suricata
log-httplog.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Ignacio Sanchez <sanchezmartin.ji@gmail.com>
23  *
24  * Implements http logging portion of the engine.
25  */
26 
27 #include "suricata-common.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 
41 #include "output.h"
42 #include "log-httplog.h"
43 #include "app-layer-htp.h"
44 #include "app-layer-htp-libhtp.h"
45 #include "app-layer.h"
46 #include "app-layer-parser.h"
47 #include "util-privs.h"
48 #include "util-buffer.h"
49 
50 #include "util-logopenfile.h"
51 #include "util-time.h"
52 #include "log-cf-common.h"
53 
54 #define DEFAULT_LOG_FILENAME "http.log"
55 
56 #define MODULE_NAME "LogHttpLog"
57 
58 #define OUTPUT_BUFFER_SIZE 65535
59 
60 TmEcode LogHttpLogThreadInit(ThreadVars *, const void *, void **);
61 TmEcode LogHttpLogThreadDeinit(ThreadVars *, void *);
62 static void LogHttpLogDeInitCtx(OutputCtx *);
63 
64 int LogHttpLogger(ThreadVars *tv, void *thread_data, const Packet *, Flow *f, void *state, void *tx, uint64_t tx_id);
65 
66 void LogHttpLogRegister (void)
67 {
68  OutputRegisterTxModule(LOGGER_HTTP, MODULE_NAME, "http-log", LogHttpLogInitCtx, ALPROTO_HTTP1,
69  LogHttpLogger, LogHttpLogThreadInit, LogHttpLogThreadDeinit);
70 }
71 
72 #define LOG_HTTP_CF_REQUEST_HOST 'h'
73 #define LOG_HTTP_CF_REQUEST_PROTOCOL 'H'
74 #define LOG_HTTP_CF_REQUEST_METHOD 'm'
75 #define LOG_HTTP_CF_REQUEST_URI 'u'
76 #define LOG_HTTP_CF_REQUEST_HEADER 'i'
77 #define LOG_HTTP_CF_REQUEST_COOKIE 'C'
78 #define LOG_HTTP_CF_REQUEST_LEN 'b'
79 #define LOG_HTTP_CF_RESPONSE_STATUS 's'
80 #define LOG_HTTP_CF_RESPONSE_HEADER 'o'
81 #define LOG_HTTP_CF_RESPONSE_LEN 'B'
82 
83 
84 typedef struct LogHttpFileCtx_ {
85  LogFileCtx *file_ctx;
86  uint32_t flags; /** Store mode */
87  LogCustomFormat *cf;
88 } LogHttpFileCtx;
89 
90 #define LOG_HTTP_DEFAULT 0
91 #define LOG_HTTP_EXTENDED 1
92 #define LOG_HTTP_CUSTOM 2
93 
94 typedef struct LogHttpLogThread_ {
95  LogHttpFileCtx *httplog_ctx;
96  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
97  uint32_t uri_cnt;
98 
99  MemBuffer *buffer;
100 } LogHttpLogThread;
101 
102 /* Retrieves the selected cookie value */
103 static uint32_t GetCookieValue(uint8_t *rawcookies, uint32_t rawcookies_len, char *cookiename,
104  uint8_t **cookievalue)
105 {
106  uint8_t *p = rawcookies;
107  uint8_t *cn = p; /* ptr to cookie name start */
108  uint8_t *cv = NULL; /* ptr to cookie value start */
109  while (p < rawcookies + rawcookies_len) {
110  if (cv == NULL && *p == '=') {
111  cv = p + 1;
112  } else if (cv != NULL && (*p == ';' || p == rawcookies + rawcookies_len - 1) ) {
113  /* Found end of cookie */
114  p++;
115  if (strlen(cookiename) == (unsigned int) (cv-cn-1) &&
116  strncmp(cookiename, (char *) cn, cv-cn-1) == 0) {
117  *cookievalue = cv;
118  return (uint32_t) (p-cv);
119  }
120  cv = NULL;
121  cn = p + 1;
122  }
123  p++;
124  }
125  return 0;
126 }
127 
128 /* Custom format logging */
129 static void LogHttpLogCustom(LogHttpLogThread *aft, htp_tx_t *tx, const SCTime_t ts, char *srcip,
130  Port sp, char *dstip, Port dp)
131 {
132  LogHttpFileCtx *httplog_ctx = aft->httplog_ctx;
133  uint32_t i;
134  size_t datalen;
135  char buf[128];
136 
137  uint8_t *cvalue = NULL;
138  uint32_t cvalue_len = 0;
139 
140  htp_header_t *h_request_hdr;
141  htp_header_t *h_response_hdr;
142 
143  for (i = 0; i < httplog_ctx->cf->cf_n; i++) {
144  h_request_hdr = NULL;
145  h_response_hdr = NULL;
146 
147  LogCustomFormatNode * node = httplog_ctx->cf->cf_nodes[i];
148  if (! node) /* Should never happen */
149  continue;
150 
151  switch (node->type){
152  case LOG_CF_LITERAL:
153  /* LITERAL */
154  MemBufferWriteString(aft->buffer, "%s", node->data);
155  break;
156  case LOG_CF_TIMESTAMP:
157  /* TIMESTAMP */
158  LogCustomFormatWriteTimestamp(aft->buffer, node->data, ts);
159  break;
160  case LOG_CF_TIMESTAMP_U:
161  /* TIMESTAMP USECONDS */
162  snprintf(buf, sizeof(buf), "%06u", (unsigned int)SCTIME_USECS(ts));
163  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
164  (uint8_t *)buf, MIN(strlen(buf), 6));
165  break;
166  case LOG_CF_CLIENT_IP:
167  /* CLIENT IP ADDRESS */
168  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
169  aft->buffer->size, (uint8_t *)srcip,strlen(srcip));
170  break;
171  case LOG_CF_SERVER_IP:
172  /* SERVER IP ADDRESS */
173  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
174  aft->buffer->size, (uint8_t *)dstip,strlen(dstip));
175  break;
176  case LOG_CF_CLIENT_PORT:
177  /* CLIENT PORT */
178  MemBufferWriteString(aft->buffer, "%" PRIu16 "", sp);
179  break;
180  case LOG_CF_SERVER_PORT:
181  /* SERVER PORT */
182  MemBufferWriteString(aft->buffer, "%" PRIu16 "", dp);
183  break;
184  case LOG_HTTP_CF_REQUEST_METHOD:
185  /* METHOD */
186  if (htp_tx_request_method(tx) != NULL) {
187  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
188  (uint8_t *)bstr_ptr(htp_tx_request_method(tx)),
189  bstr_len(htp_tx_request_method(tx)));
190  } else {
191  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
192  }
193  break;
194  case LOG_HTTP_CF_REQUEST_URI:
195  /* URI */
196  if (htp_tx_request_uri(tx) != NULL) {
197  datalen = node->maxlen;
198  if (datalen == 0 || datalen > bstr_len(htp_tx_request_uri(tx))) {
199  datalen = bstr_len(htp_tx_request_uri(tx));
200  }
201  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
202  (uint8_t *)bstr_ptr(htp_tx_request_uri(tx)), datalen);
203  } else {
204  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
205  }
206  break;
207  case LOG_HTTP_CF_REQUEST_HOST:
208  /* HOSTNAME */
209  if (htp_tx_request_hostname(tx) != NULL) {
210  datalen = node->maxlen;
211  if (datalen == 0 || datalen > bstr_len(htp_tx_request_hostname(tx))) {
212  datalen = bstr_len(htp_tx_request_hostname(tx));
213  }
214  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
215  (uint8_t *)bstr_ptr(htp_tx_request_hostname(tx)), datalen);
216  } else {
217  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
218  }
219  break;
220  case LOG_HTTP_CF_REQUEST_PROTOCOL:
221  /* PROTOCOL */
222  if (htp_tx_request_protocol(tx) != NULL) {
223  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
224  (uint8_t *)bstr_ptr(htp_tx_request_protocol(tx)),
225  bstr_len(htp_tx_request_protocol(tx)));
226  } else {
227  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
228  }
229  break;
230  case LOG_HTTP_CF_REQUEST_HEADER:
231  /* REQUEST HEADER */
232  if (htp_tx_request_headers(tx) != NULL) {
233  h_request_hdr = htp_table_get_c(htp_tx_request_headers(tx), node->data);
234  }
235  if (h_request_hdr != NULL) {
236  datalen = node->maxlen;
237  if (datalen == 0 || datalen > bstr_len(h_request_hdr->value)) {
238  datalen = bstr_len(h_request_hdr->value);
239  }
240  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
241  aft->buffer->size, (uint8_t *)bstr_ptr(h_request_hdr->value),
242  datalen);
243  } else {
244  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
245  }
246  break;
247  case LOG_HTTP_CF_REQUEST_COOKIE:
248  /* REQUEST COOKIE */
249  if (htp_tx_request_headers(tx) != NULL) {
250  h_request_hdr = htp_table_get_c(htp_tx_request_headers(tx), "Cookie");
251  if (h_request_hdr != NULL) {
252  cvalue_len = GetCookieValue((uint8_t *)bstr_ptr(h_request_hdr->value),
253  (uint32_t)bstr_len(h_request_hdr->value), (char *)node->data, &cvalue);
254  }
255  }
256  if (cvalue_len > 0 && cvalue != NULL) {
257  datalen = node->maxlen;
258  if (datalen == 0 || datalen > cvalue_len) {
259  datalen = cvalue_len;
260  }
261  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
262  aft->buffer->size, cvalue, datalen);
263  } else {
264  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
265  }
266  break;
267  case LOG_HTTP_CF_REQUEST_LEN:
268  /* REQUEST LEN */
269  MemBufferWriteString(
270  aft->buffer, "%" PRIuMAX "", (uintmax_t)htp_tx_request_message_len(tx));
271  break;
272  case LOG_HTTP_CF_RESPONSE_STATUS:
273  /* RESPONSE STATUS */
274  if (htp_tx_response_status(tx) != NULL) {
275  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
276  (uint8_t *)bstr_ptr(htp_tx_response_status(tx)),
277  bstr_len(htp_tx_response_status(tx)));
278  } else {
279  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
280  }
281  break;
282  case LOG_HTTP_CF_RESPONSE_HEADER:
283  /* RESPONSE HEADER */
284  if (htp_tx_response_headers(tx) != NULL) {
285  h_response_hdr = htp_table_get_c(htp_tx_response_headers(tx), node->data);
286  }
287  if (h_response_hdr != NULL) {
288  datalen = node->maxlen;
289  if (datalen == 0 || datalen > bstr_len(h_response_hdr->value)) {
290  datalen = bstr_len(h_response_hdr->value);
291  }
292  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
293  aft->buffer->size, (uint8_t *)bstr_ptr(h_response_hdr->value),
294  datalen);
295  } else {
296  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
297  }
298  break;
299  case LOG_HTTP_CF_RESPONSE_LEN:
300  /* RESPONSE LEN */
301  MemBufferWriteString(
302  aft->buffer, "%" PRIuMAX "", (uintmax_t)htp_tx_response_message_len(tx));
303  break;
304  default:
305  /* NO MATCH */
306  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
307  SCLogDebug("No matching parameter %%%c for custom http log.", node->type);
308  break;
309  }
310  }
311  MemBufferWriteString(aft->buffer, "\n");
312 }
313 
314 static void LogHttpLogExtended(LogHttpLogThread *aft, htp_tx_t *tx)
315 {
316  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
317 
318  /* referer */
319  htp_header_t *h_referer = NULL;
320  if (htp_tx_request_headers(tx) != NULL) {
321  h_referer = htp_table_get_c(htp_tx_request_headers(tx), "referer");
322  }
323  if (h_referer != NULL) {
324  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
325  (uint8_t *)bstr_ptr(h_referer->value),
326  bstr_len(h_referer->value));
327  } else {
328  MemBufferWriteString(aft->buffer, "<no referer>");
329  }
330 
331  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
332 
333  /* method */
334  if (htp_tx_request_method(tx) != NULL) {
335  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
336  (uint8_t *)bstr_ptr(htp_tx_request_method(tx)),
337  bstr_len(htp_tx_request_method(tx)));
338  }
339  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
340 
341  /* protocol */
342  if (htp_tx_request_protocol(tx) != NULL) {
343  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
344  (uint8_t *)bstr_ptr(htp_tx_request_protocol(tx)),
345  bstr_len(htp_tx_request_protocol(tx)));
346  } else {
347  MemBufferWriteString(aft->buffer, "<no protocol>");
348  }
349  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
350 
351  /* response status */
352  if (htp_tx_response_status(tx) != NULL) {
353  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
354  (uint8_t *)bstr_ptr(htp_tx_response_status(tx)),
355  bstr_len(htp_tx_response_status(tx)));
356  /* Redirect? */
357  if ((htp_tx_response_status_number(tx) > 300) &&
358  ((htp_tx_response_status_number(tx)) < 303)) {
359  htp_header_t *h_location = htp_table_get_c(htp_tx_response_headers(tx), "location");
360  if (h_location != NULL) {
361  MemBufferWriteString(aft->buffer, " => ");
362 
363  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
364  (uint8_t *)bstr_ptr(h_location->value),
365  bstr_len(h_location->value));
366  }
367  }
368  } else {
369  MemBufferWriteString(aft->buffer, "<no status>");
370  }
371 
372  /* length */
373  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
374  MemBufferWriteString(
375  aft->buffer, "%" PRIuMAX " bytes", (uintmax_t)htp_tx_response_message_len(tx));
376 }
377 
378 static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, void *data, const Packet *p, Flow *f, HtpState *htp_state, htp_tx_t *tx, uint64_t tx_id, int ipproto)
379 {
380  SCEnter();
381 
382  LogHttpLogThread *aft = (LogHttpLogThread *)data;
383  LogHttpFileCtx *hlog = aft->httplog_ctx;
384  char timebuf[64];
385 
386  /* check if we have HTTP state or not */
387  CreateTimeString(p->ts, timebuf, sizeof(timebuf));
388 
389  char srcip[46], dstip[46];
390  Port sp, dp;
391  if ((PKT_IS_TOSERVER(p))) {
392  switch (ipproto) {
393  case AF_INET:
394  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
395  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
396  break;
397  case AF_INET6:
398  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
399  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
400  break;
401  default:
402  goto end;
403  }
404  sp = p->sp;
405  dp = p->dp;
406  } else {
407  switch (ipproto) {
408  case AF_INET:
409  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
410  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
411  break;
412  case AF_INET6:
413  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));
414  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));
415  break;
416  default:
417  goto end;
418  }
419  sp = p->dp;
420  dp = p->sp;
421  }
422 
423  SCLogDebug("got a HTTP request and now logging !!");
424 
425  /* reset */
426  MemBufferReset(aft->buffer);
427 
428  if (hlog->flags & LOG_HTTP_CUSTOM) {
429  LogHttpLogCustom(aft, tx, p->ts, srcip, sp, dstip, dp);
430  } else {
431  /* time */
432  MemBufferWriteString(aft->buffer, "%s ", timebuf);
433 
434  /* hostname */
435  if (htp_tx_request_hostname(tx) != NULL) {
436  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
437  (uint8_t *)bstr_ptr(htp_tx_request_hostname(tx)),
438  bstr_len(htp_tx_request_hostname(tx)));
439  } else {
440  MemBufferWriteString(aft->buffer, "<hostname unknown>");
441  }
442  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
443 
444  /* uri */
445  if (htp_tx_request_uri(tx) != NULL) {
446  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
447  (uint8_t *)bstr_ptr(htp_tx_request_uri(tx)), bstr_len(htp_tx_request_uri(tx)));
448  }
449  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
450 
451  /* user agent */
452  htp_header_t *h_user_agent = NULL;
453  if (htp_tx_request_headers(tx) != NULL) {
454  h_user_agent = htp_table_get_c(htp_tx_request_headers(tx), "user-agent");
455  }
456  if (h_user_agent != NULL) {
457  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
458  (uint8_t *)bstr_ptr(h_user_agent->value),
459  bstr_len(h_user_agent->value));
460  } else {
461  MemBufferWriteString(aft->buffer, "<useragent unknown>");
462  }
463  if (hlog->flags & LOG_HTTP_EXTENDED) {
464  LogHttpLogExtended(aft, tx);
465  }
466 
467  /* ip/tcp header info */
468  LOG_CF_WRITE_STAR_SEPARATOR(aft->buffer);
469  MemBufferWriteString(aft->buffer,
470  "%s:%" PRIu16 " -> %s:%" PRIu16 "\n",
471  srcip, sp, dstip, dp);
472  }
473 
474  aft->uri_cnt ++;
475 
476  hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
477  MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx);
478 
479 end:
480  SCReturnInt(0);
481 
482 }
483 
484 int LogHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
485 {
486  SCEnter();
487 
488  if (!(PacketIsTCP(p))) {
489  SCReturnInt(TM_ECODE_OK);
490  }
491 
492  int r = 0;
493  if (PacketIsIPv4(p)) {
494  r = LogHttpLogIPWrapper(tv, thread_data, p, f, (HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET);
495  } else if (PacketIsIPv6(p)) {
496  r = LogHttpLogIPWrapper(tv, thread_data, p, f, (HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET6);
497  }
498 
499  SCReturnInt(r);
500 }
501 
502 TmEcode LogHttpLogThreadInit(ThreadVars *t, const void *initdata, void **data)
503 {
504  LogHttpLogThread *aft = SCCalloc(1, sizeof(LogHttpLogThread));
505  if (unlikely(aft == NULL))
506  return TM_ECODE_FAILED;
507 
508  if(initdata == NULL)
509  {
510  SCLogDebug("Error getting context for LogHTTPLog. \"initdata\" argument NULL");
511  SCFree(aft);
512  return TM_ECODE_FAILED;
513  }
514 
515  aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
516  if (aft->buffer == NULL) {
517  SCFree(aft);
518  return TM_ECODE_FAILED;
519  }
520 
521  /* Use the Output Context (file pointer and mutex) */
522  aft->httplog_ctx= ((OutputCtx *)initdata)->data;
523 
524  *data = (void *)aft;
525  return TM_ECODE_OK;
526 }
527 
528 TmEcode LogHttpLogThreadDeinit(ThreadVars *t, void *data)
529 {
530  LogHttpLogThread *aft = (LogHttpLogThread *)data;
531  if (aft == NULL) {
532  return TM_ECODE_OK;
533  }
534 
535  MemBufferFree(aft->buffer);
536  /* clear memory */
537  memset(aft, 0, sizeof(LogHttpLogThread));
538 
539  SCFree(aft);
540  return TM_ECODE_OK;
541 }
542 
543 /** \brief Create a new http log LogFileCtx.
544  * \param conf Pointer to ConfNode containing this loggers configuration.
545  * \return NULL if failure, LogFileCtx* to the file_ctx if succesful
546  * */
547 OutputInitResult LogHttpLogInitCtx(ConfNode *conf)
548 {
549  SCLogWarning("The http-log output has been deprecated and will be removed in Suricata 9.0.");
550  OutputInitResult result = { NULL, false };
551  LogFileCtx* file_ctx = LogFileNewCtx();
552  if(file_ctx == NULL) {
553  SCLogError("couldn't create new file_ctx");
554  return result;
555  }
556 
557  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
558  LogFileFreeCtx(file_ctx);
559  return result;
560  }
561 
562  LogHttpFileCtx *httplog_ctx = SCCalloc(1, sizeof(LogHttpFileCtx));
563  if (unlikely(httplog_ctx == NULL)) {
564  LogFileFreeCtx(file_ctx);
565  return result;
566  }
567 
568  httplog_ctx->file_ctx = file_ctx;
569 
570  const char *extended = ConfNodeLookupChildValue(conf, "extended");
571  const char *custom = ConfNodeLookupChildValue(conf, "custom");
572  const char *customformat = ConfNodeLookupChildValue(conf, "customformat");
573 
574  /* If custom logging format is selected, lets parse it */
575  if (custom != NULL && customformat != NULL && ConfValIsTrue(custom)) {
576 
577  httplog_ctx->cf = LogCustomFormatAlloc();
578  if (!httplog_ctx->cf) {
579  goto errorfree;
580  }
581 
582  httplog_ctx->flags |= LOG_HTTP_CUSTOM;
583 
584  /* Parsing */
585  if ( ! LogCustomFormatParse(httplog_ctx->cf, customformat)) {
586  goto parsererror;
587  }
588  } else {
589  if (extended == NULL) {
590  httplog_ctx->flags |= LOG_HTTP_DEFAULT;
591  } else {
592  if (ConfValIsTrue(extended)) {
593  httplog_ctx->flags |= LOG_HTTP_EXTENDED;
594  }
595  }
596  }
597 
598  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
599  if (unlikely(output_ctx == NULL)) {
600  goto parsererror;
601  }
602 
603  output_ctx->data = httplog_ctx;
604  output_ctx->DeInit = LogHttpLogDeInitCtx;
605 
606  SCLogDebug("HTTP log output initialized");
607 
608  /* enable the logger for the app layer */
609  AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP1);
610 
611  result.ctx = output_ctx;
612  result.ok = true;
613  return result;
614 
615 parsererror:
616  SCLogError("Syntax error in custom http log format string.");
617 errorfree:
618  LogCustomFormatFree(httplog_ctx->cf);
619  LogFileFreeCtx(file_ctx);
620  SCFree(httplog_ctx);
621  return result;
622 
623 }
624 
625 static void LogHttpLogDeInitCtx(OutputCtx *output_ctx)
626 {
627  LogHttpFileCtx *httplog_ctx = (LogHttpFileCtx *)output_ctx->data;
628  LogCustomFormatFree(httplog_ctx->cf);
629  LogFileFreeCtx(httplog_ctx->file_ctx);
630  SCFree(httplog_ctx);
631  SCFree(output_ctx);
632 }
LogHttpLogThread
struct LogHttpLogThread_ LogHttpLogThread
LogCustomFormatFree
void LogCustomFormatFree(LogCustomFormat *cf)
Frees memory held by a custom format.
Definition: log-cf-common.c:80
tm-threads.h
LOG_HTTP_CF_RESPONSE_STATUS
#define LOG_HTTP_CF_RESPONSE_STATUS
Definition: log-httplog.c:79
ts
uint64_t ts
Definition: source-erf-file.c:55
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
LOG_HTTP_CF_RESPONSE_HEADER
#define LOG_HTTP_CF_RESPONSE_HEADER
Definition: log-httplog.c:80
htp_tx_request_uri
#define htp_tx_request_uri(tx)
Definition: app-layer-htp-libhtp.h:112
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
OUTPUT_BUFFER_SIZE
#define OUTPUT_BUFFER_SIZE
Definition: log-httplog.c:58
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:662
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
LOG_HTTP_EXTENDED
#define LOG_HTTP_EXTENDED
Definition: log-httplog.c:91
threads.h
Flow_
Flow data structure.
Definition: flow.h:357
LogFileCtx_
Definition: util-logopenfile.h:72
LOG_CF_LITERAL
#define LOG_CF_LITERAL
Definition: log-cf-common.h:39
htp_tx_request_protocol
#define htp_tx_request_protocol(tx)
Definition: app-layer-htp-libhtp.h:110
LogHttpLogInitCtx
OutputInitResult LogHttpLogInitCtx(ConfNode *conf)
Create a new http log LogFileCtx.
Definition: log-httplog.c:547
htp_tx_response_headers
#define htp_tx_response_headers(tx)
Definition: app-layer-htp-libhtp.h:114
LogHttpLogThread_::uri_cnt
uint32_t uri_cnt
Definition: log-httplog.c:97
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
util-privs.h
LogFileCtx_::Write
int(* Write)(const char *buffer, int buffer_len, struct LogFileCtx_ *fp)
Definition: util-logopenfile.h:87
htp_tx_request_message_len
#define htp_tx_request_message_len(tx)
Definition: app-layer-htp-libhtp.h:105
LOG_HTTP_CF_REQUEST_URI
#define LOG_HTTP_CF_REQUEST_URI
Definition: log-httplog.c:75
htp_tx_request_method
#define htp_tx_request_method(tx)
Definition: app-layer-htp-libhtp.h:106
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
LogCustomFormatWriteTimestamp
void LogCustomFormatWriteTimestamp(MemBuffer *buffer, const char *fmt, const SCTime_t ts)
Writes a timestamp with given format into a MemBuffer.
Definition: log-cf-common.c:211
htp_tx_response_status
#define htp_tx_response_status(tx)
Definition: app-layer-htp-libhtp.h:119
LOG_CF_CLIENT_PORT
#define LOG_CF_CLIENT_PORT
Definition: log-cf-common.h:44
OutputRegisterTxModule
void OutputRegisterTxModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Register a tx output module.
Definition: output.c:369
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:200
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
LOG_HTTP_CF_REQUEST_LEN
#define LOG_HTTP_CF_REQUEST_LEN
Definition: log-httplog.c:78
HtpState_
Definition: app-layer-htp.h:238
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
OutputCtx_
Definition: tm-modules.h:84
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:455
LogCustomFormat_::cf_n
uint32_t cf_n
Definition: log-cf-common.h:72
LogCustomFormatNode_
Definition: log-cf-common.h:64
LOGGER_HTTP
@ LOGGER_HTTP
Definition: suricata-common.h:464
LogHttpLogRegister
void LogHttpLogRegister(void)
Definition: log-httplog.c:66
LogCustomFormatNode_::type
uint32_t type
Definition: log-cf-common.h:65
htp_tx_request_headers
#define htp_tx_request_headers(tx)
Definition: app-layer-htp-libhtp.h:113
app-layer-htp.h
LOG_CF_WRITE_STAR_SEPARATOR
#define LOG_CF_WRITE_STAR_SEPARATOR(buffer)
Definition: log-cf-common.h:52
util-debug.h
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:195
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:234
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
Packet_::ts
SCTime_t ts
Definition: decode.h:524
LOG_CF_CLIENT_IP
#define LOG_CF_CLIENT_IP
Definition: log-cf-common.h:42
LOG_CF_TIMESTAMP
#define LOG_CF_TIMESTAMP
Definition: log-cf-common.h:40
LOG_HTTP_CF_REQUEST_HEADER
#define LOG_HTTP_CF_REQUEST_HEADER
Definition: log-httplog.c:76
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:466
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:230
pkt-var.h
LogHttpLogThreadInit
TmEcode LogHttpLogThreadInit(ThreadVars *, const void *, void **)
Definition: log-httplog.c:502
Packet_::sp
Port sp
Definition: decode.h:483
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-httplog.c:54
LOG_CF_SERVER_PORT
#define LOG_CF_SERVER_PORT
Definition: log-cf-common.h:45
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
htp_tx_request_hostname
#define htp_tx_request_hostname(tx)
Definition: app-layer-htp-libhtp.h:103
Packet_
Definition: decode.h:476
LOG_HTTP_CUSTOM
#define LOG_HTTP_CUSTOM
Definition: log-httplog.c:92
LOG_CF_TIMESTAMP_U
#define LOG_CF_TIMESTAMP_U
Definition: log-cf-common.h:41
LogHttpFileCtx_::file_ctx
LogFileCtx * file_ctx
Definition: log-httplog.c:85
conf.h
Port
uint16_t Port
Definition: decode.h:214
SCTime_t
Definition: util-time.h:40
TmEcode
TmEcode
Definition: tm-threads-common.h:79
LogCustomFormatNode_::maxlen
uint32_t maxlen
Definition: log-cf-common.h:66
LogHttpFileCtx_::cf
LogCustomFormat * cf
Definition: log-httplog.c:87
MemBuffer_
Definition: util-buffer.h:27
LogCustomFormat_
Definition: log-cf-common.h:71
PrintRawUriBuf
void PrintRawUriBuf(char *retbuf, uint32_t *offset, uint32_t retbuflen, uint8_t *buf, size_t buflen)
Definition: util-print.c:93
LogHttpLogThread_::buffer
MemBuffer * buffer
Definition: log-httplog.c:99
LogHttpLogThreadDeinit
TmEcode LogHttpLogThreadDeinit(ThreadVars *, void *)
Definition: log-httplog.c:528
LOG_HTTP_CF_REQUEST_METHOD
#define LOG_HTTP_CF_REQUEST_METHOD
Definition: log-httplog.c:74
LogCustomFormatNode_::data
char data[LOG_NODE_STRLEN]
Definition: log-cf-common.h:67
OutputInitResult_
Definition: output.h:46
LogHttpLogThread_
Definition: log-httplog.c:94
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:194
suricata-common.h
LOG_HTTP_CF_REQUEST_PROTOCOL
#define LOG_HTTP_CF_REQUEST_PROTOCOL
Definition: log-httplog.c:73
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
htp_tx_response_message_len
#define htp_tx_response_message_len(tx)
Definition: app-layer-htp-libhtp.h:118
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:86
LOG_HTTP_CF_REQUEST_HOST
#define LOG_HTTP_CF_REQUEST_HOST
Definition: log-httplog.c:72
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:875
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
log-httplog.h
threadvars.h
log-cf-common.h
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:199
app-layer-htp-libhtp.h
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
util-buffer.h
LogCustomFormat_::cf_nodes
LogCustomFormatNode * cf_nodes[LOG_MAXN_NODES]
Definition: log-cf-common.h:73
LOG_HTTP_DEFAULT
#define LOG_HTTP_DEFAULT
Definition: log-httplog.c:90
LOG_CF_SERVER_IP
#define LOG_CF_SERVER_IP
Definition: log-cf-common.h:43
LogHttpFileCtx
struct LogHttpFileCtx_ LogHttpFileCtx
LOG_HTTP_CF_RESPONSE_LEN
#define LOG_HTTP_CF_RESPONSE_LEN
Definition: log-httplog.c:81
LOG_CF_NONE
#define LOG_CF_NONE
Definition: log-cf-common.h:38
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:130
LogHttpLogThread_::httplog_ctx
LogHttpFileCtx * httplog_ctx
Definition: log-httplog.c:95
MemBuffer_::size
uint32_t size
Definition: util-buffer.h:28
MEMBUFFER_BUFFER
#define MEMBUFFER_BUFFER(mem_buffer)
Get the MemBuffers underlying buffer.
Definition: util-buffer.h:51
htp_tx_response_status_number
#define htp_tx_response_status_number(tx)
Definition: app-layer-htp-libhtp.h:120
LogCustomFormatAlloc
LogCustomFormat * LogCustomFormatAlloc(void)
Creates a custom format.
Definition: log-cf-common.c:54
LogHttpFileCtx_::flags
uint32_t flags
Definition: log-httplog.c:86
LogHttpLogger
int LogHttpLogger(ThreadVars *tv, void *thread_data, const Packet *, Flow *f, void *state, void *tx, uint64_t tx_id)
Definition: log-httplog.c:484
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
LogHttpFileCtx_
Definition: log-httplog.c:84
Packet_::dp
Port dp
Definition: decode.h:491
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
MODULE_NAME
#define MODULE_NAME
Definition: log-httplog.c:56
LOG_HTTP_CF_REQUEST_COOKIE
#define LOG_HTTP_CF_REQUEST_COOKIE
Definition: log-httplog.c:77
CreateTimeString
void CreateTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:272
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
LogCustomFormatParse
int LogCustomFormatParse(LogCustomFormat *cf, const char *format)
Parses and saves format nodes for custom format.
Definition: log-cf-common.c:96
app-layer.h
SCTIME_USECS
#define SCTIME_USECS(t)
Definition: util-time.h:56
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:809