suricata
alert-prelude.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pierre Chifflier <chifflier@edenwall.com>
22  * \author Yoann Vandoorselaere <yoann.v@prelude-ids.com>
23  *
24  * Logs alerts to the Prelude system, using IDMEF (RFC 4765) messages.
25  *
26  * Each message contains the alert description and reference (using
27  * the SID/GID), and a normalized description (assessment, impact,
28  * sources etc.)
29  *
30  * libprelude handles the connection with the manager (collecting component),
31  * spooling and sending the event asynchronously. It also offers transport
32  * security (using TLS and trusted certificates) and reliability (events
33  * are retransmitted if not sent successfully).
34  *
35  * This modules requires a Prelude profile to work (see man prelude-admin
36  * and the Prelude Handbook for help).
37  */
38 
39 #include "suricata-common.h"
40 #include "debug.h"
41 #include "detect.h"
42 #include "flow.h"
43 #include "conf.h"
44 
45 #include "threads.h"
46 #include "threadvars.h"
47 #include "tm-threads.h"
48 
49 #include "util-unittest.h"
50 #include "util-time.h"
51 #include "util-debug.h"
52 #include "util-error.h"
53 #include "util-print.h"
54 
55 #include "output.h"
56 #include "output-json.h"
57 #include "output-json-http.h"
58 #include "output-json-tls.h"
59 #include "output-json-ssh.h"
60 #include "output-json-smtp.h"
62 
63 #include "util-privs.h"
64 #include "util-optimize.h"
65 
66 #include "stream.h"
67 
68 #include "alert-prelude.h"
69 
70 #ifndef PRELUDE
71 
72 /* Handle the case where no PRELUDE support is compiled in. */
73 
74 void AlertPreludeRegister(void)
75 {
76  SCLogDebug("Can't register Prelude output thread - Prelude support was disabled during build.");
77 }
78 
79 #else /* implied we do have PRELUDE support */
80 
81 #include <libprelude/prelude.h>
82 
83 #define ANALYZER_CLASS "NIDS"
84 #define ANALYZER_MODEL "Suricata"
85 #define ANALYZER_MANUFACTURER "http://www.openinfosecfoundation.org/"
86 #define ANALYZER_SID_URL "http://www.snort.org/search/sid/"
87 
88 #define SNORT_MAX_OWNED_SID 1000000
89 #define DEFAULT_ANALYZER_NAME "suricata"
90 
91 #define DEFAULT_PRELUDE_PROFILE "suricata"
92 
93 static unsigned int info_priority = 4;
94 static unsigned int low_priority = 3;
95 static unsigned int mid_priority = 2;
96 
97 /**
98  * This holds global structures and variables. Since libprelude is thread-safe,
99  * there is no need to store a mutex.
100  */
101 typedef struct AlertPreludeCtx_ {
102  /** The client (which has the send function) */
103  prelude_client_t *client;
107 
108 /**
109  * This holds per-thread specific structures and variables.
110  */
111 typedef struct AlertPreludeThread_ {
112  /** Pointer to the global context */
114  idmef_analyzer_t *analyzer;
116 
117 
118 /**
119  * \brief Initialize analyzer description
120  *
121  * \return 0 if ok
122  */
123 static int SetupAnalyzer(idmef_analyzer_t *analyzer)
124 {
125  int ret;
126  prelude_string_t *string;
127 
128  SCEnter();
129 
130  ret = idmef_analyzer_new_model(analyzer, &string);
131  if (unlikely(ret < 0)) {
132  SCLogDebug("%s: error creating analyzer model: %s.",
133  prelude_strsource(ret), prelude_strerror(ret));
134  SCReturnInt(ret);
135  }
136  ret = prelude_string_set_constant(string, ANALYZER_MODEL);
137  if (unlikely(ret < 0)) {
138  SCLogDebug("%s: error setting analyzer model: %s.",
139  prelude_strsource(ret), prelude_strerror(ret));
140  SCReturnInt(ret);
141  }
142 
143  ret = idmef_analyzer_new_class(analyzer, &string);
144  if (unlikely(ret < 0)) {
145  SCLogDebug("%s: error creating analyzer class: %s.",
146  prelude_strsource(ret), prelude_strerror(ret));
147  SCReturnInt(ret);
148  }
149  ret = prelude_string_set_constant(string, ANALYZER_CLASS);
150  if (unlikely(ret < 0)) {
151  SCLogDebug("%s: error setting analyzer class: %s.",
152  prelude_strsource(ret), prelude_strerror(ret));
153  SCReturnInt(ret);
154  }
155 
156  ret = idmef_analyzer_new_manufacturer(analyzer, &string);
157  if (unlikely(ret < 0)) {
158  SCLogDebug("%s: error creating analyzer manufacturer: %s.",
159  prelude_strsource(ret), prelude_strerror(ret));
160  SCReturnInt(ret);
161  }
162  ret = prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
163  if (unlikely(ret < 0)) {
164  SCLogDebug("%s: error setting analyzer manufacturer: %s.",
165  prelude_strsource(ret), prelude_strerror(ret));
166  SCReturnInt(ret);
167  }
168 
169  ret = idmef_analyzer_new_version(analyzer, &string);
170  if (unlikely(ret < 0)) {
171  SCLogDebug("%s: error creating analyzer version: %s.",
172  prelude_strsource(ret), prelude_strerror(ret));
173  SCReturnInt(ret);
174  }
175  ret = prelude_string_set_constant(string, VERSION);
176  if (unlikely(ret < 0)) {
177  SCLogDebug("%s: error setting analyzer version: %s.",
178  prelude_strsource(ret), prelude_strerror(ret));
179  SCReturnInt(ret);
180  }
181 
182  SCReturnInt(0);
183 }
184 
185 /**
186  * \brief Create event impact description (see section
187  * 4.2.6.1 of RFC 4765).
188  * The impact contains the severity, completion (succeeded or failed)
189  * and basic classification of the attack type.
190  * Here, we don't set the completion since we don't know it (default
191  * is unknown).
192  *
193  * \return 0 if ok
194  */
195 static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
196 {
197  int ret;
198  prelude_string_t *str;
199  idmef_impact_t *impact;
200  idmef_assessment_t *assessment;
201  idmef_impact_severity_t severity;
202 
203  SCEnter();
204 
205  ret = idmef_alert_new_assessment(alert, &assessment);
206  if (unlikely(ret < 0)) {
207  SCLogDebug("%s: error creating assessment: %s.",
208  prelude_strsource(ret), prelude_strerror(ret));
209  SCReturnInt(ret);
210  }
211 
212  ret = idmef_assessment_new_impact(assessment, &impact);
213  if (unlikely(ret < 0)) {
214  SCLogDebug("%s: error creating assessment impact: %s.",
215  prelude_strsource(ret), prelude_strerror(ret));
216  SCReturnInt(ret);
217  }
218 
219  if ( (unsigned int)pa->s->prio < mid_priority )
220  severity = IDMEF_IMPACT_SEVERITY_HIGH;
221 
222  else if ( (unsigned int)pa->s->prio < low_priority )
223  severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
224 
225  else if ( (unsigned int)pa->s->prio < info_priority )
226  severity = IDMEF_IMPACT_SEVERITY_LOW;
227 
228  else
229  severity = IDMEF_IMPACT_SEVERITY_INFO;
230 
231  idmef_impact_set_severity(impact, severity);
232 
237  idmef_action_t *action;
238 
239  ret = idmef_action_new(&action);
240  if (unlikely(ret < 0))
241  SCReturnInt(ret);
242 
243  idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
244  idmef_assessment_set_action(assessment, action, 0);
245  }
246 
247  if (pa->s->msg) {
248  ret = idmef_impact_new_description(impact, &str);
249  if (unlikely(ret < 0))
250  SCReturnInt(ret);
251 
252  prelude_string_set_ref(str, pa->s->msg);
253  }
254 
255  SCReturnInt(0);
256 }
257 
258 /**
259  * \brief Add Source and Target fields to the IDMEF alert.
260  * These objects contains IP addresses, source and destination
261  * ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
262  *
263  * \return 0 if ok
264  */
265 static int EventToSourceTarget(const PacketAlert *pa, const Packet *p,
266  idmef_alert_t *alert)
267 {
268  int ret;
269  idmef_node_t *node;
270  idmef_source_t *source;
271  idmef_target_t *target;
272  idmef_address_t *address;
273  idmef_service_t *service;
274  prelude_string_t *string;
275  static char saddr[128], daddr[128];
276  uint8_t ip_vers;
277  uint8_t ip_proto;
278  uint16_t sp, dp;
279  uint8_t invert = 0;
280 
281  SCEnter();
282 
283  if ( !p )
284  SCReturnInt(0);
285 
286  if ( ! IPH_IS_VALID(p) )
287  SCReturnInt(0);
288 
289  if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
290  if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
291  invert = 1;
292  } else {
293  invert = 0;
294  }
295  } else {
296  invert = 0;
297  }
298 
299  if (PKT_IS_IPV4(p)) {
300  ip_vers = 4;
301  ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
302  if (invert) {
303  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), saddr, sizeof(saddr));
304  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), daddr, sizeof(daddr));
305  sp = p->dp;
306  dp = p->sp;
307  } else {
308  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
309  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
310  sp = p->sp;
311  dp = p->dp;
312 
313  }
314  } else if (PKT_IS_IPV6(p)) {
315  ip_vers = 6;
316  ip_proto = IPV6_GET_L4PROTO(p);
317  if (invert) {
318  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), saddr, sizeof(saddr));
319  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), daddr, sizeof(daddr));
320  sp = p->dp;
321  dp = p->sp;
322  } else {
323  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
324  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
325  sp = p->sp;
326  dp = p->dp;
327  }
328  } else
329  SCReturnInt(0);
330 
331  ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
332  if (unlikely(ret < 0))
333  SCReturnInt(ret);
334 
335  ret = idmef_source_new_service(source, &service);
336  if (unlikely(ret < 0))
337  SCReturnInt(ret);
338 
339  if ( p->tcph || p->udph )
340  idmef_service_set_port(service, sp);
341 
342  idmef_service_set_ip_version(service, ip_vers);
343  idmef_service_set_iana_protocol_number(service, ip_proto);
344 
345  ret = idmef_source_new_node(source, &node);
346  if (unlikely(ret < 0))
347  SCReturnInt(ret);
348 
349  ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
350  if (unlikely(ret < 0))
351  SCReturnInt(ret);
352 
353  ret = idmef_address_new_address(address, &string);
354  if (unlikely(ret < 0))
355  SCReturnInt(ret);
356 
357  prelude_string_set_ref(string, saddr);
358 
359  ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
360  if (unlikely(ret < 0))
361  SCReturnInt(ret);
362 
363  ret = idmef_target_new_service(target, &service);
364  if (unlikely(ret < 0))
365  SCReturnInt(ret);
366 
367  if ( p->tcph || p->udph )
368  idmef_service_set_port(service, dp);
369 
370  idmef_service_set_ip_version(service, ip_vers);
371  idmef_service_set_iana_protocol_number(service, ip_proto);
372 
373  ret = idmef_target_new_node(target, &node);
374  if (unlikely(ret < 0))
375  SCReturnInt(ret);
376 
377  ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
378  if (unlikely(ret < 0))
379  SCReturnInt(ret);
380 
381  ret = idmef_address_new_address(address, &string);
382  if (unlikely(ret < 0))
383  SCReturnInt(ret);
384 
385  prelude_string_set_ref(string, daddr);
386 
387  SCReturnInt(0);
388 }
389 
390 /**
391  * \brief Add binary data, to be stored in the Additional Data
392  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
393  *
394  * \return 0 if ok
395  */
396 static int AddByteData(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
397 {
398  int ret;
399  prelude_string_t *str;
400  idmef_additional_data_t *ad;
401 
402  SCEnter();
403 
404  if ( ! data || ! size )
405  SCReturnInt(0);
406 
407  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
408  if (unlikely(ret < 0))
409  SCReturnInt(0);
410 
411  ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
412  if (unlikely(ret < 0)) {
413  SCLogDebug("%s: error setting byte string data: %s.",
414  prelude_strsource(ret), prelude_strerror(ret));
415  SCReturnInt(-1);
416  }
417 
418  ret = idmef_additional_data_new_meaning(ad, &str);
419  if (unlikely(ret < 0)) {
420  SCLogDebug("%s: error creating additional-data meaning: %s.",
421  prelude_strsource(ret), prelude_strerror(ret));
422  SCReturnInt(-1);
423  }
424 
425  ret = prelude_string_set_ref(str, meaning);
426  if (unlikely(ret < 0)) {
427  SCLogDebug("%s: error setting byte string data meaning: %s.",
428  prelude_strsource(ret), prelude_strerror(ret));
429  SCReturnInt(-1);
430  }
431 
432  SCReturnInt(0);
433 }
434 
435 /**
436  * \brief Add integer data, to be stored in the Additional Data
437  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
438  *
439  * \return 0 if ok
440  */
441 static int AddIntData(idmef_alert_t *alert, const char *meaning, uint32_t data)
442 {
443  int ret;
444  prelude_string_t *str;
445  idmef_additional_data_t *ad;
446 
447  SCEnter();
448 
449  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
450  if (unlikely(ret < 0))
451  SCReturnInt(ret);
452 
453  idmef_additional_data_set_integer(ad, data);
454 
455  ret = idmef_additional_data_new_meaning(ad, &str);
456  if (unlikely(ret < 0)) {
457  SCLogDebug("%s: error creating additional-data meaning: %s.",
458  prelude_strsource(ret), prelude_strerror(ret));
459  SCReturnInt(-1);
460  }
461 
462  ret = prelude_string_set_ref(str, meaning);
463  if (unlikely(ret < 0)) {
464  SCLogDebug("%s: error setting integer data meaning: %s.",
465  prelude_strsource(ret), prelude_strerror(ret));
466  SCReturnInt(-1);
467  }
468 
469  SCReturnInt(0);
470 }
471 
472 /**
473  * \brief Add string data, to be stored in the Additional Data
474  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
475  * \param alert IDMEF alert where to add additional data
476  * \param meaning Name of the value to add to IDMEF alert
477  * \param data String to add to IDMEF alert
478  * \return 0 if ok, else < 0
479  */
480 static int AddStringData(idmef_alert_t *alert, const char *meaning, const char *data)
481 {
482  int ret;
483  idmef_additional_data_t *ad;
484  prelude_string_t * p_str;
485 
486  SCEnter();
487 
488  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
489  if (unlikely(ret < 0))
490  SCReturnInt(ret);
491 
492  ret = idmef_additional_data_new_meaning(ad, &p_str);
493  if (ret < 0) {
494  idmef_additional_data_destroy(ad);
495  SCReturnInt(ret);
496  }
497 
498  ret = prelude_string_ncat(p_str, meaning, strlen(meaning));
499  if (ret < 0) {
500  idmef_additional_data_destroy(ad);
501  SCReturnInt(ret);
502  }
503 
504  ret = prelude_string_new(&p_str);
505  if (ret < 0) {
506  idmef_additional_data_destroy(ad);
507  SCReturnInt(ret);
508  }
509 
510  ret = prelude_string_ncat(p_str, data, strlen(data));
511  if (ret < 0) {
512  prelude_string_destroy(p_str);
513  idmef_additional_data_destroy(ad);
514  SCReturnInt(ret);
515  }
516 
517  ret = idmef_additional_data_set_string_dup_fast(ad, prelude_string_get_string(p_str), prelude_string_get_len(p_str));
518 
519  prelude_string_destroy(p_str);
520 
521  if (ret < 0) {
522  idmef_additional_data_destroy(ad);
523  SCReturnInt(ret);
524  }
525  SCReturnInt(0);
526 }
527 
528 /**
529  * \brief Add real data, to be stored in the Additional Data
530  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
531  * \param alert IDMEF alert where to add additional data
532  * \param meaning Name of the value to add to IDMEF alert
533  * \param data Real to add to IDMEF alert
534  * \return 0 if ok
535  */
536 static int AddRealData(idmef_alert_t *alert, const char *meaning, uint32_t data)
537 {
538  int ret;
539  prelude_string_t *str;
540  idmef_additional_data_t *ad;
541 
542  SCEnter();
543 
544  ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
545  if (unlikely(ret < 0))
546  SCReturnInt(ret);
547 
548  idmef_additional_data_set_real(ad, data);
549 
550  ret = idmef_additional_data_new_meaning(ad, &str);
551  if (unlikely(ret < 0)) {
552  SCLogDebug("%s: error creating additional-data meaning: %s.",
553  prelude_strsource(ret), prelude_strerror(ret));
554  SCReturnInt(-1);
555  }
556 
557  ret = prelude_string_set_ref(str, meaning);
558  if (unlikely(ret < 0)) {
559  SCLogDebug("%s: error setting integer data meaning: %s.",
560  prelude_strsource(ret), prelude_strerror(ret));
561  SCReturnInt(-1);
562  }
563 
564  SCReturnInt(0);
565 }
566 
567 /**
568  * \brief Add IPv4 header data, to be stored in the Additional Data
569  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
570  *
571  * \return 0 if ok
572  */
573 static int PacketToDataV4(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
574 {
575  SCEnter();
576 
577  AddIntData(alert, "ip_ver", IPV4_GET_RAW_VER(p->ip4h));
578  AddIntData(alert, "ip_hlen", IPV4_GET_RAW_HLEN(p->ip4h));
579  AddIntData(alert, "ip_tos", IPV4_GET_RAW_IPTOS(p->ip4h));
580  AddIntData(alert, "ip_len", SCNtohs(IPV4_GET_RAW_IPLEN(p->ip4h)));
581 
582  AddIntData(alert, "ip_id", SCNtohs(IPV4_GET_RAW_IPID(p->ip4h)));
583 
584  AddIntData(alert, "ip_off", SCNtohs(IPV4_GET_RAW_IPOFFSET(p->ip4h)));
585 
586  AddIntData(alert, "ip_ttl", IPV4_GET_RAW_IPTTL(p->ip4h));
587  AddIntData(alert, "ip_proto", IPV4_GET_RAW_IPPROTO(p->ip4h));
588 
589  AddIntData(alert, "ip_sum", SCNtohs(p->ip4h->ip_csum));
590 
591  SCReturnInt(0);
592 }
593 
594 /**
595  * \brief Add IPv6 header data, to be stored in the Additional Data
596  * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
597  *
598  * \return 0 if ok
599  */
600 static int PacketToDataV6(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
601 {
602  SCEnter();
603 
604  AddIntData(alert, "ip_ver", IPV6_GET_VER(p));
605  AddIntData(alert, "ip_class", IPV6_GET_CLASS(p));
606  AddIntData(alert, "ip_flow", IPV6_GET_FLOW(p));
607  AddIntData(alert, "ip_nh", IPV6_GET_NH(p));
608  AddIntData(alert, "ip_plen", IPV6_GET_PLEN(p));
609  AddIntData(alert, "ip_hlim", IPV6_GET_HLIM(p));
610  AddIntData(alert, "ip_proto", IPV6_GET_L4PROTO(p));
611 
612  SCReturnInt(0);
613 }
614 
615 /**
616  * \brief Convert JSON object to Prelude additional data with
617  * the right type of data. Browse the JSON object to get
618  * the key=value information.
619  * \param key Name of the JSON value
620  * \param value JSON object to add to the IDMEF alert
621  * \param alert IDMEF alert
622  * \return 0 if ok
623  */
624 static int JsonToAdditionalData(const char * key, json_t * value, idmef_alert_t *alert)
625 {
626  SCEnter();
627 
628  int ret = 0;
629  const char *key_js;
630  char local_key[128];
631  json_t *value_js;
632  size_t index;
633 
634  if (!json_is_object(value) && key == NULL)
635  SCReturnInt(-1);
636 
637  if (json_is_object(value)) {
638  json_object_foreach(value, key_js, value_js) {
639  if (key != NULL) {
640  snprintf(local_key, sizeof(local_key), "%s_%s", key, key_js);
641  } else {
642  snprintf(local_key, sizeof(local_key), "%s", key_js);
643  }
644  ret = JsonToAdditionalData(local_key, value_js, alert);
645  }
646  } else if (json_is_array(value)) {
647  json_array_foreach(value, index, value_js) {
648  ret = snprintf(local_key, sizeof(local_key), "%s_%ju", key, (uintmax_t)index);
649  if (ret < 0 || (size_t)ret >= sizeof(local_key)) {
650  SCLogError(SC_ERR_SPRINTF,"failed to construct key");
651  continue;
652  }
653  ret = JsonToAdditionalData(local_key, value_js, alert);
654  }
655  } else if (json_is_integer(value)) {
656  ret = AddIntData(alert, key, json_integer_value(value));
657  } else if (json_is_real(value)) {
658  ret = AddRealData(alert, key, json_real_value(value));
659  } else if (json_is_boolean(value)) {
660  ret = AddIntData(alert, key, json_is_true(value));
661  } else if (json_is_string(value)) {
662  ret = AddStringData(alert, key, json_string_value(value));
663  } else {
664  ret = AddStringData(alert, key, json_dumps(value, 0));
665  }
666  SCReturnInt(ret);
667 }
668 
669 /**
670  * \brief Handle ALPROTO_HTTP JSON information
671  * \param p Packet where to extract data
672  * \param pa Packet alert information
673  * \param alert IDMEF alert
674  * \return void
675  */
676 static void PacketToDataProtoHTTP(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
677 {
678  json_t *js;
679 
680  js = JsonHttpAddMetadata(p->flow, pa->tx_id);
681  if (js == NULL)
682  return;
683 
684  JsonToAdditionalData(NULL, js, alert);
685 
686  json_decref(js);
687 
688 }
689 
690 /**
691  * \brief Handle ALPROTO_HTTP2 JSON information
692  * \param p Packet where to extract data
693  * \param pa Packet alert information
694  * \param alert IDMEF alert
695  * \return void
696  */
697 static void PacketToDataProtoHTTP2(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
698 {
699  void *http2_state = FlowGetAppState(f);
700  if (http2_state) {
701  void *tx_ptr = rs_http2_state_get_tx(http2_state, pa->tx_id);
702  json_t *js = rs_http2_log_json(tx_ptr);
703  if (unlikely(js == NULL))
704  return;
705  JsonToAdditionalData(NULL, js, alert);
706  json_decref(js);
707  }
708 }
709 
710 /**
711  * \brief Handle ALPROTO_TLS JSON information
712  * \param p Packet where to extract data
713  * \param pa Packet alert information
714  * \param alert IDMEF alert
715  * \return void
716  */
717 static void PacketToDataProtoTLS(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
718 {
719  json_t *js;
720  SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
721 
722  if (ssl_state == NULL)
723  return;
724 
725  js = json_object();
726  if (js == NULL)
727  return;
728 
729  JsonTlsLogJSONBasic(js, ssl_state);
730  JsonTlsLogJSONExtended(js, ssl_state);
731  JsonToAdditionalData(NULL, js, alert);
732 
733  json_decref(js);
734 
735 }
736 
737 /**
738  * \brief Handle ALPROTO_SSH JSON information
739  * \param p Packet where to extract data
740  * \param pa Packet alert information
741  * \param alert IDMEF alert
742  * \return void
743  */
744 static void PacketToDataProtoSSH(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
745 {
746  json_t *js, *s_js;
747  void *ssh_state = FlowGetAppState(p->flow);
748 
749  if (ssh_state == NULL)
750  return;
751 
752  void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0);
753  BUG_ON(tx_ptr == NULL);
754  js = rs_ssh_log_json(tx_ptr);
755  if (unlikely(js == NULL))
756  return;
757 
758  s_js = json_object_get(js, "server");
759  if (s_js != NULL) {
760  JsonToAdditionalData(NULL, s_js, alert);
761  }
762 
763  s_js = json_object_get(js, "client");
764  if (s_js != NULL) {
765  JsonToAdditionalData(NULL, s_js, alert);
766  }
767 
768  json_decref(js);
769 
770 }
771 
772 /**
773  * \brief Handle ALPROTO_SMTP JSON information
774  * \param p Packet where to extract data
775  * \param pa Packet alert information
776  * \param alert IDMEF alert
777  * \return void
778  */
779 static void PacketToDataProtoSMTP(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
780 {
781  json_t *js;
782 
783  js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
784  if (js == NULL)
785  return;
786 
787  JsonToAdditionalData(NULL, js, alert);
788 
789  json_decref(js);
790 
791 }
792 
793 /**
794  * \brief Handle ALPROTO_(SMTP|IMAP) Email JSON information
795  * \param p Packet where to extract data
796  * \param pa Packet alert information
797  * \param alert IDMEF alert
798  * \return void
799  */
800 static void PacketToDataProtoEmail(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert)
801 {
802  json_t *js;
803 
804  js = JsonEmailAddMetadata(p->flow, pa->tx_id);
805  if (js == NULL)
806  return;
807 
808  JsonToAdditionalData(NULL, js, alert);
809 
810  json_decref(js);
811 
812 }
813 
814 /**
815  * \brief Convert IP packet to an IDMEF alert (RFC 4765).
816  * This function stores the alert SID (description and reference),
817  * the payload of the packet, and pre-processed data.
818  *
819  * \return 0 if ok
820  */
821 static int PacketToData(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert, AlertPreludeCtx *ctx)
822 {
823  SCEnter();
824 
825  if (unlikely(p == NULL))
826  SCReturnInt(0);
827 
828  if (p->flow != NULL) {
829  uint16_t proto = FlowGetAppProtocol(p->flow);
830  switch (proto) {
831  case ALPROTO_HTTP:
832  PacketToDataProtoHTTP(p, pa, alert);
833  break;
834  case ALPROTO_HTTP2:
835  PacketToDataProtoHTTP(p, pa, alert);
836  break;
837  case ALPROTO_TLS:
838  PacketToDataProtoTLS(p, pa, alert);
839  break;
840  case ALPROTO_SSH:
841  PacketToDataProtoSSH(p, pa, alert);
842  break;
843  case ALPROTO_SMTP:
844  case ALPROTO_IMAP:
845  PacketToDataProtoSMTP(p, pa, alert);
846  PacketToDataProtoEmail(p, pa, alert);
847  break;
848  }
849  }
850 
851  AddIntData(alert, "snort_rule_sid", pa->s->id);
852  AddIntData(alert, "snort_rule_rev", pa->s->rev);
853 
854  if (ctx->log_packet_header) {
855  if ( PKT_IS_IPV4(p) )
856  PacketToDataV4(p, pa, alert);
857 
858  else if ( PKT_IS_IPV6(p) )
859  PacketToDataV6(p, pa, alert);
860 
861  if ( PKT_IS_TCP(p) ) {
862  AddIntData(alert, "tcp_seq", TCP_GET_SEQ(p));
863  AddIntData(alert, "tcp_ack", TCP_GET_ACK(p));
864 
865  AddIntData(alert, "tcp_off", TCP_GET_OFFSET(p));
866  AddIntData(alert, "tcp_res", TCP_GET_X2(p));
867  AddIntData(alert, "tcp_flags", TCP_GET_FLAGS(p));
868 
869  AddIntData(alert, "tcp_win", TCP_GET_WINDOW(p));
870  AddIntData(alert, "tcp_sum", TCP_GET_SUM(p));
871  AddIntData(alert, "tcp_urp", TCP_GET_URG_POINTER(p));
872  if (p->tcpvars.ts_val != 0) {
873  AddIntData(alert, "tcp_tsval", TCP_GET_TSVAL(p));
874  }
875  if (p->tcpvars.ts_ecr != 0) {
876  AddIntData(alert, "tcp_tsecr", TCP_GET_TSECR(p));
877  }
878  if (p->tcph != NULL) {
879  AddIntData(alert, "tcp_wscale", TCP_GET_WSCALE(p));
880  }
881  if (TCP_HAS_SACKOK(p)) {
882  AddIntData(alert, "tcp_sackok", TCP_GET_SACKOK(p));
883  }
884  if (TCP_HAS_SACK(p)) {
885  AddIntData(alert, "tcp_sack_cnt", TCP_GET_SACK_CNT(p));
886  }
887  AddIntData(alert, "tcp_hlen", TCP_GET_HLEN(p));
888  }
889 
890  else if ( PKT_IS_UDP(p) ) {
891  AddIntData(alert, "udp_len", UDP_GET_LEN(p));
892  AddIntData(alert, "udp_sum", UDP_GET_SUM(p));
893  }
894 
895  else if ( PKT_IS_ICMPV4(p) ) {
896  AddIntData(alert, "icmp_type", ICMPV4_GET_TYPE(p));
897  AddIntData(alert, "icmp_code", ICMPV4_GET_CODE(p));
898  AddIntData(alert, "icmp_sum", ICMPV4_GET_RAW_CSUM(p));
899 
900  }
901 
902  else if ( PKT_IS_ICMPV6(p) ) {
903  AddIntData(alert, "icmp_type", ICMPV6_GET_TYPE(p));
904  AddIntData(alert, "icmp_code", ICMPV6_GET_CODE(p));
905  AddIntData(alert, "icmp_csum", ICMPV6_GET_RAW_CSUM(p));
906  }
907  }
908 
909  if (ctx->log_packet_content)
910  AddByteData(alert, "payload", p->payload, p->payload_len);
911 
912  SCReturnInt(0);
913 }
914 
915 /**
916  * \brief Store reference on rule (SID and GID) in the IDMEF alert,
917  * and embed an URL pointing to the rule description.
918  *
919  * \return 0 if ok
920  */
921 static int AddSnortReference(idmef_classification_t *class, int gen_id, int sig_id)
922 {
923  int ret;
924  prelude_string_t *str;
925  idmef_reference_t *ref;
926 
927  SCEnter();
928 
929  if ( sig_id >= SNORT_MAX_OWNED_SID )
930  SCReturnInt(0);
931 
932  ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
933  if (unlikely(ret < 0))
934  SCReturnInt(ret);
935 
936  ret = idmef_reference_new_name(ref, &str);
937  if (unlikely(ret < 0))
938  SCReturnInt(ret);
939 
940  idmef_reference_set_origin(ref, IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC);
941 
942  if ( gen_id == 0 )
943  ret = prelude_string_sprintf(str, "%u", sig_id);
944  else
945  ret = prelude_string_sprintf(str, "%u:%u", gen_id, sig_id);
946 
947  if (unlikely(ret < 0))
948  SCReturnInt(ret);
949 
950  ret = idmef_reference_new_meaning(ref, &str);
951  if (unlikely(ret < 0))
952  SCReturnInt(ret);
953 
954  ret = prelude_string_sprintf(str, "Snort Signature ID");
955  if (unlikely(ret < 0))
956  SCReturnInt(ret);
957 
958  ret = idmef_reference_new_url(ref, &str);
959  if (unlikely(ret < 0))
960  SCReturnInt(ret);
961 
962  if ( gen_id == 0 )
963  ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u", sig_id);
964  else
965  ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u-%u", gen_id, sig_id);
966 
967  SCReturnInt(ret);
968 }
969 
970 /**
971  * \brief Create event classification description (see section
972  * 4.2.4.2 of RFC 4765).
973  * The classification is the "name" of the alert, identification of the
974  * rule signature, and additional information on the rule.
975  *
976  * \return 0 if ok
977  */
978 static int EventToReference(const PacketAlert *pa, const Packet *p, idmef_classification_t *class)
979 {
980  int ret;
981  prelude_string_t *str;
982 
983  SCEnter();
984 
985  ret = idmef_classification_new_ident(class, &str);
986  if (unlikely(ret < 0))
987  SCReturnInt(ret);
988 
989  if ( pa->s->gid == 0 )
990  ret = prelude_string_sprintf(str, "%u", pa->s->id);
991  else
992  ret = prelude_string_sprintf(str, "%u:%u", pa->s->gid, pa->s->id);
993  if (unlikely(ret < 0))
994  SCReturnInt(ret);
995 
996  ret = AddSnortReference(class, pa->s->gid, pa->s->id);
997  if (unlikely(ret < 0))
998  SCReturnInt(ret);
999 
1000  SCReturnInt(0);
1001 }
1002 
1003 static int PreludePrintStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
1004 {
1005  int ret;
1006 
1007  ret = AddByteData((idmef_alert_t *)data, "stream-segment", buf, buflen);
1008  if (ret == 0)
1009  return 1;
1010  else
1011  return -1;
1012 }
1013 
1014 /**
1015  * \brief Initialize thread-specific data. Each thread structure contains
1016  * a pointer to the \a AlertPreludeCtx context.
1017  *
1018  * \return TM_ECODE_OK if ok, else TM_ECODE_FAILED
1019  */
1020 static TmEcode AlertPreludeThreadInit(ThreadVars *t, const void *initdata, void **data)
1021 {
1022  int ret;
1023  AlertPreludeThread *aun;
1024 
1025  SCEnter();
1026 
1027  if (unlikely(initdata == NULL)) {
1029  "Error getting context for Prelude. \"initdata\" argument NULL");
1031  }
1032 
1033  aun = SCMalloc(sizeof(AlertPreludeThread));
1034  if (unlikely(aun == NULL))
1036  memset(aun, 0, sizeof(AlertPreludeThread));
1037 
1038  /* Use the Ouput Context */
1039  aun->ctx = ((OutputCtx *)initdata)->data;
1040 
1041  /* Create a per-thread idmef analyzer */
1042  ret = idmef_analyzer_clone(prelude_client_get_analyzer(aun->ctx->client), &aun->analyzer);
1043  if (unlikely(ret < 0)) {
1045  "Error creating idmef analyzer for Prelude.");
1046 
1047  SCFree(aun);
1049  }
1050 
1051  *data = (void *)aun;
1053 }
1054 
1055 /**
1056  * \brief Free thread-specific data.
1057  *
1058  * \return TM_ECODE_OK if ok, else TM_ECODE_FAILED
1059  */
1060 static TmEcode AlertPreludeThreadDeinit(ThreadVars *t, void *data)
1061 {
1062  AlertPreludeThread *aun = (AlertPreludeThread *)data;
1063 
1064  SCEnter();
1065 
1066  if (unlikely(aun == NULL)) {
1067  SCLogDebug("AlertPreludeThreadDeinit done (error)");
1069  }
1070 
1071  /* clear memory */
1072  idmef_analyzer_destroy(aun->analyzer);
1073  memset(aun, 0, sizeof(AlertPreludeThread));
1074  SCFree(aun);
1075 
1077 }
1078 
1079 static void AlertPreludeDeinitCtx(OutputCtx *output_ctx)
1080 {
1081  AlertPreludeCtx *ctx = (AlertPreludeCtx *)output_ctx->data;
1082 
1083  prelude_client_destroy(ctx->client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1084  SCFree(output_ctx);
1085 }
1086 
1087 /** \brief Initialize the Prelude logging module: initialize
1088  * library, create the client and try to establish the connection
1089  * to the Prelude Manager.
1090  * Client flags are set to force asynchronous (non-blocking) mode for
1091  * both alerts and heartbeats.
1092  * This function requires an existing Prelude profile to work.
1093  *
1094  * \return A newly allocated AlertPreludeCtx structure, or NULL
1095  */
1096 static OutputInitResult AlertPreludeInitCtx(ConfNode *conf)
1097 {
1098  int ret;
1099  prelude_client_t *client;
1100  AlertPreludeCtx *ctx;
1101  const char *prelude_profile_name;
1102  const char *log_packet_content;
1103  const char *log_packet_header;
1104  OutputInitResult result = { NULL, false };
1105  OutputCtx *output_ctx;
1106 
1107  SCEnter();
1108 
1109  ret = prelude_init(0, NULL);
1110  if (unlikely(ret < 0)) {
1111  prelude_perror(ret, "unable to initialize the prelude library");
1112  SCReturnCT(result, "OutputInitResult");
1113  }
1114 
1115  prelude_profile_name = ConfNodeLookupChildValue(conf, "profile");
1116  if (prelude_profile_name == NULL)
1117  prelude_profile_name = DEFAULT_PRELUDE_PROFILE;
1118 
1119  log_packet_content = ConfNodeLookupChildValue(conf, "log-packet-content");
1120  log_packet_header = ConfNodeLookupChildValue(conf, "log-packet-header");
1121 
1122  ret = prelude_client_new(&client, prelude_profile_name);
1123  if ( unlikely(ret < 0 || client == NULL )) {
1124  prelude_perror(ret, "Unable to create a prelude client object");
1125  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1126  SCReturnCT(result, "OutputInitResult");
1127  }
1128 
1129  ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER|PRELUDE_CLIENT_FLAGS_ASYNC_SEND);
1130  if (unlikely(ret < 0)) {
1131  SCLogDebug("Unable to set asynchronous send and timer.");
1132  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1133  SCReturnCT(result, "OutputInitResult");
1134  }
1135 
1136  ret = SetupAnalyzer(prelude_client_get_analyzer(client));
1137  if (ret < 0) {
1138  SCLogDebug("Unable to setup prelude client analyzer.");
1139  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1140  SCReturnCT(result, "OutputInitResult");
1141  }
1142 
1143  ret = prelude_client_start(client);
1144  if (unlikely(ret < 0)) {
1145  prelude_perror(ret, "Unable to start prelude client");
1146  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1147  SCReturnCT(result, "OutputInitResult");
1148  }
1149 
1150  ctx = SCMalloc(sizeof(AlertPreludeCtx));
1151  if (unlikely(ctx == NULL)) {
1152  prelude_perror(ret, "Unable to allocate memory");
1153  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1154  SCReturnCT(result, "OutputInitResult");
1155  }
1156 
1157  ctx->client = client;
1158  ctx->log_packet_content = 0;
1159  ctx->log_packet_header = 1;
1160  if (log_packet_content && ConfValIsTrue(log_packet_content))
1161  ctx->log_packet_content = 1;
1162  if (log_packet_header && ConfValIsFalse(log_packet_header))
1163  ctx->log_packet_header = 0;
1164 
1165  output_ctx = SCMalloc(sizeof(OutputCtx));
1166  if (unlikely(output_ctx == NULL)) {
1167  SCFree(ctx);
1168  prelude_perror(ret, "Unable to allocate memory");
1169  prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
1170  SCReturnCT(result, "OutputInitResult");
1171  }
1172 
1173  output_ctx->data = ctx;
1174  output_ctx->DeInit = AlertPreludeDeinitCtx;
1175 
1176  result.ctx = output_ctx;
1177  result.ok = true;
1178  SCReturnCT(result, "OutputInitResult");
1179 }
1180 
1181 static int AlertPreludeCondition(ThreadVars *tv, const Packet *p)
1182 {
1183  if (p->alerts.cnt == 0)
1184  return FALSE;
1185  if (!IPH_IS_VALID(p))
1186  return FALSE;
1187  return TRUE;
1188 }
1189 
1190 /**
1191  * \brief Handle Suricata alert: convert it to and IDMEF alert (see RFC 4765)
1192  * and send it asynchronously (so, this function does not block and returns
1193  * immediately).
1194  * If the destination Prelude Manager is not available, the alert is spooled
1195  * (and the function also returns immediately).
1196  * An IDMEF object is created, and all available information is added: IP packet
1197  * header and data, rule signature ID, additional data like URL pointing to
1198  * rule description, CVE, etc.
1199  * The IDMEF alert has a reference to all created objects, so freeing it will
1200  * automatically free all allocated memory.
1201  *
1202  * \note This function is thread safe.
1203  *
1204  * \return TM_ECODE_OK if ok, else TM_ECODE_FAILED
1205  */
1206 static int AlertPreludeLogger(ThreadVars *tv, void *thread_data, const Packet *p)
1207 {
1208  AlertPreludeThread *apn = (AlertPreludeThread *)thread_data;
1209  int ret;
1210  idmef_time_t *time;
1211  idmef_alert_t *alert;
1212  prelude_string_t *str;
1213  idmef_message_t *idmef = NULL;
1214  idmef_classification_t *class;
1215  const PacketAlert *pa;
1216 
1217  SCEnter();
1218 
1219  if (unlikely(apn == NULL || apn->ctx == NULL)) {
1221  }
1222 
1223  if (p->alerts.cnt == 0)
1225 
1226  if ( !IPH_IS_VALID(p) )
1228 
1229  /* XXX which one to add to this alert? Lets see how Snort solves this.
1230  * For now just take last alert. */
1231  pa = &p->alerts.alerts[p->alerts.cnt-1];
1232  if (unlikely(pa->s == NULL))
1233  goto err;
1234 
1235  ret = idmef_message_new(&idmef);
1236  if (unlikely(ret < 0))
1238 
1239  ret = idmef_message_new_alert(idmef, &alert);
1240  if (unlikely(ret < 0))
1241  goto err;
1242 
1243  ret = idmef_alert_new_classification(alert, &class);
1244  if (unlikely(ret < 0))
1245  goto err;
1246 
1247  if (pa->s->class_msg) {
1248  ret = idmef_classification_new_text(class, &str);
1249  if (unlikely(ret < 0))
1250  goto err;
1251 
1252  prelude_string_set_ref(str, pa->s->class_msg);
1253  }
1254 
1255  ret = EventToImpact(pa, p, alert);
1256  if (unlikely(ret < 0))
1257  goto err;
1258 
1259  ret = EventToReference(pa, p, class);
1260  if (unlikely(ret < 0))
1261  goto err;
1262 
1263  ret = EventToSourceTarget(pa, p, alert);
1264  if (unlikely(ret < 0))
1265  goto err;
1266 
1267  ret = PacketToData(p, pa, alert, apn->ctx);
1268  if (unlikely(ret < 0))
1269  goto err;
1270 
1271  if (PKT_IS_TCP(p) && (pa->flags & PACKET_ALERT_FLAG_STATE_MATCH)) {
1272  uint8_t flag;
1273  if (p->flowflags & FLOW_PKT_TOSERVER) {
1274  flag = FLOW_PKT_TOCLIENT;
1275  } else {
1276  flag = FLOW_PKT_TOSERVER;
1277  }
1278  ret = StreamSegmentForEach(p, flag,
1279  PreludePrintStreamSegmentCallback,
1280  (void *)alert);
1281  }
1282  if (unlikely(ret < 0))
1283  goto err;
1284 
1285  ret = idmef_alert_new_detect_time(alert, &time);
1286  if (unlikely(ret < 0))
1287  goto err;
1288  idmef_time_set_from_timeval(time, &p->ts);
1289 
1290  ret = idmef_time_new_from_gettimeofday(&time);
1291  if (unlikely(ret < 0))
1292  goto err;
1293  idmef_alert_set_create_time(alert, time);
1294 
1295  idmef_alert_set_analyzer(alert, idmef_analyzer_ref(apn->analyzer), IDMEF_LIST_PREPEND);
1296 
1297  /* finally, send event */
1298  prelude_client_send_idmef(apn->ctx->client, idmef);
1299  idmef_message_destroy(idmef);
1300 
1302 
1303 err:
1304  if (idmef != NULL)
1305  idmef_message_destroy(idmef);
1307 }
1308 
1310 {
1311  OutputRegisterPacketModule(LOGGER_PRELUDE, "AlertPrelude", "alert-prelude",
1312  AlertPreludeInitCtx, AlertPreludeLogger, AlertPreludeCondition,
1313  AlertPreludeThreadInit, AlertPreludeThreadDeinit, NULL);
1314 }
1315 #endif /* PRELUDE */
IPV6_GET_VER
#define IPV6_GET_VER(p)
Definition: decode-ipv6.h:80
PKT_IS_UDP
#define PKT_IS_UDP(p)
Definition: decode.h:260
tm-threads.h
TCP_GET_OFFSET
#define TCP_GET_OFFSET(p)
Definition: decode-tcp.h:107
IPV4_GET_RAW_IPID
#define IPV4_GET_RAW_IPID(ip4h)
Definition: decode-ipv4.h:98
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
ICMPV4_GET_CODE
#define ICMPV4_GET_CODE(p)
Definition: decode-icmpv4.h:237
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:279
DEFAULT_PRELUDE_PROFILE
#define DEFAULT_PRELUDE_PROFILE
Definition: alert-prelude.c:91
IPV4_GET_RAW_IPPROTO
#define IPV4_GET_RAW_IPPROTO(ip4h)
Definition: decode-ipv4.h:101
ANALYZER_MANUFACTURER
#define ANALYZER_MANUFACTURER
Definition: alert-prelude.c:85
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
Definition: output-json-tls.c:293
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:258
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlerts_::alerts
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:300
StreamSegmentForEach
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
Packet_::payload
uint8_t * payload
Definition: decode.h:549
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:299
threads.h
output-json-tls.h
ICMPV6_GET_RAW_CSUM
#define ICMPV6_GET_RAW_CSUM(p)
Definition: decode-icmpv6.h:106
ICMPV6_GET_CODE
#define ICMPV6_GET_CODE(p)
Definition: decode-icmpv6.h:104
IPV4_GET_RAW_IPOFFSET
#define IPV4_GET_RAW_IPOFFSET(ip4h)
Definition: decode-ipv4.h:99
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
IPV6_GET_L4PROTO
#define IPV6_GET_L4PROTO(p)
Definition: decode-ipv6.h:93
util-privs.h
Packet_::tcpvars
TCPVars tcpvars
Definition: decode.h:523
proto
uint8_t proto
Definition: decode-template.h:0
TCP_GET_SACKOK
#define TCP_GET_SACKOK(p)
Definition: decode-tcp.h:102
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
AlertPreludeThread
struct AlertPreludeThread_ AlertPreludeThread
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:226
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:564
util-unittest.h
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1102
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TCP_GET_X2
#define TCP_GET_X2(p)
Definition: decode-tcp.h:108
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
TCP_GET_WSCALE
#define TCP_GET_WSCALE(p)
Definition: decode-tcp.h:98
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:280
OutputCtx_
Definition: tm-modules.h:78
IPV6_GET_PLEN
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
TCP_GET_WINDOW
#define TCP_GET_WINDOW(p)
Definition: decode-tcp.h:114
Signature_::gid
uint32_t gid
Definition: detect.h:562
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:259
TCP_GET_TSVAL
#define TCP_GET_TSVAL(p)
Definition: decode-tcp.h:85
TCPVars_::ts_ecr
uint32_t ts_ecr
Definition: decode-tcp.h:157
util-debug.h
util-error.h
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:221
IPV4_GET_RAW_IPTOS
#define IPV4_GET_RAW_IPTOS(ip4h)
Definition: decode-ipv4.h:96
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:44
output-json.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
ICMPV4_GET_TYPE
#define ICMPV4_GET_TYPE(p)
Definition: decode-icmpv4.h:235
AlertPreludeThread_
Definition: alert-prelude.c:111
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
AlertPreludeCtx_
Definition: alert-prelude.c:101
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:271
TCP_GET_SUM
#define TCP_GET_SUM(p)
Definition: decode-tcp.h:116
Packet_::sp
Port sp
Definition: decode.h:421
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:95
TCP_GET_TSECR
#define TCP_GET_TSECR(p)
Definition: decode-tcp.h:88
output-json-email-common.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:45
IPV6_GET_NH
#define IPV6_GET_NH(p)
Definition: decode-ipv6.h:86
TRUE
#define TRUE
Definition: suricata-common.h:33
ANALYZER_CLASS
#define ANALYZER_CLASS
Definition: alert-prelude.c:83
PKT_IS_ICMPV6
#define PKT_IS_ICMPV6(p)
Definition: decode.h:262
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
TCP_GET_SEQ
#define TCP_GET_SEQ(p)
Definition: decode-tcp.h:112
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:529
AlertPreludeRegister
void AlertPreludeRegister(void)
Definition: alert-prelude.c:1309
stream.h
AlertPreludeThread_::analyzer
idmef_analyzer_t * analyzer
Definition: alert-prelude.c:114
Packet_
Definition: decode.h:414
TCP_GET_SACK_CNT
#define TCP_GET_SACK_CNT(p)
Definition: decode-tcp.h:104
IPV4_GET_RAW_IPTTL
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition: decode-ipv4.h:100
SC_ERR_SPRINTF
@ SC_ERR_SPRINTF
Definition: util-error.h:42
ALPROTO_IMAP
@ ALPROTO_IMAP
Definition: app-layer-protos.h:35
conf.h
AlertPreludeThread_::ctx
AlertPreludeCtx * ctx
Definition: alert-prelude.c:113
TCP_HAS_SACK
#define TCP_HAS_SACK(p)
Definition: decode-tcp.h:91
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:509
IPV4_GET_RAW_VER
#define IPV4_GET_RAW_VER(ip4h)
Definition: decode-ipv4.h:94
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:253
TmEcode
TmEcode
Definition: tm-threads-common.h:79
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:249
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:59
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
alert-prelude.h
AlertPreludeCtx_::log_packet_header
int log_packet_header
Definition: alert-prelude.c:105
Signature_::class_msg
char * class_msg
Definition: detect.h:589
TCPVars_::ts_val
uint32_t ts_val
Definition: decode-tcp.h:156
PacketAlert_::flags
uint8_t flags
Definition: decode.h:278
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
IPV6_GET_FLOW
#define IPV6_GET_FLOW(p)
Definition: decode-ipv6.h:84
TCP_HAS_SACKOK
#define TCP_HAS_SACKOK(p)
Definition: decode-tcp.h:92
OutputInitResult_
Definition: output.h:43
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
UDP_GET_LEN
#define UDP_GET_LEN(p)
Definition: decode-udp.h:35
IPV6_GET_CLASS
#define IPV6_GET_CLASS(p)
Definition: decode-ipv6.h:82
AlertPreludeCtx_::log_packet_content
int log_packet_content
Definition: alert-prelude.c:104
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:220
Packet_::ts
struct timeval ts
Definition: decode.h:457
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:400
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:531
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
Signature_::rev
uint32_t rev
Definition: detect.h:563
AlertPreludeCtx
struct AlertPreludeCtx_ AlertPreludeCtx
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Signature_::prio
int prio
Definition: detect.h:564
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:261
util-optimize.h
OutputRegisterPacketModule
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:174
threadvars.h
FlowGetAppProtocol
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1097
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:273
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:225
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
Signature_::id
uint32_t id
Definition: detect.h:561
ICMPV6_GET_TYPE
#define ICMPV6_GET_TYPE(p)
Definition: decode-icmpv6.h:102
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:590
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
address
uint8_t address
Definition: decode-ppp.h:0
IPV6_GET_HLIM
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:90
output-json-ssh.h
IPV4Hdr_::ip_csum
uint16_t ip_csum
Definition: decode-ipv4.h:79
TCP_GET_HLEN
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:109
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:314
Packet_::udph
UDPHdr * udph
Definition: decode.h:533
ICMPV4_GET_RAW_CSUM
#define ICMPV4_GET_RAW_CSUM(p)
Definition: decode-icmpv4.h:239
TCP_GET_URG_POINTER
#define TCP_GET_URG_POINTER(p)
Definition: decode-tcp.h:115
PacketAlert_
Definition: decode.h:275
TCP_GET_FLAGS
#define TCP_GET_FLAGS(p)
Definition: decode-tcp.h:117
SNORT_MAX_OWNED_SID
#define SNORT_MAX_OWNED_SID
Definition: alert-prelude.c:88
ANALYZER_SID_URL
#define ANALYZER_SID_URL
Definition: alert-prelude.c:86
IPV4_GET_RAW_IPLEN
#define IPV4_GET_RAW_IPLEN(ip4h)
Definition: decode-ipv4.h:97
TCP_GET_ACK
#define TCP_GET_ACK(p)
Definition: decode-tcp.h:113
SC_ERR_INITIALIZATION
@ SC_ERR_INITIALIZATION
Definition: util-error.h:75
LOGGER_PRELUDE
@ LOGGER_PRELUDE
Definition: suricata-common.h:490
output-json-smtp.h
output-json-http.h
Signature_::msg
char * msg
Definition: detect.h:586
flow.h
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:361
Packet_::dp
Port dp
Definition: decode.h:429
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
IPH_IS_VALID
#define IPH_IS_VALID(p)
Definition: decode.h:266
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:257
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:288
debug.h
AlertPreludeCtx_::client
prelude_client_t * client
Definition: alert-prelude.c:103
UDP_GET_SUM
#define UDP_GET_SUM(p)
Definition: decode-udp.h:38
output.h
ANALYZER_MODEL
#define ANALYZER_MODEL
Definition: alert-prelude.c:84
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:870
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:842