OutputInitResult");
1111  }
1112 
1113  ret = SetupAnalyzer(prelude_client_get_analyzer(client));
1114  if (ret < 0) {
1115  SCLogDebug("Unable to setup prelude client analyzer.");
1116  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1117  SCReturnCT(result, "OutputInitResult");
1118  }
1119 
1120  ret = prelude_client_start(client);
1121  if (unlikely(ret < 0)) {
1122  prelude_perror(ret, "Unable to start prelude client");
1123  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1124  SCReturnCT(result, "OutputInitResult");
1125  }
1126 
1127  ctx = SCMalloc(sizeof(AlertPreludeCtx));
1128  if (unlikely(ctx == NULL)) {
1129  prelude_perror(ret, "Unable to allocate memory");
1130  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1131  SCReturnCT(result, "OutputInitResult");
1132  }
1133 
1134  ctx->client = client;
1135  ctx->log_packet_content = 0;
1136  ctx->log_packet_header = 1;
1137  if (log_packet_content && ConfValIsTrue(log_packet_content))
1138  ctx->log_packet_content = 1;
1139  if (log_packet_header && ConfValIsFalse(log_packet_header))
1140  ctx->log_packet_header = 0;
1141 
1142  output_ctx = SCMalloc(sizeof(OutputCtx));
1143  if (unlikely(output_ctx == NULL)) {
1144  SCFree(ctx);
1145  prelude_perror(ret, "Unable to allocate memory");
1146  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1147  SCReturnCT(result, "OutputInitResult");
1148  }
1149 
1150  output_ctx->data = ctx;
1151  output_ctx->DeInit = AlertPreludeDeinitCtx;
1152 
1153  result.ctx = output_ctx;
1154  result.ok = true;
1155  SCReturnCT(result, "OutputInitResult");
1156 }
1157 
1158 static int AlertPreludeCondition(ThreadVars *tv, const Packet *p)
1159 {
1160  if (p->alerts.cnt == 0)
1161  return FALSE;
1162  if (!IPH_IS_VALID(p))
1163  return FALSE;
1164  return TRUE;
1165 }
1166 
1167 /**
1168  * \brief Handle Suricata alert: convert it to and IDMEF alert (see RFC 4765)
1169  * and send it asynchronously (so, this function does not block and returns
1170  * immediately).
1171  * If the destination Prelude Manager is not available, the alert is spooled
1172  * (and the function also returns immediately).
1173  * An IDMEF object is created, and all available information is added: IP packet
1174  * header and data, rule signature ID, additional data like URL pointing to
1175  * rule description, CVE, etc.
1176  * The IDMEF alert has a reference to all created objects, so freeing it will
1177  * automatically free all allocated memory.
1178  *
1179  * \note This function is thread safe.
1180  *
1181  * \return TM_ECODE_OK if ok, else TM_ECODE_FAILED
1182  */
1183 static int AlertPreludeLogger(ThreadVars *tv, void *thread_data, const Packet *p)
1184 {
1185  AlertPreludeThread *apn = (AlertPreludeThread *)thread_data;
1186  int ret;
1187  idmef_time_t *time;
1188  idmef_alert_t *alert;
1189  prelude_string_t *str;
1190  idmef_message_t *idmef = NULL;
1191  idmef_classification_t *class;
1192  const PacketAlert *pa;
1193 
1194  SCEnter();
1195 
1196  if (unlikely(apn == NULL || apn->ctx == NULL)) {
1198  }
1199 
1200  if (p->alerts.cnt == 0)
1202 
1203  if ( !IPH_IS_VALID(p) )
1205 
1206  /* XXX which one to add to this alert? Lets see how Snort solves this.
1207  * For now just take last alert. */
1208  pa = &p->alerts.alerts[p->alerts.cnt-1];
1209  if (unlikely(pa->s == NULL))
1210  goto err;
1211 
1212  ret = idmef_message_new(&idmef);
1213  if (unlikely(ret < 0))
1215 
1216  ret = idmef_message_new_alert(idmef, &alert);
1217  if (unlikely(ret < 0))
1218  goto err;
1219 
1220  ret = idmef_alert_new_classification(alert, &class);
1221  if (unlikely(ret < 0))
1222  goto err;
1223 
1224  if (pa->s->class_msg) {
1225  ret = idmef_classification_new_text(class, &str);
1226  if (unlikely(ret < 0))
1227  goto err;
1228 
1229  prelude_string_set_ref(str, pa->s->class_msg);
1230  }
1231 
1232  ret = EventToImpact(pa, p, alert);
1233  if (unlikely(ret < 0))
1234  goto err;
1235 
1236  ret = EventToReference(pa, p, class);
1237  if (unlikely(ret < 0))
1238  goto err;
1239 
1240  ret = EventToSourceTarget(pa, p, alert);
1241  if (unlikely(ret < 0))
1242  goto err;
1243 
1244  ret = PacketToData(p, pa, alert, apn->ctx);
1245  if (unlikely(ret < 0))
1246  goto err;
1247 
1248  if (PKT_IS_TCP(p) && (pa->flags & PACKET_ALERT_FLAG_STATE_MATCH)) {
1249  uint8_t flag;
1250  if (p->flowflags & FLOW_PKT_TOSERVER) {
1251  flag = FLOW_PKT_TOCLIENT;
1252  } else {
1253  flag = FLOW_PKT_TOSERVER;
1254  }
1255  ret = StreamSegmentForEach(p, flag,
1256  PreludePrintStreamSegmentCallback,
1257  (void *)alert);
1258  }
1259  if (unlikely(ret < 0))
1260  goto err;
1261 
1262  ret = idmef_alert_new_detect_time(alert, &time);
1263  if (unlikely(ret < 0))
1264  goto err;
1265  idmef_time_set_from_timeval(time, &p->ts);
1266 
1267  ret = idmef_time_new_from_gettimeofday(&time);
1268  if (unlikely(ret < 0))
1269  goto err;
1270  idmef_alert_set_create_time(alert, time);
1271 
1272  idmef_alert_set_analyzer(alert, idmef_analyzer_ref(apn->analyzer), IDMEF_LIST_PREPEND);
1273 
1274  /* finally, send event */
1275  prelude_client_send_idmef(apn->ctx->client, idmef);
1276  idmef_message_destroy(idmef);
1277 
1279 
1280 err:
1281  if (idmef != NULL)
1282  idmef_message_destroy(idmef);
1284 }
1285 
1287 {
1288  OutputRegisterPacketModule(LOGGER_PRELUDE, "AlertPrelude", "alert-prelude",
1289  AlertPreludeInitCtx, AlertPreludeLogger, AlertPreludeCondition,
1290  AlertPreludeThreadInit, AlertPreludeThreadDeinit, NULL);
1291 }
1292 #endif /* PRELUDE */
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:214
json_t * JsonSMTPAddMetadata(const Flow *f, uint64_t tx_id)
#define ANALYZER_SID_URL
Definition: alert-prelude.c:86
uint32_t ts_ecr
Definition: decode-tcp.h:158
#define ANALYZER_MODEL
Definition: alert-prelude.c:84
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
#define ANALYZER_MANUFACTURER
Definition: alert-prelude.c:85
UDPHdr * udph
Definition: decode.h:524
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:445
#define ACTION_REJECT_DST
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:857
uint32_t flags
Definition: detect.h:523
char * msg
Definition: detect.h:580
#define DEFAULT_PRELUDE_PROFILE
Definition: alert-prelude.c:91
uint32_t id
Definition: detect.h:555
#define FALSE
void JsonTlsLogJSONExtended(json_t *tjs, SSLState *state)
#define unlikely(expr)
Definition: util-optimize.h:35
#define TCP_GET_OFFSET(p)
Definition: decode-tcp.h:108
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:215
Port sp
Definition: decode.h:415
#define TCP_GET_SACKOK(p)
Definition: decode-tcp.h:103
struct AlertPreludeCtx_ AlertPreludeCtx
int prio
Definition: detect.h:558
Port dp
Definition: decode.h:423
#define ACTION_REJECT
idmef_analyzer_t * analyzer
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:90
#define PKT_IS_IPV6(p)
Definition: decode.h:252
#define TCP_GET_WINDOW(p)
Definition: decode-tcp.h:115
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1063
#define TCP_GET_TSVAL(p)
Definition: decode-tcp.h:86
TCPHdr * tcph
Definition: decode.h:522
uint32_t ts_val
Definition: decode-tcp.h:157
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition: decode-ipv4.h:100
#define ICMPV4_GET_TYPE(p)
#define TRUE
#define IPV4_GET_RAW_VER(ip4h)
Definition: decode-ipv4.h:94
#define PKT_IS_IPV4(p)
Definition: decode.h:251
#define TCP_GET_X2(p)
Definition: decode-tcp.h:109
json_t * JsonHttpAddMetadata(const Flow *f, uint64_t tx_id)
#define SCReturnCT(x, type)
Definition: util-debug.h:351
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:249
#define IPV4_GET_RAW_IPLEN(ip4h)
Definition: decode-ipv4.h:97
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:294
const struct Signature_ * s
Definition: decode.h:273
SSLv[2.0|3.[0|1|2|3]] state structure.
void AlertPreludeRegister(void)
#define ICMPV6_GET_RAW_CSUM(p)
#define ICMPV6_GET_CODE(p)
#define str(s)
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
#define TCP_GET_SEQ(p)
Definition: decode-tcp.h:113
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:163
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
#define IPV4_GET_RAW_IPTOS(ip4h)
Definition: decode-ipv4.h:96
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:220
json_t * JsonEmailAddMetadata(const Flow *f, uint32_t tx_id)
#define ACTION_REJECT_BOTH
#define TCP_HAS_SACK(p)
Definition: decode-tcp.h:92
#define IPV6_GET_VER(p)
Definition: decode-ipv6.h:80
#define ANALYZER_CLASS
Definition: alert-prelude.c:83
#define TCP_GET_WSCALE(p)
Definition: decode-tcp.h:99
#define TCP_GET_TSECR(p)
Definition: decode-tcp.h:89
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
prelude_client_t * client
#define PKT_IS_ICMPV6(p)
Definition: decode.h:256
#define IPV6_GET_FLOW(p)
Definition: decode-ipv6.h:84
#define IPV4_GET_RAW_IPID(ip4h)
Definition: decode-ipv4.h:98
#define SCEnter(...)
Definition: util-debug.h:337
uint8_t flowflags
Definition: decode.h:439
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
#define IPV4_GET_RAW_IPPROTO(ip4h)
Definition: decode-ipv4.h:101
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
#define IPV6_GET_CLASS(p)
Definition: decode-ipv6.h:82
#define UDP_GET_LEN(p)
Definition: decode-udp.h:35
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
#define IPV6_GET_NH(p)
Definition: decode-ipv6.h:86
uint32_t gid
Definition: detect.h:556
uint8_t proto
#define TCP_GET_SUM(p)
Definition: decode-tcp.h:117
#define SCReturnInt(x)
Definition: util-debug.h:341
uint64_t tx_id
Definition: decode.h:274
#define IPV6_GET_L4PROTO(p)
Definition: decode-ipv6.h:93
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
IPV4Hdr * ip4h
Definition: decode.h:500
char * class_msg
Definition: detect.h:583
struct AlertPreludeThread_ AlertPreludeThread
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:95
Definition: conf.h:32
OutputCtx * ctx
Definition: output.h:42
#define TCP_GET_SACK_CNT(p)
Definition: decode-tcp.h:105
#define SCMalloc(a)
Definition: util-mem.h:222
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:219
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:253
#define SCFree(a)
Definition: util-mem.h:322
#define SCNtohs(x)
uint8_t address
Definition: decode-ppp.h:312
#define PKT_IS_TCP(p)
Definition: decode.h:253
void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state)
void JsonSshLogJSON(json_t *tjs, SshState *ssh_state)
uint8_t flags
Definition: decode.h:272
#define ICMPV6_GET_TYPE(p)
void * data
Definition: tm-modules.h:81
#define TCP_HAS_SACKOK(p)
Definition: decode-tcp.h:93
#define PKT_IS_ICMPV4(p)
Definition: decode.h:255
uint32_t rev
Definition: detect.h:557
PacketAlerts alerts
Definition: decode.h:555
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1068
#define IPH_IS_VALID(p)
Definition: decode.h:260
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:282
#define TCP_GET_URG_POINTER(p)
Definition: decode-tcp.h:116
#define TCP_GET_FLAGS(p)
Definition: decode-tcp.h:118
uint16_t ip_csum
Definition: decode-ipv4.h:79
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:110
uint16_t cnt
Definition: decode.h:293
TCPVars tcpvars
Definition: decode.h:514
#define PKT_IS_UDP(p)
Definition: decode.h:254
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:451
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
#define ACTION_DROP
#define ICMPV4_GET_RAW_CSUM(p)
#define TCP_GET_ACK(p)
Definition: decode-tcp.h:114
uint16_t payload_len
Definition: decode.h:541
#define SNORT_MAX_OWNED_SID
Definition: alert-prelude.c:88
uint8_t * payload
Definition: decode.h:540
#define UDP_GET_SUM(p)
Definition: decode-udp.h:38
#define IPV4_GET_RAW_IPOFFSET(ip4h)
Definition: decode-ipv4.h:99
AlertPreludeCtx * ctx
#define ICMPV4_GET_CODE(p)