1 /* Copyright (C) 2023-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "suricata-plugin.h"
20 
21 #include "output-packet.h"
22 #include "output-flow.h"
23 #include "output-tx.h"
24 #include "util-print.h"
25 
/**
 * \brief Packet logger callback: prints the source and destination IP of
 *        each packet it is invoked for, at NOTICE level.
 *
 * \param tv           Thread variables (not used by this example).
 * \param thread_data  Per-thread data from ThreadInit (not used by this example).
 * \param p            Packet being logged.
 *
 * \retval 0 always. A packet that is neither IPv4 nor IPv6 is reported as
 *         "Packet is not IP" and skipped.
 */
static int CustomPacketLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
    /* 46 bytes is INET6_ADDRSTRLEN: the longest textual IPv6 address plus NUL,
     * which also covers any IPv4 address. */
    char src_ip[46] = { 0 };
    char dst_ip[46] = { 0 };
    int af;
    const void *src_addr;
    const void *dst_addr;

    if (PacketIsIPv4(p)) {
        af = AF_INET;
        src_addr = (const void *)&(p->src.addr_data32[0]);
        dst_addr = (const void *)&(p->dst.addr_data32[0]);
    } else if (PacketIsIPv6(p)) {
        af = AF_INET6;
        src_addr = (const void *)&(p->src.address);
        dst_addr = (const void *)&(p->dst.address);
    } else {
        SCLogNotice("Packet is not IP");
        return 0;
    }

    /* PrintInet receives the destination size, so the fixed buffers bound the write. */
    PrintInet(af, src_addr, src_ip, sizeof(src_ip));
    PrintInet(af, dst_addr, dst_ip, sizeof(dst_ip));

    SCLogNotice("Packet: %s -> %s", src_ip, dst_ip);
    return 0;
}
43 
/**
 * \brief Condition callback paired with CustomPacketLogger at registration.
 *
 * Returning true means every packet reaches the logger. The registration API
 * takes this callback separately from the logger itself, so any filtering a
 * real plugin wants would belong here.
 *
 * \param tv           Thread variables (unused).
 * \param thread_data  Per-thread data from ThreadInit (unused).
 * \param p            Candidate packet (unused).
 *
 * \retval true always.
 */
static bool CustomPacketLoggerCondition(ThreadVars *tv, void *thread_data, const Packet *p)
{
    (void)tv;
    (void)thread_data;
    (void)p;

    return true;
}
49 
/**
 * \brief Flow logger callback: prints a flow as "src:port -> dst:port" at
 *        NOTICE level.
 *
 * When FLOW_DIR_REVERSED is set on the flow, the stored src/dst addresses and
 * sp/dp ports are swapped before printing -- presumably so that the logged
 * direction matches the flow's original initiator (confirm against flow.h).
 *
 * \param tv           Thread variables (not used by this example).
 * \param thread_data  Per-thread data from ThreadInit (not used by this example).
 * \param f            Flow being logged.
 *
 * \retval 0 always. A flow that is neither IPv4 nor IPv6 is still logged, with
 *         empty address strings.
 */
static int CustomFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
{
    /* 46 bytes is INET6_ADDRSTRLEN: longest textual IPv6 address plus NUL. */
    char src_ip[46] = { 0 };
    char dst_ip[46] = { 0 };
    const bool reversed = (f->flags & FLOW_DIR_REVERSED) != 0;
    const Port sp = reversed ? f->dp : f->sp;
    const Port dp = reversed ? f->sp : f->dp;

    if (FLOW_IS_IPV4(f)) {
        const void *first = reversed ? (const void *)&(f->dst.addr_data32[0])
                                     : (const void *)&(f->src.addr_data32[0]);
        const void *second = reversed ? (const void *)&(f->src.addr_data32[0])
                                      : (const void *)&(f->dst.addr_data32[0]);
        PrintInet(AF_INET, first, src_ip, sizeof(src_ip));
        PrintInet(AF_INET, second, dst_ip, sizeof(dst_ip));
    } else if (FLOW_IS_IPV6(f)) {
        const void *first = reversed ? (const void *)&(f->dst.address)
                                     : (const void *)&(f->src.address);
        const void *second = reversed ? (const void *)&(f->src.address)
                                      : (const void *)&(f->dst.address);
        PrintInet(AF_INET6, first, src_ip, sizeof(src_ip));
        PrintInet(AF_INET6, second, dst_ip, sizeof(dst_ip));
    }

    /* Port is uint16_t; it is promoted to int for the variadic call and printed with %u. */
    SCLogNotice("Flow: %s:%u -> %s:%u", src_ip, sp, dst_ip, dp);

    return 0;
}
81 
#if 0
/**
 * \brief Transaction logger callback for DNS. Compiled out together with its
 *        registration in Init() (see the comment there for the tracking issue);
 *        when enabled it only announces that a DNS transaction was seen.
 */
static int CustomDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state,
        void *tx, uint64_t tx_id)
{
    SCLogNotice("We have a DNS transaction");
    return 0;
}
#endif
90 
/**
 * \brief Per-thread setup hook handed to both logger registrations.
 *
 * \param tv        Thread variables (unused).
 * \param initdata  The initdata pointer supplied at registration (Init() passes NULL).
 * \param data      Out-pointer for per-thread data; left untouched because the
 *                  example loggers keep no per-thread state.
 *
 * \retval TM_ECODE_OK always.
 */
static TmEcode ThreadInit(ThreadVars *tv, const void *initdata, void **data)
{
    (void)tv;
    (void)initdata;
    (void)data;

    return TM_ECODE_OK;
}
95 
/**
 * \brief Per-thread teardown hook handed to both logger registrations.
 *
 * Nothing is released here; anything allocated in ThreadInit would be freed
 * through \p data at this point.
 *
 * \param tv    Thread variables (unused).
 * \param data  Per-thread data produced by ThreadInit (unused).
 *
 * \retval TM_ECODE_OK always.
 */
static TmEcode ThreadDeinit(ThreadVars *tv, void *data)
{
    (void)tv;
    (void)data;

    return TM_ECODE_OK;
}
102 
/**
 * \brief Plugin initialisation, reached through PluginRegistration.Init:
 *        registers the example packet logger (under LOGGER_USER) and the
 *        example flow logger, sharing ThreadInit/ThreadDeinit.
 *
 * Both registrations pass NULL as initdata, which is what ThreadInit receives.
 * NOTE(review): both registration functions return int; the results are not
 * checked here, so a failed registration would go unnoticed.
 */
static void Init(void)
{
    SCOutputRegisterPacketLogger(LOGGER_USER, "custom-packet-logger", CustomPacketLogger,
            CustomPacketLoggerCondition, NULL, ThreadInit, ThreadDeinit);
    SCOutputRegisterFlowLogger(
            "custom-flow-logger", CustomFlowLogger, NULL, ThreadInit, ThreadDeinit);

    /* Register a custom DNS transaction logger.
     *
     * Currently disabled due to https://redmine.openinfosecfoundation.org/issues/7236.
     */
#if 0
    OutputRegisterTxLogger(LOGGER_USER, "custom-dns-logger", ALPROTO_DNS, CustomDnsLogger, NULL, -1,
            -1, NULL, ThreadInit, ThreadDeinit);
#endif
}
119 
/** Plugin descriptor handed to Suricata by SCPluginRegister(); Init is the
 *  only hook it installs. */
const SCPlugin PluginRegistration = {
    .name = "CustomLogger",
    .author = "Firstname Lastname",
    .license = "GPLv2",
    .Init = Init,
};
126 
/**
 * \brief Exported entry point, presumably the symbol Suricata resolves when it
 *        loads the plugin; returns the static descriptor above.
 */
const SCPlugin *SCPluginRegister(void)
{
    return &PluginRegistration;
}