1 /* Copyright (C) 2023-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "suricata-plugin.h"
20 
21 #include "output-packet.h"
22 #include "output-flow.h"
23 #include "output-tx.h"
24 #include "util-print.h"
25 #include "output.h"
26 
/**
 * Example packet logger: prints the packet's source and destination IP
 * address at NOTICE level. Non-IP packets are reported as such and skipped.
 *
 * \param tv          per-thread variables (unused here)
 * \param thread_data per-thread data from ThreadInit (unused here)
 * \param p           packet to log
 * \return always 0
 */
static int CustomPacketLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
    /* 46 bytes fits the longest textual IPv6 address plus NUL. The buffers
     * are zero-filled so each is a valid (empty) string even if PrintInet
     * leaves it untouched. */
    char src_ip[46] = { 0 }, dst_ip[46] = { 0 };
    int af;
    const void *src_addr;
    const void *dst_addr;

    /* Pick the address family and the raw address fields once, then format
     * both addresses with a single pair of PrintInet calls. */
    if (PacketIsIPv4(p)) {
        af = AF_INET;
        src_addr = &(p->src.addr_data32[0]);
        dst_addr = &(p->dst.addr_data32[0]);
    } else if (PacketIsIPv6(p)) {
        af = AF_INET6;
        src_addr = &(p->src.address);
        dst_addr = &(p->dst.address);
    } else {
        SCLogNotice("Packet is not IP");
        return 0;
    }

    PrintInet(af, src_addr, src_ip, sizeof(src_ip));
    PrintInet(af, dst_addr, dst_ip, sizeof(dst_ip));
    SCLogNotice("Packet: %s -> %s", src_ip, dst_ip);
    return 0;
}
44 
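/**
 * Condition callback for the packet logger: decides per packet whether
 * CustomPacketLogger runs. This example logs every packet.
 *
 * The packet parameter is named (rather than left unnamed as allowed since
 * C23) so the definition also compiles under older language standards.
 *
 * \param tv          per-thread variables (unused here)
 * \param thread_data per-thread data from ThreadInit (unused here)
 * \param p           packet being considered (unused here)
 * \return true, always
 */
static bool CustomPacketLoggerCondition(ThreadVars *tv, void *thread_data, const Packet *p)
{
    (void)tv;
    (void)thread_data;
    (void)p;
    /* Always true for this example. */
    return true;
}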
50 
/**
 * Example flow logger: prints the flow's 5-tuple endpoints (IP:port ->
 * IP:port) at NOTICE level when the flow is logged.
 *
 * \param tv          per-thread variables (unused here)
 * \param thread_data per-thread data from ThreadInit (unused here)
 * \param f           flow to log
 * \return always 0
 */
static int CustomFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
{
    /* 46 bytes fits the longest textual IPv6 address plus NUL. Both buffers
     * are zero-filled so they stay valid (empty) strings if the flow is
     * neither IPv4 nor IPv6 or PrintInet leaves them untouched. */
    char src_ip[46] = { 0 }, dst_ip[46] = { 0 };

    /* When FLOW_DIR_REVERSED is set, the flow's src/dst addresses and sp/dp
     * ports are reported swapped. Select the side once here instead of
     * duplicating the address-family branches for each direction. */
    const bool reversed = (f->flags & FLOW_DIR_REVERSED) != 0;
    const Port sp = reversed ? f->dp : f->sp;
    const Port dp = reversed ? f->sp : f->dp;

    if (FLOW_IS_IPV4(f)) {
        const void *src_addr = reversed ? (const void *)&(f->dst.addr_data32[0])
                                        : (const void *)&(f->src.addr_data32[0]);
        const void *dst_addr = reversed ? (const void *)&(f->src.addr_data32[0])
                                        : (const void *)&(f->dst.addr_data32[0]);
        PrintInet(AF_INET, src_addr, src_ip, sizeof(src_ip));
        PrintInet(AF_INET, dst_addr, dst_ip, sizeof(dst_ip));
    } else if (FLOW_IS_IPV6(f)) {
        const void *src_addr = reversed ? (const void *)&(f->dst.address)
                                        : (const void *)&(f->src.address);
        const void *dst_addr = reversed ? (const void *)&(f->src.address)
                                        : (const void *)&(f->dst.address);
        PrintInet(AF_INET6, src_addr, src_ip, sizeof(src_ip));
        PrintInet(AF_INET6, dst_addr, dst_ip, sizeof(dst_ip));
    }

    SCLogNotice("Flow: %s:%u -> %s:%u", src_ip, sp, dst_ip, dp);

    return 0;
}
82 
/**
 * Example transaction logger bound to ALPROTO_DNS (see OnLoggingReady): it
 * only announces that a DNS transaction reached the logger.
 *
 * \param tv          per-thread variables (unused here)
 * \param thread_data per-thread data from ThreadInit (unused here)
 * \param p           packet that completed the transaction (unused here)
 * \param f           flow the transaction belongs to (unused here)
 * \param state       app-layer state (unused here)
 * \param tx          the transaction (unused here)
 * \param tx_id       id of the transaction (unused here)
 * \return always 0
 */
static int CustomDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state,
        void *tx, uint64_t tx_id)
{
    (void)tv;
    (void)thread_data;
    (void)p;
    (void)f;
    (void)state;
    (void)tx;
    (void)tx_id;

    SCLogNotice("We have a DNS transaction");
    return 0;
}
89 
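/**
 * Per-thread initialisation shared by all three loggers of this example.
 *
 * No per-thread state is needed, so nothing is allocated. The output
 * pointer is still set explicitly: the loggers and ThreadDeinit receive it
 * as thread_data, and writing it here guarantees they never see an
 * indeterminate value regardless of what the caller initialised it to.
 *
 * \param tv       per-thread variables (unused here)
 * \param initdata the initdata pointer given at registration (unused here)
 * \param data     out: per-thread data for the logger; set to NULL
 * \return TM_ECODE_OK
 */
static TmEcode ThreadInit(ThreadVars *tv, const void *initdata, void **data)
{
    (void)tv;
    (void)initdata;
    *data = NULL;
    return TM_ECODE_OK;
}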
94 
/**
 * Per-thread teardown shared by all three loggers of this example.
 *
 * ThreadInit allocates nothing, so there is no per-thread state to release;
 * a plugin that did allocate in ThreadInit would free it here.
 *
 * \param tv   per-thread variables (unused here)
 * \param data per-thread data produced by ThreadInit (unused here)
 * \return TM_ECODE_OK
 */
static TmEcode ThreadDeinit(ThreadVars *tv, void *data)
{
    (void)tv;
    (void)data;
    return TM_ECODE_OK;
}
101 
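/**
 * Callback invoked once the logging subsystem is ready (registered from
 * Init). Registers the example packet, flow and DNS transaction loggers.
 *
 * Each SCOutputRegister* function returns an int. The value is checked so a
 * logger that fails to register is reported instead of silently missing from
 * the output; a non-zero return is treated as failure (TODO(review): confirm
 * the 0 == success convention in output-packet.c / output-flow.c /
 * output-tx.c).
 *
 * \param arg the argument given to SCRegisterOnLoggingReady (NULL here)
 */
static void OnLoggingReady(void *arg)
{
    (void)arg;

    if (SCOutputRegisterPacketLogger(LOGGER_USER, "custom-packet-logger", CustomPacketLogger,
                CustomPacketLoggerCondition, NULL, ThreadInit, ThreadDeinit) != 0) {
        SCLogNotice("Failed to register custom-packet-logger");
    }
    if (SCOutputRegisterFlowLogger(
                "custom-flow-logger", CustomFlowLogger, NULL, ThreadInit, ThreadDeinit) != 0) {
        SCLogNotice("Failed to register custom-flow-logger");
    }
    /* The two -1 arguments are the tc/ts log-progress values and the NULL
     * before ThreadInit is the (absent) log condition; presumably this means
     * "log every DNS transaction" -- confirm against output-tx.c. */
    if (SCOutputRegisterTxLogger(LOGGER_USER, "custom-dns-logger", ALPROTO_DNS, CustomDnsLogger, NULL,
                -1, -1, NULL, ThreadInit, ThreadDeinit) != 0) {
        SCLogNotice("Failed to register custom-dns-logger");
    }
}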
111 
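/**
 * Plugin entry point called by Suricata after the plugin is loaded.
 *
 * The loggers cannot be registered yet at this point; only a callback is
 * registered here and the actual logger registration happens in
 * OnLoggingReady. SCRegisterOnLoggingReady returns an int; a non-zero value
 * is reported rather than dropped so a plugin whose callback never runs is
 * at least visible in the log (TODO(review): confirm the 0 == success
 * convention in output.c).
 */
static void Init(void)
{
    // Register our callback for when logging is ready.
    if (SCRegisterOnLoggingReady(OnLoggingReady, NULL) != 0) {
        SCLogNotice("Failed to register the on-logging-ready callback");
    }
}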
117 
/* Plugin descriptor handed to Suricata by SCPluginRegister. The API and
 * package version fields let the core reject a plugin built against a
 * different Suricata; the remaining fields are descriptive, plus the Init
 * hook that is run after loading. */
const SCPlugin PluginRegistration = {
    .version = SC_API_VERSION,
    .suricata_version = SC_PACKAGE_VERSION,
    .name = "CustomLogger",
    .plugin_version = "1.0.0",
    .author = "Firstname Lastname",
    .license = "GPLv2",
    .Init = Init,
};
127 
/**
 * Exported registration hook looked up by Suricata when loading the plugin.
 *
 * \return pointer to the static, constant plugin descriptor; it is owned by
 *         this module and must not be freed by the caller
 */
const SCPlugin *SCPluginRegister(void)
{
    const SCPlugin *descriptor = &PluginRegistration;
    return descriptor;
}