suricata
log-httplog.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Ignacio Sanchez <sanchezmartin.ji@gmail.com>
23  *
24  * Implements http logging portion of the engine.
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "pkt-var.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "threadvars.h"
35 #include "tm-threads.h"
36 
37 #include "util-print.h"
38 #include "util-unittest.h"
39 
40 #include "util-debug.h"
41 
42 #include "output.h"
43 #include "log-httplog.h"
44 #include "app-layer-htp.h"
45 #include "app-layer.h"
46 #include "app-layer-parser.h"
47 #include "util-privs.h"
48 #include "util-buffer.h"
49 
50 #include "util-logopenfile.h"
51 #include "util-time.h"
52 #include "log-cf-common.h"
53 
54 #define DEFAULT_LOG_FILENAME "http.log"
55 
56 #define MODULE_NAME "LogHttpLog"
57 
58 #define OUTPUT_BUFFER_SIZE 65535
59 
60 TmEcode LogHttpLogThreadInit(ThreadVars *, const void *, void **);
61 TmEcode LogHttpLogThreadDeinit(ThreadVars *, void *);
62 static void LogHttpLogDeInitCtx(OutputCtx *);
63 
64 int LogHttpLogger(ThreadVars *tv, void *thread_data, const Packet *, Flow *f, void *state, void *tx, uint64_t tx_id);
65 
66 void LogHttpLogRegister (void)
67 {
68  OutputRegisterTxModule(LOGGER_HTTP, MODULE_NAME, "http-log", LogHttpLogInitCtx, ALPROTO_HTTP1,
69  LogHttpLogger, LogHttpLogThreadInit, LogHttpLogThreadDeinit, NULL);
70 }
71 
72 #define LOG_HTTP_CF_REQUEST_HOST 'h'
73 #define LOG_HTTP_CF_REQUEST_PROTOCOL 'H'
74 #define LOG_HTTP_CF_REQUEST_METHOD 'm'
75 #define LOG_HTTP_CF_REQUEST_URI 'u'
76 #define LOG_HTTP_CF_REQUEST_TIME 't'
77 #define LOG_HTTP_CF_REQUEST_HEADER 'i'
78 #define LOG_HTTP_CF_REQUEST_COOKIE 'C'
79 #define LOG_HTTP_CF_REQUEST_LEN 'b'
80 #define LOG_HTTP_CF_RESPONSE_STATUS 's'
81 #define LOG_HTTP_CF_RESPONSE_HEADER 'o'
82 #define LOG_HTTP_CF_RESPONSE_LEN 'B'
83 
84 
85 typedef struct LogHttpFileCtx_ {
86  LogFileCtx *file_ctx;
87  uint32_t flags; /** Store mode */
88  LogCustomFormat *cf;
89 } LogHttpFileCtx;
90 
91 #define LOG_HTTP_DEFAULT 0
92 #define LOG_HTTP_EXTENDED 1
93 #define LOG_HTTP_CUSTOM 2
94 
95 typedef struct LogHttpLogThread_ {
96  LogHttpFileCtx *httplog_ctx;
97  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
98  uint32_t uri_cnt;
99 
100  MemBuffer *buffer;
101 } LogHttpLogThread;
102 
103 /* Retrieves the selected cookie value */
104 static uint32_t GetCookieValue(uint8_t *rawcookies, uint32_t rawcookies_len, char *cookiename,
105  uint8_t **cookievalue)
106 {
107  uint8_t *p = rawcookies;
108  uint8_t *cn = p; /* ptr to cookie name start */
109  uint8_t *cv = NULL; /* ptr to cookie value start */
110  while (p < rawcookies + rawcookies_len) {
111  if (cv == NULL && *p == '=') {
112  cv = p + 1;
113  } else if (cv != NULL && (*p == ';' || p == rawcookies + rawcookies_len - 1) ) {
114  /* Found end of cookie */
115  p++;
116  if (strlen(cookiename) == (unsigned int) (cv-cn-1) &&
117  strncmp(cookiename, (char *) cn, cv-cn-1) == 0) {
118  *cookievalue = cv;
119  return (uint32_t) (p-cv);
120  }
121  cv = NULL;
122  cn = p + 1;
123  }
124  p++;
125  }
126  return 0;
127 }
128 
129 /* Custom format logging */
130 static void LogHttpLogCustom(LogHttpLogThread *aft, htp_tx_t *tx, const struct timeval *ts,
131  char *srcip, Port sp, char *dstip, Port dp)
132 {
133  LogHttpFileCtx *httplog_ctx = aft->httplog_ctx;
134  uint32_t i;
135  uint32_t datalen;
136  char buf[128];
137 
138  uint8_t *cvalue = NULL;
139  uint32_t cvalue_len = 0;
140 
141  htp_header_t *h_request_hdr;
142  htp_header_t *h_response_hdr;
143 
144  for (i = 0; i < httplog_ctx->cf->cf_n; i++) {
145  h_request_hdr = NULL;
146  h_response_hdr = NULL;
147 
148  LogCustomFormatNode * node = httplog_ctx->cf->cf_nodes[i];
149  if (! node) /* Should never happen */
150  continue;
151 
152  switch (node->type){
153  case LOG_CF_LITERAL:
154  /* LITERAL */
155  MemBufferWriteString(aft->buffer, "%s", node->data);
156  break;
157  case LOG_CF_TIMESTAMP:
158  /* TIMESTAMP */
159  LogCustomFormatWriteTimestamp(aft->buffer, node->data, ts);
160  break;
161  case LOG_CF_TIMESTAMP_U:
162  /* TIMESTAMP USECONDS */
163  snprintf(buf, sizeof(buf), "%06u", (unsigned int) ts->tv_usec);
164  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
165  aft->buffer->size, (uint8_t *)buf, MIN(strlen(buf),6));
166  break;
167  case LOG_CF_CLIENT_IP:
168  /* CLIENT IP ADDRESS */
169  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
170  aft->buffer->size, (uint8_t *)srcip,strlen(srcip));
171  break;
172  case LOG_CF_SERVER_IP:
173  /* SERVER IP ADDRESS */
174  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
175  aft->buffer->size, (uint8_t *)dstip,strlen(dstip));
176  break;
177  case LOG_CF_CLIENT_PORT:
178  /* CLIENT PORT */
179  MemBufferWriteString(aft->buffer, "%" PRIu16 "", sp);
180  break;
181  case LOG_CF_SERVER_PORT:
182  /* SERVER PORT */
183  MemBufferWriteString(aft->buffer, "%" PRIu16 "", dp);
184  break;
185  case LOG_HTTP_CF_REQUEST_METHOD:
186  /* METHOD */
187  if (tx->request_method != NULL) {
188  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
189  aft->buffer->size, (uint8_t *)bstr_ptr(tx->request_method),
190  bstr_len(tx->request_method));
191  } else {
192  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
193  }
194  break;
195  case LOG_HTTP_CF_REQUEST_URI:
196  /* URI */
197  if (tx->request_uri != NULL) {
198  datalen = node->maxlen;
199  if (datalen == 0 || datalen > bstr_len(tx->request_uri)) {
200  datalen = bstr_len(tx->request_uri);
201  }
202  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
203  aft->buffer->size, (uint8_t *)bstr_ptr(tx->request_uri),
204  datalen);
205  } else {
206  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
207  }
208  break;
209  case LOG_HTTP_CF_REQUEST_HOST:
210  /* HOSTNAME */
211  if (tx->request_hostname != NULL)
212  {
213  datalen = node->maxlen;
214  if (datalen == 0 || datalen > bstr_len(tx->request_hostname)) {
215  datalen = bstr_len(tx->request_hostname);
216  }
217  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
218  aft->buffer->size, (uint8_t *)bstr_ptr(tx->request_hostname),
219  datalen);
220  } else {
221  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
222  }
223  break;
224  case LOG_HTTP_CF_REQUEST_PROTOCOL:
225  /* PROTOCOL */
226  if (tx->request_protocol != NULL) {
227  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
228  aft->buffer->size, (uint8_t *)bstr_ptr(tx->request_protocol),
229  bstr_len(tx->request_protocol));
230  } else {
231  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
232  }
233  break;
234  case LOG_HTTP_CF_REQUEST_HEADER:
235  /* REQUEST HEADER */
236  if (tx->request_headers != NULL) {
237  h_request_hdr = htp_table_get_c(tx->request_headers, node->data);
238  }
239  if (h_request_hdr != NULL) {
240  datalen = node->maxlen;
241  if (datalen == 0 || datalen > bstr_len(h_request_hdr->value)) {
242  datalen = bstr_len(h_request_hdr->value);
243  }
244  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
245  aft->buffer->size, (uint8_t *)bstr_ptr(h_request_hdr->value),
246  datalen);
247  } else {
248  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
249  }
250  break;
251  case LOG_HTTP_CF_REQUEST_COOKIE:
252  /* REQUEST COOKIE */
253  if (tx->request_headers != NULL) {
254  h_request_hdr = htp_table_get_c(tx->request_headers, "Cookie");
255  if (h_request_hdr != NULL) {
256  cvalue_len = GetCookieValue((uint8_t *) bstr_ptr(h_request_hdr->value),
257  bstr_len(h_request_hdr->value), (char *) node->data,
258  &cvalue);
259  }
260  }
261  if (cvalue_len > 0 && cvalue != NULL) {
262  datalen = node->maxlen;
263  if (datalen == 0 || datalen > cvalue_len) {
264  datalen = cvalue_len;
265  }
266  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
267  aft->buffer->size, cvalue, datalen);
268  } else {
269  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
270  }
271  break;
272  case LOG_HTTP_CF_REQUEST_LEN:
273  /* REQUEST LEN */
274  MemBufferWriteString(aft->buffer, "%"PRIuMAX"", (uintmax_t)tx->request_message_len);
275  break;
276  case LOG_HTTP_CF_RESPONSE_STATUS:
277  /* RESPONSE STATUS */
278  if (tx->response_status != NULL) {
279  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
280  aft->buffer->size, (uint8_t *)bstr_ptr(tx->response_status),
281  bstr_len(tx->response_status));
282  } else {
283  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
284  }
285  break;
286  case LOG_HTTP_CF_RESPONSE_HEADER:
287  /* RESPONSE HEADER */
288  if (tx->response_headers != NULL) {
289  h_response_hdr = htp_table_get_c(tx->response_headers,
290  node->data);
291  }
292  if (h_response_hdr != NULL) {
293  datalen = node->maxlen;
294  if (datalen == 0 || datalen > bstr_len(h_response_hdr->value)) {
295  datalen = bstr_len(h_response_hdr->value);
296  }
297  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
298  aft->buffer->size, (uint8_t *)bstr_ptr(h_response_hdr->value),
299  datalen);
300  } else {
301  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
302  }
303  break;
304  case LOG_HTTP_CF_RESPONSE_LEN:
305  /* RESPONSE LEN */
306  MemBufferWriteString(aft->buffer, "%"PRIuMAX"", (uintmax_t)tx->response_message_len);
307  break;
308  default:
309  /* NO MATCH */
310  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
311  SCLogDebug("No matching parameter %%%c for custom http log.", node->type);
312  break;
313  }
314  }
315  MemBufferWriteString(aft->buffer, "\n");
316 }
317 
318 static void LogHttpLogExtended(LogHttpLogThread *aft, htp_tx_t *tx)
319 {
320  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
321 
322  /* referer */
323  htp_header_t *h_referer = NULL;
324  if (tx->request_headers != NULL) {
325  h_referer = htp_table_get_c(tx->request_headers, "referer");
326  }
327  if (h_referer != NULL) {
328  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
329  (uint8_t *)bstr_ptr(h_referer->value),
330  bstr_len(h_referer->value));
331  } else {
332  MemBufferWriteString(aft->buffer, "<no referer>");
333  }
334 
335  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
336 
337  /* method */
338  if (tx->request_method != NULL) {
339  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
340  (uint8_t *)bstr_ptr(tx->request_method),
341  bstr_len(tx->request_method));
342  }
343  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
344 
345  /* protocol */
346  if (tx->request_protocol != NULL) {
347  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
348  (uint8_t *)bstr_ptr(tx->request_protocol),
349  bstr_len(tx->request_protocol));
350  } else {
351  MemBufferWriteString(aft->buffer, "<no protocol>");
352  }
353  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
354 
355  /* response status */
356  if (tx->response_status != NULL) {
357  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
358  (uint8_t *)bstr_ptr(tx->response_status),
359  bstr_len(tx->response_status));
360  /* Redirect? */
361  if ((tx->response_status_number > 300) && ((tx->response_status_number) < 303)) {
362  htp_header_t *h_location = htp_table_get_c(tx->response_headers, "location");
363  if (h_location != NULL) {
364  MemBufferWriteString(aft->buffer, " => ");
365 
366  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
367  (uint8_t *)bstr_ptr(h_location->value),
368  bstr_len(h_location->value));
369  }
370  }
371  } else {
372  MemBufferWriteString(aft->buffer, "<no status>");
373  }
374 
375  /* length */
376  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
377  MemBufferWriteString(aft->buffer, "%"PRIuMAX" bytes", (uintmax_t)tx->response_message_len);
378 }
379 
380 static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, void *data, const Packet *p, Flow *f, HtpState *htp_state, htp_tx_t *tx, uint64_t tx_id, int ipproto)
381 {
382  SCEnter();
383 
384  LogHttpLogThread *aft = (LogHttpLogThread *)data;
385  LogHttpFileCtx *hlog = aft->httplog_ctx;
386  char timebuf[64];
387 
388  /* check if we have HTTP state or not */
389  CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
390 
391  char srcip[46], dstip[46];
392  Port sp, dp;
393  if ((PKT_IS_TOSERVER(p))) {
394  switch (ipproto) {
395  case AF_INET:
396  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
397  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
398  break;
399  case AF_INET6:
400  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
401  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
402  break;
403  default:
404  goto end;
405  }
406  sp = p->sp;
407  dp = p->dp;
408  } else {
409  switch (ipproto) {
410  case AF_INET:
411  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
412  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
413  break;
414  case AF_INET6:
415  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));
416  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));
417  break;
418  default:
419  goto end;
420  }
421  sp = p->dp;
422  dp = p->sp;
423  }
424 
425  SCLogDebug("got a HTTP request and now logging !!");
426 
427  /* reset */
428  MemBufferReset(aft->buffer);
429 
430  if (hlog->flags & LOG_HTTP_CUSTOM) {
431  LogHttpLogCustom(aft, tx, &p->ts, srcip, sp, dstip, dp);
432  } else {
433  /* time */
434  MemBufferWriteString(aft->buffer, "%s ", timebuf);
435 
436  /* hostname */
437  if (tx->request_hostname != NULL) {
438  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
439  (uint8_t *)bstr_ptr(tx->request_hostname),
440  bstr_len(tx->request_hostname));
441  } else {
442  MemBufferWriteString(aft->buffer, "<hostname unknown>");
443  }
444  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
445 
446  /* uri */
447  if (tx->request_uri != NULL) {
448  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
449  (uint8_t *)bstr_ptr(tx->request_uri),
450  bstr_len(tx->request_uri));
451  }
452  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
453 
454  /* user agent */
455  htp_header_t *h_user_agent = NULL;
456  if (tx->request_headers != NULL) {
457  h_user_agent = htp_table_get_c(tx->request_headers, "user-agent");
458  }
459  if (h_user_agent != NULL) {
460  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
461  (uint8_t *)bstr_ptr(h_user_agent->value),
462  bstr_len(h_user_agent->value));
463  } else {
464  MemBufferWriteString(aft->buffer, "<useragent unknown>");
465  }
466  if (hlog->flags & LOG_HTTP_EXTENDED) {
467  LogHttpLogExtended(aft, tx);
468  }
469 
470  /* ip/tcp header info */
471  LOG_CF_WRITE_STAR_SEPATATOR(aft->buffer);
472  MemBufferWriteString(aft->buffer,
473  "%s:%" PRIu16 " -> %s:%" PRIu16 "\n",
474  srcip, sp, dstip, dp);
475  }
476 
477  aft->uri_cnt ++;
478 
479  hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
480  MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx);
481 
482 end:
483  SCReturnInt(0);
484 
485 }
486 
487 int LogHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
488 {
489  SCEnter();
490 
491  if (!(PKT_IS_TCP(p))) {
492  SCReturnInt(TM_ECODE_OK);
493  }
494 
495  int r = 0;
496  if (PKT_IS_IPV4(p)) {
497  r = LogHttpLogIPWrapper(tv, thread_data, p, f, (HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET);
498  } else if (PKT_IS_IPV6(p)) {
499  r = LogHttpLogIPWrapper(tv, thread_data, p, f, (HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET6);
500  }
501 
502  SCReturnInt(r);
503 }
504 
505 TmEcode LogHttpLogThreadInit(ThreadVars *t, const void *initdata, void **data)
506 {
507  LogHttpLogThread *aft = SCMalloc(sizeof(LogHttpLogThread));
508  if (unlikely(aft == NULL))
509  return TM_ECODE_FAILED;
510  memset(aft, 0, sizeof(LogHttpLogThread));
511 
512  if(initdata == NULL)
513  {
514  SCLogDebug("Error getting context for LogHTTPLog. \"initdata\" argument NULL");
515  SCFree(aft);
516  return TM_ECODE_FAILED;
517  }
518 
519  aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
520  if (aft->buffer == NULL) {
521  SCFree(aft);
522  return TM_ECODE_FAILED;
523  }
524 
525  /* Use the Ouptut Context (file pointer and mutex) */
526  aft->httplog_ctx= ((OutputCtx *)initdata)->data;
527 
528  *data = (void *)aft;
529  return TM_ECODE_OK;
530 }
531 
532 TmEcode LogHttpLogThreadDeinit(ThreadVars *t, void *data)
533 {
534  LogHttpLogThread *aft = (LogHttpLogThread *)data;
535  if (aft == NULL) {
536  return TM_ECODE_OK;
537  }
538 
539  MemBufferFree(aft->buffer);
540  /* clear memory */
541  memset(aft, 0, sizeof(LogHttpLogThread));
542 
543  SCFree(aft);
544  return TM_ECODE_OK;
545 }
546 
547 /** \brief Create a new http log LogFileCtx.
548  * \param conf Pointer to ConfNode containing this loggers configuration.
549  * \return NULL if failure, LogFileCtx* to the file_ctx if succesful
550  * */
551 OutputInitResult LogHttpLogInitCtx(ConfNode *conf)
552 {
553  OutputInitResult result = { NULL, false };
554  LogFileCtx* file_ctx = LogFileNewCtx();
555  if(file_ctx == NULL) {
556  SCLogError(SC_ERR_HTTP_LOG_GENERIC, "couldn't create new file_ctx");
557  return result;
558  }
559 
560  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
561  LogFileFreeCtx(file_ctx);
562  return result;
563  }
564 
565  LogHttpFileCtx *httplog_ctx = SCMalloc(sizeof(LogHttpFileCtx));
566  if (unlikely(httplog_ctx == NULL)) {
567  LogFileFreeCtx(file_ctx);
568  return result;
569  }
570  memset(httplog_ctx, 0x00, sizeof(LogHttpFileCtx));
571 
572  httplog_ctx->file_ctx = file_ctx;
573 
574  const char *extended = ConfNodeLookupChildValue(conf, "extended");
575  const char *custom = ConfNodeLookupChildValue(conf, "custom");
576  const char *customformat = ConfNodeLookupChildValue(conf, "customformat");
577 
578  /* If custom logging format is selected, lets parse it */
579  if (custom != NULL && customformat != NULL && ConfValIsTrue(custom)) {
580 
581  httplog_ctx->cf = LogCustomFormatAlloc();
582  if (!httplog_ctx->cf) {
583  goto errorfree;
584  }
585 
586  httplog_ctx->flags |= LOG_HTTP_CUSTOM;
587 
588  /* Parsing */
589  if ( ! LogCustomFormatParse(httplog_ctx->cf, customformat)) {
590  goto parsererror;
591  }
592  } else {
593  if (extended == NULL) {
594  httplog_ctx->flags |= LOG_HTTP_DEFAULT;
595  } else {
596  if (ConfValIsTrue(extended)) {
597  httplog_ctx->flags |= LOG_HTTP_EXTENDED;
598  }
599  }
600  }
601 
602  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
603  if (unlikely(output_ctx == NULL)) {
604  goto parsererror;
605  }
606 
607  output_ctx->data = httplog_ctx;
608  output_ctx->DeInit = LogHttpLogDeInitCtx;
609 
610  SCLogDebug("HTTP log output initialized");
611 
612  /* enable the logger for the app layer */
613  AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP1);
614 
615  result.ctx = output_ctx;
616  result.ok = true;
617  return result;
618 
619 parsererror:
620  SCLogError(SC_ERR_INVALID_ARGUMENT,"Syntax error in custom http log format string.");
621 errorfree:
622  LogCustomFormatFree(httplog_ctx->cf);
623  LogFileFreeCtx(file_ctx);
624  SCFree(httplog_ctx);
625  return result;
626 
627 }
628 
629 static void LogHttpLogDeInitCtx(OutputCtx *output_ctx)
630 {
631  LogHttpFileCtx *httplog_ctx = (LogHttpFileCtx *)output_ctx->data;
632  LogCustomFormatFree(httplog_ctx->cf);
633  LogFileFreeCtx(httplog_ctx->file_ctx);
634  SCFree(httplog_ctx);
635  SCFree(output_ctx);
636 }
LogHttpLogThread
struct LogHttpLogThread_ LogHttpLogThread
LogCustomFormatFree
void LogCustomFormatFree(LogCustomFormat *cf)
Frees memory held by a custom format.
Definition: log-cf-common.c:78
tm-threads.h
LOG_HTTP_CF_RESPONSE_STATUS
#define LOG_HTTP_CF_RESPONSE_STATUS
Definition: log-httplog.c:80
ts
uint64_t ts
Definition: source-erf-file.c:54
LOG_HTTP_CF_RESPONSE_HEADER
#define LOG_HTTP_CF_RESPONSE_HEADER
Definition: log-httplog.c:81
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:260
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
OUTPUT_BUFFER_SIZE
#define OUTPUT_BUFFER_SIZE
Definition: log-httplog.c:58
LOG_CF_WRITE_STAR_SEPATATOR
#define LOG_CF_WRITE_STAR_SEPATATOR(buffer)
Definition: log-cf-common.h:53
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:637
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
LOG_HTTP_EXTENDED
#define LOG_HTTP_EXTENDED
Definition: log-httplog.c:92
threads.h
LogCustomFormatAlloc
LogCustomFormat * LogCustomFormatAlloc()
Creates a custom format.
Definition: log-cf-common.c:52
Flow_
Flow data structure.
Definition: flow.h:353
LogFileCtx_
Definition: util-logopenfile.h:64
LOG_CF_LITERAL
#define LOG_CF_LITERAL
Definition: log-cf-common.h:40
LogHttpLogInitCtx
OutputInitResult LogHttpLogInitCtx(ConfNode *conf)
Create a new http log LogFileCtx.
Definition: log-httplog.c:551
LogHttpLogThread_::uri_cnt
uint32_t uri_cnt
Definition: log-httplog.c:98
OutputRegisterTxModule
void OutputRegisterTxModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module.
Definition: output.c:398
MIN
#define MIN(x, y)
Definition: suricata-common.h:368
util-privs.h
LogFileCtx_::Write
int(* Write)(const char *buffer, int buffer_len, struct LogFileCtx_ *fp)
Definition: util-logopenfile.h:80
LOG_HTTP_CF_REQUEST_URI
#define LOG_HTTP_CF_REQUEST_URI
Definition: log-httplog.c:75
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
LOG_CF_CLIENT_PORT
#define LOG_CF_CLIENT_PORT
Definition: log-cf-common.h:45
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:228
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
LOG_HTTP_CF_REQUEST_LEN
#define LOG_HTTP_CF_REQUEST_LEN
Definition: log-httplog.c:79
HtpState_
Definition: app-layer-htp.h:248
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
OutputCtx_
Definition: tm-modules.h:78
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:423
LogCustomFormat_::cf_n
uint32_t cf_n
Definition: log-cf-common.h:74
LogCustomFormatNode_
Definition: log-cf-common.h:66
LOGGER_HTTP
@ LOGGER_HTTP
Definition: suricata-common.h:436
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:261
LogHttpLogRegister
void LogHttpLogRegister(void)
Definition: log-httplog.c:66
LogCustomFormatNode_::type
uint32_t type
Definition: log-cf-common.h:67
app-layer-htp.h
util-debug.h
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:223
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:265
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:44
LOG_CF_CLIENT_IP
#define LOG_CF_CLIENT_IP
Definition: log-cf-common.h:43
LOG_CF_TIMESTAMP
#define LOG_CF_TIMESTAMP
Definition: log-cf-common.h:41
LOG_HTTP_CF_REQUEST_HEADER
#define LOG_HTTP_CF_REQUEST_HEADER
Definition: log-httplog.c:77
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:455
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:272
pkt-var.h
LogHttpLogThreadInit
TmEcode LogHttpLogThreadInit(ThreadVars *, const void *, void **)
Definition: log-httplog.c:505
Packet_::sp
Port sp
Definition: decode.h:421
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-httplog.c:54
LOG_CF_SERVER_PORT
#define LOG_CF_SERVER_PORT
Definition: log-cf-common.h:46
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:45
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
Packet_
Definition: decode.h:414
LOG_HTTP_CUSTOM
#define LOG_HTTP_CUSTOM
Definition: log-httplog.c:93
LOG_CF_TIMESTAMP_U
#define LOG_CF_TIMESTAMP_U
Definition: log-cf-common.h:42
LogHttpFileCtx_::file_ctx
LogFileCtx * file_ctx
Definition: log-httplog.c:86
conf.h
Port
uint16_t Port
Definition: decode.h:243
TmEcode
TmEcode
Definition: tm-threads-common.h:79
CreateTimeString
void CreateTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:275
LogCustomFormatNode_::maxlen
uint32_t maxlen
Definition: log-cf-common.h:68
LogHttpFileCtx_::cf
LogCustomFormat * cf
Definition: log-httplog.c:88
MemBuffer_
Definition: util-buffer.h:27
LogCustomFormat_
Definition: log-cf-common.h:73
LogHttpLogThread_::buffer
MemBuffer * buffer
Definition: log-httplog.c:100
SC_ERR_HTTP_LOG_GENERIC
@ SC_ERR_HTTP_LOG_GENERIC
Definition: util-error.h:125
LogHttpLogThreadDeinit
TmEcode LogHttpLogThreadDeinit(ThreadVars *, void *)
Definition: log-httplog.c:532
LOG_HTTP_CF_REQUEST_METHOD
#define LOG_HTTP_CF_REQUEST_METHOD
Definition: log-httplog.c:74
LogCustomFormatNode_::data
char data[LOG_NODE_STRLEN]
Definition: log-cf-common.h:69
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
OutputInitResult_
Definition: output.h:43
LogHttpLogThread_
Definition: log-httplog.c:95
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:222
Packet_::ts
struct timeval ts
Definition: decode.h:457
suricata-common.h
LOG_HTTP_CF_REQUEST_PROTOCOL
#define LOG_HTTP_CF_REQUEST_PROTOCOL
Definition: log-httplog.c:73
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
MemBufferWriteString
#define MemBufferWriteString(dst,...)
Write a string buffer to the Membuffer dst.
Definition: util-buffer.h:162
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
LOG_HTTP_CF_REQUEST_HOST
#define LOG_HTTP_CF_REQUEST_HOST
Definition: log-httplog.c:72
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:817
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
log-httplog.h
threadvars.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
log-cf-common.h
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:227
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
util-buffer.h
LogCustomFormat_::cf_nodes
LogCustomFormatNode * cf_nodes[LOG_MAXN_NODES]
Definition: log-cf-common.h:75
LOG_HTTP_DEFAULT
#define LOG_HTTP_DEFAULT
Definition: log-httplog.c:91
LOG_CF_SERVER_IP
#define LOG_CF_SERVER_IP
Definition: log-cf-common.h:44
LogHttpFileCtx
struct LogHttpFileCtx_ LogHttpFileCtx
LOG_HTTP_CF_RESPONSE_LEN
#define LOG_HTTP_CF_RESPONSE_LEN
Definition: log-httplog.c:82
LOG_CF_NONE
#define LOG_CF_NONE
Definition: log-cf-common.h:39
LogHttpLogThread_::httplog_ctx
LogHttpFileCtx * httplog_ctx
Definition: log-httplog.c:96
PrintRawUriBuf
void PrintRawUriBuf(char *retbuf, uint32_t *offset, uint32_t retbuflen, uint8_t *buf, uint32_t buflen)
Definition: util-print.c:118
MemBuffer_::size
uint32_t size
Definition: util-buffer.h:29
MEMBUFFER_BUFFER
#define MEMBUFFER_BUFFER(mem_buffer)
Get the MemBuffers underlying buffer.
Definition: util-buffer.h:50
LogCustomFormatWriteTimestamp
void LogCustomFormatWriteTimestamp(MemBuffer *buffer, const char *fmt, const struct timeval *ts)
Writes a timestamp with given format into a MemBuffer.
Definition: log-cf-common.c:209
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
LogHttpFileCtx_::flags
uint32_t flags
Definition: log-httplog.c:87
LogHttpLogger
int LogHttpLogger(ThreadVars *tv, void *thread_data, const Packet *, Flow *f, void *state, void *tx, uint64_t tx_id)
Definition: log-httplog.c:487
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:55
LogHttpFileCtx_
Definition: log-httplog.c:85
Packet_::dp
Port dp
Definition: decode.h:429
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
MODULE_NAME
#define MODULE_NAME
Definition: log-httplog.c:56
LOG_HTTP_CF_REQUEST_COOKIE
#define LOG_HTTP_CF_REQUEST_COOKIE
Definition: log-httplog.c:78
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:259
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h
LogCustomFormatParse
int LogCustomFormatParse(LogCustomFormat *cf, const char *format)
Parses and saves format nodes for custom format.
Definition: log-cf-common.c:94
app-layer.h
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:842