suricata
datasets-context-json.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Eric Leblond <el@stamus-networks.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 #include "rust.h"
27 #include "datasets.h"
28 #include "datasets-context-json.h"
29 #include "datasets-ipv4.h"
30 #include "datasets-ipv6.h"
31 #include "datasets-md5.h"
32 #include "datasets-sha256.h"
33 #include "datasets-string.h"
34 #include "util-byte.h"
35 #include "util-ip.h"
36 #include "util-debug.h"
37 
38 static int DatajsonAdd(
39  Dataset *set, const uint8_t *data, const uint32_t data_len, DataJsonType *json);
40 
41 static inline void DatajsonUnlockData(THashData *d)
42 {
43  (void)THashDecrUsecnt(d);
44  THashDataUnlock(d);
45 }
46 
47 void DatajsonUnlockElt(DataJsonResultType *r)
48 {
49  if (r->hashdata) {
50  DatajsonUnlockData(r->hashdata);
51  }
52 }
53 
54 int DatajsonCopyJson(DataJsonType *dst, DataJsonType *src)
55 {
56  dst->len = src->len;
57  dst->value = SCMalloc(dst->len + 1);
58  if (dst->value == NULL)
59  return -1;
60  memcpy(dst->value, src->value, dst->len);
61  dst->value[dst->len] = '\0'; // Ensure null-termination
62  return 0;
63 }
64 
65 /* return true if number is a float or an integer */
66 static bool IsFloat(const char *in, size_t ins)
67 {
68  char *endptr;
69  float val = strtof(in, &endptr);
70  const char *end_ins = in + ins - 1;
71  if (val != 0 && (endptr == end_ins)) {
72  return true;
73  }
74  /* if value is 0 then we need to check if some parsing has been done */
75  return val != 0 || endptr != in;
76 }
77 
78 static int ParseJsonLine(const char *in, size_t ins, DataJsonType *rep_out)
79 {
80  if (ins > DATAJSON_JSON_LENGTH) {
81  SCLogError("dataset: json string too long: %s", in);
82  return -1;
83  }
84 
85  json_error_t jerror;
86  json_t *msg = json_loads(in, 0, &jerror);
87  if (msg == NULL) {
88  /* JANSSON does not see an integer, float or a string as valid JSON.
89  So we need to exclude them from failure. */
90  if (!IsFloat(in, ins) && !((in[0] == '"') && (in[ins - 1] == '"'))) {
91  SCLogError("dataset: Invalid json: %s: '%s'", jerror.text, in);
92  return -1;
93  }
94  } else {
95  json_decref(msg);
96  }
97  rep_out->len = (uint16_t)ins;
98  rep_out->value = SCStrndup(in, ins);
99  if (rep_out->value == NULL) {
100  return -1;
101  }
102  return 0;
103 }
104 
105 static json_t *GetSubObjectByKey(json_t *json, const char *key)
106 {
107  if (!json || !key || !json_is_object(json)) {
108  return NULL;
109  }
110  if (strlen(key) > SIG_JSON_CONTENT_KEY_LEN) {
111  DEBUG_VALIDATE_BUG_ON(strlen(key) > SIG_JSON_CONTENT_KEY_LEN);
112  return NULL;
113  }
114 
115  const char *current_key = key;
116  json_t *current = json;
117  while (current_key) {
118  const char *dot = strchr(current_key, '.');
119 
120  size_t key_len = dot ? (size_t)(dot - current_key) : strlen(current_key);
121  char key_buffer[key_len + 1];
122  strlcpy(key_buffer, current_key, key_len + 1);
123 
124  if (json_is_object(current) == false) {
125  return NULL;
126  }
127  current = json_object_get(current, key_buffer);
128  if (current == NULL) {
129  return NULL;
130  }
131  current_key = dot ? dot + 1 : NULL;
132  }
133  return current;
134 }
135 
136 static int ParseJsonFile(const char *file, json_t **array, char *key)
137 {
138  json_t *json;
139  json_error_t error;
140  /* assume we have one single JSON element in FILE */
141  json = json_load_file(file, 0, &error);
142  if (json == NULL) {
143  FatalErrorOnInit("can't load JSON, error on line %d: %s", error.line, error.text);
144  return -1;
145  }
146 
147  if (key == NULL || strlen(key) == 0) {
148  *array = json;
149  } else {
150  *array = GetSubObjectByKey(json, key);
151  if (*array == NULL) {
152  SCLogError("dataset: %s failed to get key '%s'", file, key);
153  json_decref(json);
154  return -1;
155  }
156  json_incref(*array);
157  json_decref(json);
158  }
159  if (!json_is_array(*array)) {
160  FatalErrorOnInit("not an array");
161  json_decref(*array);
162  return -1;
163  }
164  return 0;
165 }
166 
167 static int DatajsonSetValue(
168  Dataset *set, const uint8_t *val, uint16_t val_len, json_t *value, const char *json_key)
169 {
170  DataJsonType elt = { .value = NULL, .len = 0 };
171  if (set->remove_key) {
172  json_object_del(value, json_key);
173  }
174 
175  elt.value = json_dumps(value, JSON_COMPACT);
176  if (elt.value == NULL) {
177  FatalErrorOnInit("json_dumps failed for %s/%s", set->name, set->load);
178  return 0;
179  }
180  if (strlen(elt.value) > DATAJSON_JSON_LENGTH) {
181  SCLogError("dataset: json string too long: %s/%s", set->name, set->load);
182  SCFree(elt.value);
183  elt.value = NULL;
184  return 0;
185  }
186  elt.len = (uint16_t)strlen(elt.value);
187 
188  int add_ret = DatajsonAdd(set, val, val_len, &elt);
189  if (add_ret < 0) {
190  FatalErrorOnInit("datajson data add failed %s/%s", set->name, set->load);
191  return 0;
192  }
193  return add_ret;
194 }
195 
196 /**
197  * \retval 1 data was added to the hash
198  * \retval 0 data was not added to the hash as it is already there
199  * \retval -1 failed to add data to the hash
200  */
201 static int DatajsonAddString(
202  Dataset *set, const uint8_t *data, const uint32_t data_len, const DataJsonType *json)
203 {
204  StringType lookup = { .ptr = (uint8_t *)data, .len = data_len, .json = *json };
205  struct THashDataGetResult res = THashGetFromHash(set->hash, &lookup);
206  if (res.data) {
207  DatajsonUnlockData(res.data);
208  return res.is_new ? 1 : 0;
209  }
210  return -1;
211 }
212 
213 static int DatajsonAddMd5(
214  Dataset *set, const uint8_t *data, const uint32_t data_len, const DataJsonType *json)
215 {
216  if (data_len != SC_MD5_LEN)
217  return -2;
218 
219  Md5Type lookup = { .json = *json };
220  memcpy(lookup.md5, data, SC_MD5_LEN);
221  struct THashDataGetResult res = THashGetFromHash(set->hash, &lookup);
222  if (res.data) {
223  DatajsonUnlockData(res.data);
224  return res.is_new ? 1 : 0;
225  }
226  return -1;
227 }
228 
229 static int DatajsonAddSha256(
230  Dataset *set, const uint8_t *data, const uint32_t data_len, const DataJsonType *json)
231 {
232  if (data_len != SC_SHA256_LEN)
233  return -2;
234 
235  Sha256Type lookup = { .json = *json };
236  memcpy(lookup.sha256, data, SC_SHA256_LEN);
237  struct THashDataGetResult res = THashGetFromHash(set->hash, &lookup);
238  if (res.data) {
239  DatajsonUnlockData(res.data);
240  return res.is_new ? 1 : 0;
241  }
242  return -1;
243 }
244 
245 static int DatajsonAddIPv4(
246  Dataset *set, const uint8_t *data, const uint32_t data_len, const DataJsonType *json)
247 {
248  if (data_len < SC_IPV4_LEN)
249  return -2;
250 
251  IPv4Type lookup = { .json = *json };
252  memcpy(lookup.ipv4, data, SC_IPV4_LEN);
253  struct THashDataGetResult res = THashGetFromHash(set->hash, &lookup);
254  if (res.data) {
255  DatajsonUnlockData(res.data);
256  return res.is_new ? 1 : 0;
257  }
258  return -1;
259 }
260 
261 static int DatajsonAddIPv6(
262  Dataset *set, const uint8_t *data, const uint32_t data_len, const DataJsonType *json)
263 {
264  if (data_len != SC_IPV6_LEN)
265  return -2;
266 
267  IPv6Type lookup = { .json = *json };
268  memcpy(lookup.ipv6, data, SC_IPV6_LEN);
269  struct THashDataGetResult res = THashGetFromHash(set->hash, &lookup);
270  if (res.data) {
271  DatajsonUnlockData(res.data);
272  return res.is_new ? 1 : 0;
273  }
274  return -1;
275 }
276 
277 /*
278  * \brief Add data to the dataset from a JSON object.
279  *
280  * \param set The dataset to add data to.
281  * \param data The data to add.
282  * \param data_len The length of the data.
283  * \param json The JSON object containing additional information.
284  *
285  * Memory allocated for the `json` parameter will be freed if the data
286  * is not added to the hash.
287  *
288  * \retval 1 Data was added to the hash.
289  * \retval 0 Data was not added to the hash as it is already there.
290  * \retval -1 Failed to add data to the hash.
291  */
292 static int DatajsonAdd(
293  Dataset *set, const uint8_t *data, const uint32_t data_len, DataJsonType *json)
294 {
295  if (json == NULL)
296  return -1;
297  if (json->value == NULL)
298  return -1;
299 
300  if (set == NULL) {
301  if (json->value != NULL) {
302  SCFree(json->value);
303  json->value = NULL;
304  }
305  return -1;
306  }
307 
308  int add_ret = 0;
309  switch (set->type) {
310  case DATASET_TYPE_STRING:
311  add_ret = DatajsonAddString(set, data, data_len, json);
312  break;
313  case DATASET_TYPE_MD5:
314  add_ret = DatajsonAddMd5(set, data, data_len, json);
315  break;
316  case DATASET_TYPE_SHA256:
317  add_ret = DatajsonAddSha256(set, data, data_len, json);
318  break;
319  case DATASET_TYPE_IPV4:
320  add_ret = DatajsonAddIPv4(set, data, data_len, json);
321  break;
322  case DATASET_TYPE_IPV6:
323  add_ret = DatajsonAddIPv6(set, data, data_len, json);
324  break;
325  default:
326  add_ret = -1;
327  break;
328  }
329 
330  SCFree(json->value);
331  json->value = NULL;
332 
333  return add_ret;
334 }
335 
336 static int DatajsonLoadTypeFromJSON(Dataset *set, char *json_key, char *array_key,
337  uint32_t (*DatajsonAddTypeElement)(Dataset *, json_t *, char *, bool *))
338 {
339  if (strlen(set->load) == 0)
340  return 0;
341 
342  SCLogConfig("dataset: %s loading from '%s'", set->name, set->load);
343 
344  uint32_t cnt = 0;
345  json_t *json;
346  bool found = false;
347  SCLogDebug("dataset: array_key '%s' %p", array_key, array_key);
348  if (ParseJsonFile(set->load, &json, array_key) == -1) {
349  SCLogError("dataset: %s failed to parse from '%s'", set->name, set->load);
350  return -1;
351  }
352 
353  size_t index;
354  json_t *value;
355  json_array_foreach (json, index, value) {
356  cnt += DatajsonAddTypeElement(set, value, json_key, &found);
357  }
358  json_decref(json);
359 
360  if (found == false) {
361  FatalErrorOnInit(
362  "No valid entries for key '%s' found in the file '%s'", json_key, set->load);
363  return -1;
364  }
365  THashConsolidateMemcap(set->hash);
366 
367  SCLogConfig("dataset: %s loaded %u records", set->name, cnt);
368  return 0;
369 }
370 
371 static uint32_t DatajsonLoadTypeFromJsonline(Dataset *set, char *json_key,
372  uint32_t (*DatajsonAddTypeElement)(Dataset *, json_t *, char *, bool *))
373 {
374  uint32_t cnt = 0;
375  FILE *fp = fopen(set->load, "r");
376  bool found = false;
377 
378  if (fp == NULL) {
379  SCLogError("dataset: %s failed to open file '%s'", set->name, set->load);
380  return 0;
381  }
382 
383  char line[DATAJSON_JSON_LENGTH];
384  while (fgets(line, sizeof(line), fp) != NULL) {
385  json_t *json = json_loads(line, 0, NULL);
386  if (json == NULL) {
387  SCLogError("dataset: %s failed to parse line '%s'", set->name, line);
388  goto out_err;
389  }
390  cnt += DatajsonAddTypeElement(set, json, json_key, &found);
391  json_decref(json);
392  }
393  int close_op = fclose(fp);
394  if (close_op != 0) {
395  SCLogError("dataset: %s failed to close file '%s'", set->name, set->load);
396  return 0;
397  }
398 
399  if (found == false) {
400  FatalErrorOnInit(
401  "No valid entries for key '%s' found in the file '%s'", json_key, set->load);
402  return 0;
403  }
404  return cnt;
405 out_err:
406  close_op = fclose(fp);
407  if (close_op != 0) {
408  SCLogError("dataset: %s failed to close file '%s'", set->name, set->load);
409  }
410  return 0;
411 }
412 
413 static uint32_t DatajsonAddStringElement(Dataset *set, json_t *value, char *json_key, bool *found)
414 {
415  json_t *key = GetSubObjectByKey(value, json_key);
416  if (key == NULL) {
417  /* ignore error as it can be a working mode where some entries
418  are not in the same format */
419  return 0;
420  }
421 
422  *found = true;
423  if (!json_is_string(key)) {
424  FatalErrorOnInit("dataset: %s failed to get value because it is not a string", set->name);
425  return 0;
426  }
427 
428  const char *val_key = json_string_value(key);
429  if (val_key == NULL) {
430  FatalErrorOnInit("dataset: %s failed to get value for key '%s'", set->name, json_key);
431  return 0;
432  }
433  size_t val_len = strlen(val_key);
434 
435  json_incref(key);
436  int ret = DatajsonSetValue(set, (const uint8_t *)val_key, (uint16_t)val_len, value, json_key);
437  json_decref(key);
438  if (ret < 0) {
439  FatalErrorOnInit("datajson data add failed %s/%s", set->name, set->load);
440  return 0;
441  }
442  return ret;
443 }
444 
445 static int DatajsonLoadString(Dataset *set, char *json_key, char *array_key, DatasetFormats format)
446 {
447  if (strlen(set->load) == 0)
448  return 0;
449 
450  SCLogConfig("dataset: %s loading from '%s'", set->name, set->load);
451 
452  uint32_t cnt = 0;
453  if (format == DATASET_FORMAT_JSON) {
454  cnt = DatajsonLoadTypeFromJSON(set, json_key, array_key, DatajsonAddStringElement);
455  } else if (format == DATASET_FORMAT_NDJSON) {
456  cnt = DatajsonLoadTypeFromJsonline(set, json_key, DatajsonAddStringElement);
457  }
458  THashConsolidateMemcap(set->hash);
459 
460  SCLogConfig("dataset: %s loaded %u records", set->name, cnt);
461  return 0;
462 }
463 
464 static uint32_t DatajsonAddMd5Element(Dataset *set, json_t *value, char *json_key, bool *found)
465 {
466  json_t *key = GetSubObjectByKey(value, json_key);
467  if (key == NULL) {
468  /* ignore error as it can be a working mode where some entries
469  are not in the same format */
470  return 0;
471  }
472 
473  *found = true;
474 
475  if (!json_is_string(key)) {
476  FatalErrorOnInit("dataset: %s failed to get value because it is not a string", set->name);
477  return 0;
478  }
479  const char *hash_string = json_string_value(key);
480  if (strlen(hash_string) != SC_MD5_HEX_LEN) {
481  FatalErrorOnInit("Not correct length for a hash");
482  return 0;
483  }
484 
485  uint8_t hash[SC_MD5_LEN];
486  if (HexToRaw((const uint8_t *)hash_string, SC_MD5_HEX_LEN, hash, sizeof(hash)) < 0) {
487  FatalErrorOnInit("bad hash for dataset %s/%s", set->name, set->load);
488  return 0;
489  }
490  return DatajsonSetValue(set, hash, SC_MD5_LEN, value, json_key);
491 }
492 
493 static int DatajsonLoadMd5(Dataset *set, char *json_key, char *array_key, DatasetFormats format)
494 {
495  if (strlen(set->load) == 0)
496  return 0;
497 
498  SCLogConfig("dataset: %s loading from '%s'", set->name, set->load);
499 
500  uint32_t cnt = 0;
501  if (format == DATASET_FORMAT_JSON) {
502  cnt = DatajsonLoadTypeFromJSON(set, json_key, array_key, DatajsonAddMd5Element);
503  } else if (format == DATASET_FORMAT_NDJSON) {
504  cnt = DatajsonLoadTypeFromJsonline(set, json_key, DatajsonAddMd5Element);
505  }
506  THashConsolidateMemcap(set->hash);
507 
508  SCLogConfig("dataset: %s loaded %u records", set->name, cnt);
509  return 0;
510 }
511 
512 static uint32_t DatajsonAddSha256Element(Dataset *set, json_t *value, char *json_key, bool *found)
513 {
514  json_t *key = GetSubObjectByKey(value, json_key);
515  if (key == NULL) {
516  /* ignore error as it can be a working mode where some entries
517  are not in the same format */
518  return 0;
519  }
520 
521  *found = true;
522 
523  if (!json_is_string(key)) {
524  FatalErrorOnInit("dataset: %s failed to get value because it is not a string", set->name);
525  return 0;
526  }
527  const char *hash_string = json_string_value(key);
528  if (strlen(hash_string) != SC_SHA256_HEX_LEN) {
529  FatalErrorOnInit("Not correct length for a hash");
530  return 0;
531  }
532 
533  uint8_t hash[SC_SHA256_LEN];
534  if (HexToRaw((const uint8_t *)hash_string, SC_SHA256_HEX_LEN, hash, sizeof(hash)) < 0) {
535  FatalErrorOnInit("bad hash for dataset %s/%s", set->name, set->load);
536  return 0;
537  }
538 
539  return DatajsonSetValue(set, hash, SC_SHA256_LEN, value, json_key);
540 }
541 
542 static int DatajsonLoadSha256(Dataset *set, char *json_key, char *array_key, DatasetFormats format)
543 {
544  if (strlen(set->load) == 0)
545  return 0;
546 
547  SCLogConfig("dataset: %s loading from '%s'", set->name, set->load);
548 
549  uint32_t cnt = 0;
550  if (format == DATASET_FORMAT_JSON) {
551  cnt = DatajsonLoadTypeFromJSON(set, json_key, array_key, DatajsonAddSha256Element);
552  } else if (format == DATASET_FORMAT_NDJSON) {
553  cnt = DatajsonLoadTypeFromJsonline(set, json_key, DatajsonAddSha256Element);
554  }
555  THashConsolidateMemcap(set->hash);
556 
557  SCLogConfig("dataset: %s loaded %u records", set->name, cnt);
558  return 0;
559 }
560 
561 static uint32_t DatajsonAddIpv4Element(Dataset *set, json_t *value, char *json_key, bool *found)
562 {
563  json_t *key = GetSubObjectByKey(value, json_key);
564  if (key == NULL) {
565  /* ignore error as it can be a working mode where some entries
566  are not in the same format */
567  return 0;
568  }
569 
570  *found = true;
571 
572  if (!json_is_string(key)) {
573  FatalErrorOnInit("dataset: %s failed to get value because it is not a string", set->name);
574  return 0;
575  }
576  const char *ip_string = json_string_value(key);
577  struct in_addr in;
578  if (inet_pton(AF_INET, ip_string, &in) != 1) {
579  FatalErrorOnInit("datajson IPv4 parse failed %s/%s: %s", set->name, set->load, ip_string);
580  return 0;
581  }
582 
583  return DatajsonSetValue(set, (const uint8_t *)&in.s_addr, SC_IPV4_LEN, value, json_key);
584 }
585 
586 static int DatajsonLoadIPv4(Dataset *set, char *json_key, char *array_key, DatasetFormats format)
587 {
588  if (strlen(set->load) == 0)
589  return 0;
590 
591  SCLogConfig("dataset: %s loading from '%s'", set->name, set->load);
592  uint32_t cnt = 0;
593 
594  if (format == DATASET_FORMAT_JSON) {
595  cnt = DatajsonLoadTypeFromJSON(set, json_key, array_key, DatajsonAddIpv4Element);
596  } else if (format == DATASET_FORMAT_NDJSON) {
597  cnt = DatajsonLoadTypeFromJsonline(set, json_key, DatajsonAddIpv4Element);
598  }
599  THashConsolidateMemcap(set->hash);
600 
601  SCLogConfig("dataset: %s loaded %u records", set->name, cnt);
602  return 0;
603 }
604 
605 static uint32_t DatajsonAddIPv6Element(Dataset *set, json_t *value, char *json_key, bool *found)
606 {
607  json_t *key = GetSubObjectByKey(value, json_key);
608  if (key == NULL) {
609  /* ignore error as it can be a working mode where some entries
610  are not in the same format */
611  return 0;
612  }
613 
614  *found = true;
615 
616  if (!json_is_string(key)) {
617  FatalErrorOnInit("dataset: %s failed to get value because it is not a string", set->name);
618  return 0;
619  }
620  const char *ip_string = json_string_value(key);
621  struct in6_addr in6;
622  int ret = DatasetParseIpv6String(set, ip_string, &in6);
623  if (ret < 0) {
624  FatalErrorOnInit("unable to parse IP address");
625  return 0;
626  }
627 
628  return DatajsonSetValue(set, (const uint8_t *)&in6.s6_addr, SC_IPV6_LEN, value, json_key);
629 }
630 
631 static int DatajsonLoadIPv6(Dataset *set, char *json_key, char *array_key, DatasetFormats format)
632 {
633  if (strlen(set->load) == 0)
634  return 0;
635 
636  SCLogConfig("dataset: %s loading from '%s'", set->name, set->load);
637 
638  uint32_t cnt = 0;
639 
640  if (format == DATASET_FORMAT_JSON) {
641  cnt = DatajsonLoadTypeFromJSON(set, json_key, array_key, DatajsonAddIPv6Element);
642  } else if (format == DATASET_FORMAT_NDJSON) {
643  cnt = DatajsonLoadTypeFromJsonline(set, json_key, DatajsonAddIPv6Element);
644  }
645 
646  THashConsolidateMemcap(set->hash);
647 
648  SCLogConfig("dataset: %s loaded %u records", set->name, cnt);
649  return 0;
650 }
651 
652 Dataset *DatajsonGet(const char *name, enum DatasetTypes type, const char *load, uint64_t memcap,
653  uint32_t hashsize, char *json_key_value, char *json_array_key, DatasetFormats format,
654  bool remove_key)
655 {
656  Dataset *set = NULL;
657 
658  DatasetLock();
659  int ret = DatasetGetOrCreate(name, type, NULL, load, &memcap, &hashsize, &set);
660  if (ret < 0) {
661  SCLogError("dataset with JSON %s creation failed", name);
662  DatasetUnlock();
663  return NULL;
664  }
665  if (ret == 1) {
666  SCLogDebug("dataset %s already exists", name);
667  if (set->remove_key != remove_key) {
668  SCLogError("dataset %s remove_key mismatch: %d != %d", set->name, set->remove_key,
669  remove_key);
670  DatasetUnlock();
671  return NULL;
672  }
673  DatasetUnlock();
674  return set;
675  }
676 
677  set->remove_key = remove_key;
678 
679  char cnf_name[128];
680  snprintf(cnf_name, sizeof(cnf_name), "datasets.%s.hash", name);
681  switch (type) {
682  case DATASET_TYPE_MD5:
683  set->hash = THashInit(cnf_name, sizeof(Md5Type), Md5StrJsonSet, Md5StrJsonFree,
684  Md5StrHash, Md5StrCompare, NULL, Md5StrJsonGetLength, load != NULL ? 1 : 0,
685  memcap, hashsize);
686  if (set->hash == NULL)
687  goto out_err;
688  if (DatajsonLoadMd5(set, json_key_value, json_array_key, format) < 0)
689  goto out_err;
690  break;
691  case DATASET_TYPE_STRING:
692  set->hash = THashInit(cnf_name, sizeof(StringType), StringJsonSet, StringJsonFree,
693  StringHash, StringCompare, NULL, StringJsonGetLength, load != NULL ? 1 : 0,
694  memcap, hashsize);
695  if (set->hash == NULL)
696  goto out_err;
697  if (DatajsonLoadString(set, json_key_value, json_array_key, format) < 0) {
698  SCLogError("dataset %s loading failed", name);
699  goto out_err;
700  }
701  break;
702  case DATASET_TYPE_SHA256:
703  set->hash = THashInit(cnf_name, sizeof(Sha256Type), Sha256StrJsonSet, Sha256StrJsonFree,
704  Sha256StrHash, Sha256StrCompare, NULL, Sha256StrJsonGetLength,
705  load != NULL ? 1 : 0, memcap, hashsize);
706  if (set->hash == NULL)
707  goto out_err;
708  if (DatajsonLoadSha256(set, json_key_value, json_array_key, format) < 0)
709  goto out_err;
710  break;
711  case DATASET_TYPE_IPV4:
712  set->hash = THashInit(cnf_name, sizeof(IPv4Type), IPv4JsonSet, IPv4JsonFree, IPv4Hash,
713  IPv4Compare, NULL, IPv4JsonGetLength, load != NULL ? 1 : 0, memcap, hashsize);
714  if (set->hash == NULL)
715  goto out_err;
716  if (DatajsonLoadIPv4(set, json_key_value, json_array_key, format) < 0)
717  goto out_err;
718  break;
719  case DATASET_TYPE_IPV6:
720  set->hash = THashInit(cnf_name, sizeof(IPv6Type), IPv6JsonSet, IPv6JsonFree, IPv6Hash,
721  IPv6Compare, NULL, IPv6JsonGetLength, load != NULL ? 1 : 0, memcap, hashsize);
722  if (set->hash == NULL)
723  goto out_err;
724  if (DatajsonLoadIPv6(set, json_key_value, json_array_key, format) < 0)
725  goto out_err;
726  break;
727  }
728 
729  SCLogDebug(
730  "set %p/%s type %u save %s load %s", set, set->name, set->type, set->save, set->load);
731 
732  if (DatasetAppendSet(set) < 0) {
733  SCLogError("dataset %s append failed", name);
734  goto out_err;
735  }
736 
737  DatasetUnlock();
738  return set;
739 out_err:
740  if (set->hash) {
741  THashShutdown(set->hash);
742  }
743  SCFree(set);
744  DatasetUnlock();
745  return NULL;
746 }
747 
748 static DataJsonResultType DatajsonLookupString(
749  Dataset *set, const uint8_t *data, const uint32_t data_len)
750 {
751  DataJsonResultType rrep = { .found = false, .json = { .value = NULL, .len = 0 } };
752 
753  if (set == NULL)
754  return rrep;
755 
756  StringType lookup = {
757  .ptr = (uint8_t *)data, .len = data_len, .json.value = NULL, .json.len = 0
758  };
759  THashData *rdata = THashLookupFromHash(set->hash, &lookup);
760  if (rdata) {
761  StringType *found = rdata->data;
762  rrep.found = true;
763  rrep.json = found->json;
764  rrep.hashdata = rdata;
765  return rrep;
766  }
767  return rrep;
768 }
769 
770 static DataJsonResultType DatajsonLookupMd5(
771  Dataset *set, const uint8_t *data, const uint32_t data_len)
772 {
773  DataJsonResultType rrep = { .found = false, .json = { .value = NULL, .len = 0 } };
774 
775  if (set == NULL)
776  return rrep;
777 
778  if (data_len != SC_MD5_LEN)
779  return rrep;
780 
781  Md5Type lookup = { .json.value = NULL, .json.len = 0 };
782  memcpy(lookup.md5, data, data_len);
783  THashData *rdata = THashLookupFromHash(set->hash, &lookup);
784  if (rdata) {
785  Md5Type *found = rdata->data;
786  rrep.found = true;
787  rrep.json = found->json;
788  rrep.hashdata = rdata;
789  return rrep;
790  }
791  return rrep;
792 }
793 
794 static DataJsonResultType DatajsonLookupSha256(
795  Dataset *set, const uint8_t *data, const uint32_t data_len)
796 {
797  DataJsonResultType rrep = { .found = false, .json = { .value = NULL, .len = 0 } };
798 
799  if (set == NULL)
800  return rrep;
801 
802  if (data_len != SC_SHA256_LEN)
803  return rrep;
804 
805  Sha256Type lookup = { .json.value = NULL, .json.len = 0 };
806  memcpy(lookup.sha256, data, data_len);
807  THashData *rdata = THashLookupFromHash(set->hash, &lookup);
808  if (rdata) {
809  Sha256Type *found = rdata->data;
810  rrep.found = true;
811  rrep.json = found->json;
812  rrep.hashdata = rdata;
813  return rrep;
814  }
815  return rrep;
816 }
817 
818 static DataJsonResultType DatajsonLookupIPv4(
819  Dataset *set, const uint8_t *data, const uint32_t data_len)
820 {
821  DataJsonResultType rrep = { .found = false, .json = { .value = NULL, .len = 0 } };
822 
823  if (set == NULL)
824  return rrep;
825 
826  if (data_len != SC_IPV4_LEN)
827  return rrep;
828 
829  IPv4Type lookup = { .json.value = NULL, .json.len = 0 };
830  memcpy(lookup.ipv4, data, data_len);
831  THashData *rdata = THashLookupFromHash(set->hash, &lookup);
832  if (rdata) {
833  IPv4Type *found = rdata->data;
834  rrep.found = true;
835  rrep.json = found->json;
836  rrep.hashdata = rdata;
837  return rrep;
838  }
839  return rrep;
840 }
841 
842 static DataJsonResultType DatajsonLookupIPv6(
843  Dataset *set, const uint8_t *data, const uint32_t data_len)
844 {
845  DataJsonResultType rrep = { .found = false, .json = { .value = NULL, .len = 0 } };
846 
847  if (set == NULL)
848  return rrep;
849 
850  /* We can have IPv4 or IPV6 here due to ip.src and ip.dst implementation */
851  if (data_len != SC_IPV6_LEN && data_len != SC_IPV4_LEN)
852  return rrep;
853 
854  IPv6Type lookup = { .json.value = NULL, .json.len = 0 };
855  memcpy(lookup.ipv6, data, data_len);
856  THashData *rdata = THashLookupFromHash(set->hash, &lookup);
857  if (rdata) {
858  IPv6Type *found = rdata->data;
859  rrep.found = true;
860  rrep.json = found->json;
861  rrep.hashdata = rdata;
862  return rrep;
863  }
864  return rrep;
865 }
866 
867 DataJsonResultType DatajsonLookup(Dataset *set, const uint8_t *data, const uint32_t data_len)
868 {
869  DataJsonResultType rrep = { .found = false, .json = { .value = 0 } };
870  if (set == NULL)
871  return rrep;
872 
873  switch (set->type) {
874  case DATASET_TYPE_STRING:
875  return DatajsonLookupString(set, data, data_len);
876  case DATASET_TYPE_MD5:
877  return DatajsonLookupMd5(set, data, data_len);
878  case DATASET_TYPE_SHA256:
879  return DatajsonLookupSha256(set, data, data_len);
880  case DATASET_TYPE_IPV4:
881  return DatajsonLookupIPv4(set, data, data_len);
882  case DATASET_TYPE_IPV6:
883  return DatajsonLookupIPv6(set, data, data_len);
884  default:
885  break;
886  }
887  return rrep;
888 }
889 
890 /** \brief add serialized data to json set
891  * \retval int 1 added
892  * \retval int 0 already in hash
893  * \retval int -1 API error (not added)
894  * \retval int -2 DATA error
895  */
896 int DatajsonAddSerialized(Dataset *set, const char *value, const char *json)
897 {
898  if (set == NULL)
899  return -1;
900 
901  if (strlen(value) == 0)
902  return -1;
903 
904  DataJsonType jvalue = { .value = NULL, .len = 0 };
905  if (json) {
906  if (ParseJsonLine(json, strlen(json), &jvalue) < 0) {
907  SCLogNotice("bad json value for dataset %s/%s", set->name, set->load);
908  return -1;
909  }
910  }
911 
912  int ret = -1;
913  switch (set->type) {
914  case DATASET_TYPE_STRING: {
915  if (strlen(value) > UINT16_MAX) {
916  // size check before stack allocation
917  // should never happen as unix socket callers limits it to 4k
918  SCFree(jvalue.value);
919  return -1;
920  }
921  uint32_t decoded_size = SCBase64DecodeBufferSize((uint32_t)strlen(value));
922  uint8_t decoded[decoded_size];
923  uint32_t num_decoded = SCBase64Decode(
924  (const uint8_t *)value, strlen(value), SCBase64ModeStrict, decoded);
925  if (num_decoded == 0)
926  goto operror;
927  ret = DatajsonAdd(set, decoded, num_decoded, &jvalue);
928  break;
929  }
930  case DATASET_TYPE_MD5: {
931  if (strlen(value) != SC_MD5_HEX_LEN)
932  goto operror;
933  uint8_t hash[SC_MD5_LEN];
934  if (HexToRaw((const uint8_t *)value, SC_MD5_HEX_LEN, hash, sizeof(hash)) < 0)
935  goto operror;
936  ret = DatajsonAdd(set, hash, SC_MD5_LEN, &jvalue);
937  break;
938  }
939  case DATASET_TYPE_SHA256: {
940  if (strlen(value) != SC_SHA256_HEX_LEN)
941  goto operror;
942  uint8_t hash[SC_SHA256_LEN];
943  if (HexToRaw((const uint8_t *)value, SC_SHA256_HEX_LEN, hash, sizeof(hash)) < 0)
944  goto operror;
945  ret = DatajsonAdd(set, hash, SC_SHA256_LEN, &jvalue);
946  break;
947  }
948  case DATASET_TYPE_IPV4: {
949  struct in_addr in;
950  if (inet_pton(AF_INET, value, &in) != 1)
951  goto operror;
952  ret = DatajsonAdd(set, (uint8_t *)&in.s_addr, SC_IPV4_LEN, &jvalue);
953  break;
954  }
955  case DATASET_TYPE_IPV6: {
956  struct in6_addr in6;
957  if (DatasetParseIpv6String(set, value, &in6) != 0) {
958  SCLogError("Dataset failed to import %s as IPv6", value);
959  goto operror;
960  }
961  ret = DatajsonAdd(set, (uint8_t *)&in6.s6_addr, SC_IPV6_LEN, &jvalue);
962  break;
963  }
964  }
965  SCFree(jvalue.value);
966  return ret;
967 operror:
968  SCFree(jvalue.value);
969  return -2;
970 }
DatajsonLookup
DataJsonResultType DatajsonLookup(Dataset *set, const uint8_t *data, const uint32_t data_len)
Definition: datasets-context-json.c:867
Sha256StrJsonSet
int Sha256StrJsonSet(void *dst, void *src)
Definition: datasets-sha256.c:41
DataJsonType::len
uint16_t len
Definition: datasets-context-json.h:34
util-byte.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
datasets-string.h
THashDataGetResult::data
THashData * data
Definition: util-thash.h:192
datasets-md5.h
IPv4JsonSet
int IPv4JsonSet(void *dst, void *src)
Definition: datasets-ipv4.c:41
Dataset::name
char name[DATASET_NAME_MAX_LEN+1]
Definition: datasets.h:56
Dataset::save
char save[PATH_MAX]
Definition: datasets.h:65
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
datasets-sha256.h
IPv6Compare
bool IPv6Compare(void *a, void *b)
Definition: datasets-ipv6.c:56
name
const char * name
Definition: detect-engine-proto.c:48
StringJsonFree
void StringJsonFree(void *s)
Definition: datasets-string.c:127
HexToRaw
int HexToRaw(const uint8_t *in, size_t ins, uint8_t *out, size_t outs)
Definition: util-byte.c:771
SC_SHA256_LEN
#define SC_SHA256_LEN
Definition: util-file.h:104
Md5Type
Definition: datasets-md5.h:30
Dataset::hash
THashTableContext * hash
Definition: datasets.h:62
type
uint8_t type
Definition: decode-sctp.h:0
IPv4JsonFree
void IPv4JsonFree(void *s)
Definition: datasets-ipv4.c:74
DatasetFormats
DatasetFormats
Definition: datasets.h:39
IPv4Hash
uint32_t IPv4Hash(uint32_t hash_seed, void *s)
Definition: datasets-ipv4.c:63
Sha256Type::sha256
uint8_t sha256[32]
Definition: datasets-sha256.h:31
Dataset::type
enum DatasetTypes type
Definition: datasets.h:57
THashConsolidateMemcap
void THashConsolidateMemcap(THashTableContext *ctx)
Definition: util-thash.c:345
SC_IPV6_LEN
#define SC_IPV6_LEN
Definition: util-ip.h:29
rust.h
DATASET_TYPE_SHA256
@ DATASET_TYPE_SHA256
Definition: datasets.h:49
StringJsonGetLength
uint32_t StringJsonGetLength(void *s)
Definition: datasets-string.c:136
Md5Type::md5
uint8_t md5[16]
Definition: datasets-md5.h:31
DataJsonResultType::found
bool found
Definition: datasets-context-json.h:38
DATASET_TYPE_IPV6
@ DATASET_TYPE_IPV6
Definition: datasets.h:51
Md5StrCompare
bool Md5StrCompare(void *a, void *b)
Definition: datasets-md5.c:57
DatajsonUnlockElt
void DatajsonUnlockElt(DataJsonResultType *r)
Definition: datasets-context-json.c:47
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
DataJsonResultType::hashdata
THashData * hashdata
Definition: datasets-context-json.h:40
DataJsonResultType
Definition: datasets-context-json.h:37
datasets.h
IPv4JsonGetLength
uint32_t IPv4JsonGetLength(void *s)
Definition: datasets-ipv4.c:82
util-debug.h
DatasetGetOrCreate
int DatasetGetOrCreate(const char *name, enum DatasetTypes type, const char *save, const char *load, uint64_t *memcap, uint32_t *hashsize, Dataset **ret_set)
Definition: datasets.c:369
datasets-ipv6.h
IPv6Type::ipv6
uint8_t ipv6[16]
Definition: datasets-ipv6.h:31
SIG_JSON_CONTENT_KEY_LEN
#define SIG_JSON_CONTENT_KEY_LEN
Definition: detect.h:1280
util-ip.h
DataJsonResultType::json
DataJsonType json
Definition: datasets-context-json.h:39
datasets-ipv4.h
IPv6JsonGetLength
uint32_t IPv6JsonGetLength(void *s)
Definition: datasets-ipv6.c:83
Md5StrHash
uint32_t Md5StrHash(uint32_t hash_seed, void *s)
Definition: datasets-md5.c:65
THashDataGetResult
Definition: util-thash.h:191
StringType
Definition: datasets-string.h:30
Md5Type::json
DataJsonType json
Definition: datasets-md5.h:34
Sha256Type::json
DataJsonType json
Definition: datasets-sha256.h:34
DatasetLock
void DatasetLock(void)
Definition: datasets.c:102
IPv6Type
Definition: datasets-ipv6.h:30
IPv4Type::json
DataJsonType json
Definition: datasets-ipv4.h:34
DATASET_TYPE_IPV4
@ DATASET_TYPE_IPV4
Definition: datasets.h:50
StringType::ptr
uint8_t * ptr
Definition: datasets-string.h:36
IPv6JsonFree
void IPv6JsonFree(void *s)
Definition: datasets-ipv6.c:75
StringType::json
DataJsonType json
Definition: datasets-string.h:34
THashShutdown
void THashShutdown(THashTableContext *ctx)
shutdown the flow engine
Definition: util-thash.c:354
DatasetTypes
DatasetTypes
Definition: datasets.h:45
Sha256StrJsonGetLength
uint32_t Sha256StrJsonGetLength(void *s)
Definition: datasets-sha256.c:83
THashData_::data
void * data
Definition: util-thash.h:92
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
Sha256Type
Definition: datasets-sha256.h:30
THashData_
Definition: util-thash.h:85
Dataset::remove_key
bool remove_key
Definition: datasets.h:61
Sha256StrJsonFree
void Sha256StrJsonFree(void *s)
Definition: datasets-sha256.c:75
DATASET_FORMAT_NDJSON
@ DATASET_FORMAT_NDJSON
Definition: datasets.h:42
DATASET_FORMAT_JSON
@ DATASET_FORMAT_JSON
Definition: datasets.h:41
suricata-common.h
SCStrndup
#define SCStrndup(s, n)
Definition: util-mem.h:59
datasets-context-json.h
FatalErrorOnInit
#define FatalErrorOnInit(...)
Fatal error IF we're starting up, and configured to consider errors to be fatal errors.
Definition: util-debug.h:526
StringCompare
bool StringCompare(void *a, void *b)
Definition: datasets-string.c:97
THashGetFromHash
struct THashDataGetResult THashGetFromHash(THashTableContext *ctx, void *data)
Definition: util-thash.c:637
DataJsonType
Definition: datasets-context-json.h:32
hashsize
#define hashsize(n)
Definition: util-hash-lookup3.h:40
THashLookupFromHash
THashData * THashLookupFromHash(THashTableContext *ctx, void *data)
look up data in the hash
Definition: util-thash.c:747
IPv4Type
Definition: datasets-ipv4.h:30
THashDecrUsecnt
#define THashDecrUsecnt(h)
Definition: util-thash.h:170
IPv4Compare
bool IPv4Compare(void *a, void *b)
Definition: datasets-ipv4.c:55
DatajsonCopyJson
int DatajsonCopyJson(DataJsonType *dst, DataJsonType *src)
Definition: datasets-context-json.c:54
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
IPv6Hash
uint32_t IPv6Hash(uint32_t hash_seed, void *s)
Definition: datasets-ipv6.c:64
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Sha256StrCompare
bool Sha256StrCompare(void *a, void *b)
Definition: datasets-sha256.c:55
DatajsonGet
Dataset * DatajsonGet(const char *name, enum DatasetTypes type, const char *load, uint64_t memcap, uint32_t hashsize, char *json_key_value, char *json_array_key, DatasetFormats format, bool remove_key)
Definition: datasets-context-json.c:652
StringHash
uint32_t StringHash(uint32_t hash_seed, void *s)
Definition: datasets-string.c:108
src
uint16_t src
Definition: app-layer-dnp3.h:5
DataJsonType::value
char * value
Definition: datasets-context-json.h:33
IPv6JsonSet
int IPv6JsonSet(void *dst, void *src)
Definition: datasets-ipv6.c:42
DATASET_TYPE_MD5
@ DATASET_TYPE_MD5
Definition: datasets.h:48
DATASET_TYPE_STRING
@ DATASET_TYPE_STRING
Definition: datasets.h:47
DatasetUnlock
void DatasetUnlock(void)
Definition: datasets.c:107
THashDataGetResult::is_new
bool is_new
Definition: util-thash.h:193
suricata.h
THashInit
THashTableContext * THashInit(const char *cnf_prefix, uint32_t data_size, int(*DataSet)(void *, void *), void(*DataFree)(void *), uint32_t(*DataHash)(uint32_t, void *), bool(*DataCompare)(void *, void *), bool(*DataExpired)(void *, SCTime_t), uint32_t(*DataSize)(void *), bool reset_memcap, uint64_t memcap, uint32_t hashsize)
Definition: util-thash.c:302
StringJsonSet
int StringJsonSet(void *dst, void *src)
Definition: datasets-string.c:81
IPv4Type::ipv4
uint8_t ipv4[4]
Definition: datasets-ipv4.h:31
Dataset
Definition: datasets.h:55
SC_MD5_LEN
#define SC_MD5_LEN
Definition: util-file.h:110
IPv6Type::json
DataJsonType json
Definition: datasets-ipv6.h:34
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:250
Md5StrJsonFree
void Md5StrJsonFree(void *s)
Definition: datasets-md5.c:76
Dataset::load
char load[PATH_MAX]
Definition: datasets.h:64
Sha256StrHash
uint32_t Sha256StrHash(uint32_t hash_seed, void *s)
Definition: datasets-sha256.c:63
SC_IPV4_LEN
#define SC_IPV4_LEN
Definition: util-ip.h:28
Md5StrJsonGetLength
uint32_t Md5StrJsonGetLength(void *s)
Definition: datasets-md5.c:84
DatajsonAddSerialized
int DatajsonAddSerialized(Dataset *set, const char *value, const char *json)
add serialized data to json set
Definition: datasets-context-json.c:896
DatasetAppendSet
int DatasetAppendSet(Dataset *set)
Definition: datasets.c:79
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
Md5StrJsonSet
int Md5StrJsonSet(void *dst, void *src)
Definition: datasets-md5.c:43
DatasetParseIpv6String
int DatasetParseIpv6String(Dataset *set, const char *line, struct in6_addr *in6)
Definition: datasets.c:156
DATAJSON_JSON_LENGTH
#define DATAJSON_JSON_LENGTH
Definition: datasets-context-json.h:30