suricata
log-tlslog.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Roliers Jean-Paul <popof.fpn@gmail.co>
22  * \author Eric Leblond <eric@regit.org>
23  * \author Victor Julien <victor@inliniac.net>
24  * \author Paulo Pacheco <fooinha@gmail.com>
25  *
26  * Implements TLS logging portion of the engine.
27  */
28 
29 #include "suricata-common.h"
30 #include "detect.h"
31 #include "pkt-var.h"
32 #include "conf.h"
33 
34 #include "threads.h"
35 #include "threadvars.h"
36 #include "tm-threads.h"
37 
38 #include "util-print.h"
39 #include "util-unittest.h"
40 
41 #include "util-debug.h"
42 
43 #include "output.h"
44 #include "log-tlslog.h"
45 #include "app-layer-ssl.h"
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 #include "util-privs.h"
49 #include "util-buffer.h"
50 
51 #include "util-logopenfile.h"
52 #include "util-time.h"
53 #include "log-cf-common.h"
54 
55 #define DEFAULT_LOG_FILENAME "tls.log"
56 
57 #define MODULE_NAME "LogTlsLog"
58 
59 #define PRINT_BUF_LEN 46
60 
61 #define OUTPUT_BUFFER_SIZE 65535
62 
63 #define LOG_TLS_DEFAULT 0
64 #define LOG_TLS_EXTENDED 1
65 #define LOG_TLS_CUSTOM 2
66 
67 #define LOG_TLS_SESSION_RESUMPTION 4
68 
69 #define LOG_TLS_CF_VERSION 'v'
70 #define LOG_TLS_CF_DATE_NOT_BEFORE 'd'
71 #define LOG_TLS_CF_DATE_NOT_AFTER 'D'
72 #define LOG_TLS_CF_SHA1 'f'
73 #define LOG_TLS_CF_SNI 'n'
74 #define LOG_TLS_CF_SUBJECT 's'
75 #define LOG_TLS_CF_ISSUER 'i'
76 #define LOG_TLS_CF_EXTENDED 'E'
77 
78 typedef struct LogTlsFileCtx_ {
80  uint32_t flags; /** Store mode */
83 
84 typedef struct LogTlsLogThread_ {
86 
87  /* LogTlsFileCtx has the pointer to the file and a mutex to allow
88  multithreading. */
89  uint32_t tls_cnt;
90 
93 
94 int TLSGetIPInformations(const Packet *p, char* srcip, size_t srcip_len,
95  Port* sp, char* dstip, size_t dstip_len, Port* dp,
96  int ipproto)
97 {
98  if ((PKT_IS_TOSERVER(p))) {
99  switch (ipproto) {
100  case AF_INET:
101  PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p),
102  srcip, srcip_len);
103  PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p),
104  dstip, dstip_len);
105  break;
106  case AF_INET6:
107  PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), srcip,
108  srcip_len);
109  PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), dstip,
110  dstip_len);
111  break;
112  default:
113  return 0;
114  }
115  *sp = p->sp;
116  *dp = p->dp;
117  } else {
118  switch (ipproto) {
119  case AF_INET:
120  PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p),
121  srcip, srcip_len);
122  PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p),
123  dstip, dstip_len);
124  break;
125  case AF_INET6:
126  PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), srcip,
127  srcip_len);
128  PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), dstip,
129  dstip_len);
130  break;
131  default:
132  return 0;
133  }
134  *sp = p->dp;
135  *dp = p->sp;
136  }
137  return 1;
138 }
139 
140 static TmEcode LogTlsLogThreadInit(ThreadVars *t, const void *initdata,
141  void **data)
142 {
143  LogTlsLogThread *aft = SCCalloc(1, sizeof(LogTlsLogThread));
144  if (unlikely(aft == NULL))
145  return TM_ECODE_FAILED;
146 
147  if (initdata == NULL) {
148  SCLogDebug("Error getting context for TLSLog. \"initdata\" argument NULL");
149  SCFree(aft);
150  return TM_ECODE_FAILED;
151  }
152 
154  if (aft->buffer == NULL) {
155  SCFree(aft);
156  return TM_ECODE_FAILED;
157  }
158 
159  /* Use the Output Context (file pointer and mutex) */
160  aft->tlslog_ctx = ((OutputCtx *) initdata)->data;
161 
162  *data = (void *)aft;
163  return TM_ECODE_OK;
164 }
165 
166 static TmEcode LogTlsLogThreadDeinit(ThreadVars *t, void *data)
167 {
168  LogTlsLogThread *aft = (LogTlsLogThread *)data;
169  if (aft == NULL) {
170  return TM_ECODE_OK;
171  }
172 
173  MemBufferFree(aft->buffer);
174  memset(aft, 0, sizeof(LogTlsLogThread));
175 
176  SCFree(aft);
177  return TM_ECODE_OK;
178 }
179 
180 static void LogTlsLogDeInitCtx(OutputCtx *output_ctx)
181 {
182  LogTlsFileCtx *tlslog_ctx = (LogTlsFileCtx *) output_ctx->data;
183  LogFileFreeCtx(tlslog_ctx->file_ctx);
184  LogCustomFormatFree(tlslog_ctx->cf);
185  SCFree(tlslog_ctx);
186  SCFree(output_ctx);
187 }
188 
189 static void LogTlsLogExitPrintStats(ThreadVars *tv, void *data)
190 {
191  LogTlsLogThread *aft = (LogTlsLogThread *)data;
192  if (aft == NULL) {
193  return;
194  }
195 
196  SCLogInfo("TLS logger logged %" PRIu32 " requests", aft->tls_cnt);
197 }
198 
199 /** \brief Create a new tls log LogFileCtx.
200  * \param conf Pointer to ConfNode containing this loggers configuration.
201  * \return NULL if failure, LogFileCtx* to the file_ctx if succesful
202  * */
203 static OutputInitResult LogTlsLogInitCtx(ConfNode *conf)
204 {
205  OutputInitResult result = { NULL, false };
206  LogFileCtx* file_ctx = LogFileNewCtx();
207 
208  if (file_ctx == NULL) {
209  SCLogError("LogTlsLogInitCtx: Couldn't "
210  "create new file_ctx");
211  return result;
212  }
213 
214  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
215  goto filectx_error;
216  }
217 
218  LogTlsFileCtx *tlslog_ctx = SCCalloc(1, sizeof(LogTlsFileCtx));
219  if (unlikely(tlslog_ctx == NULL)) {
220  goto filectx_error;
221  }
222  tlslog_ctx->file_ctx = file_ctx;
223 
224  const char *extended = ConfNodeLookupChildValue(conf, "extended");
225  const char *custom = ConfNodeLookupChildValue(conf, "custom");
226  const char *customformat = ConfNodeLookupChildValue(conf, "customformat");
227 
228  /* If custom logging format is selected, lets parse it */
229  if (custom != NULL && customformat != NULL && ConfValIsTrue(custom)) {
230  tlslog_ctx->cf = LogCustomFormatAlloc();
231  if (!tlslog_ctx->cf) {
232  goto tlslog_error;
233  }
234 
235  tlslog_ctx->flags |= LOG_TLS_CUSTOM;
236 
237  if (!LogCustomFormatParse(tlslog_ctx->cf, customformat)) {
238  goto parser_error;
239  }
240  } else {
241  if (extended == NULL) {
242  tlslog_ctx->flags |= LOG_TLS_DEFAULT;
243  } else {
244  if (ConfValIsTrue(extended)) {
245  tlslog_ctx->flags |= LOG_TLS_EXTENDED;
246  }
247  }
248  }
249 
250  const char *resumption = ConfNodeLookupChildValue(conf,
251  "session-resumption");
252  if (resumption == NULL || ConfValIsTrue(resumption)) {
253  tlslog_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
254  }
255 
256  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
257  if (unlikely(output_ctx == NULL)) {
258  goto tlslog_error;
259  }
260  output_ctx->data = tlslog_ctx;
261  output_ctx->DeInit = LogTlsLogDeInitCtx;
262 
263  SCLogDebug("TLS log output initialized");
264 
265  /* Enable the logger for the app layer */
267 
268  result.ctx = output_ctx;
269  result.ok = true;
270  return result;
271 
272 parser_error:
273  SCLogError("Syntax error in custom tls log "
274  "format string.");
275 tlslog_error:
276  LogCustomFormatFree(tlslog_ctx->cf);
277  SCFree(tlslog_ctx);
278 filectx_error:
279  LogFileFreeCtx(file_ctx);
280  return result;
281 }
282 
283 static void LogTlsLogVersion(MemBuffer *buffer, uint16_t version)
284 {
285  char ssl_version[SSL_VERSION_MAX_STRLEN];
286  SSLVersionToString(version, ssl_version);
287  MemBufferWriteString(buffer, "VERSION='%s'", ssl_version);
288 }
289 
290 static void LogTlsLogDate(MemBuffer *buffer, const char *title, int64_t *date)
291 {
292  char timebuf[64] = {0};
293  if (sc_x509_format_timestamp(*date, timebuf, sizeof(timebuf))) {
294  MemBufferWriteString(buffer, "%s='%s'", title, timebuf);
295  }
296 }
297 
298 static void LogTlsLogString(MemBuffer *buffer, const char *title,
299  const char *value)
300 {
301  MemBufferWriteString(buffer, "%s='%s'", title, value);
302 }
303 
304 static void LogTlsLogBasic(LogTlsLogThread *aft, SSLState *ssl_state, const SCTime_t ts,
305  char *srcip, Port sp, char *dstip, Port dp)
306 {
307  char timebuf[64];
308  CreateTimeString(ts, timebuf, sizeof(timebuf));
310  "%s %s:%d -> %s:%d TLS:",
311  timebuf, srcip, sp, dstip, dp);
312 
313  if (ssl_state->server_connp.cert0_subject != NULL) {
314  MemBufferWriteString(aft->buffer, " Subject='%s'",
315  ssl_state->server_connp.cert0_subject);
316  }
317 
318  if (ssl_state->server_connp.cert0_issuerdn != NULL) {
319  MemBufferWriteString(aft->buffer, " Issuerdn='%s'",
320  ssl_state->server_connp.cert0_issuerdn);
321  }
322 
323  if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
324  /* Only log a session as 'resumed' if a certificate has not
325  been seen. */
326  if ((ssl_state->server_connp.cert0_issuerdn == NULL) &&
327  (ssl_state->server_connp.cert0_subject == NULL) &&
328  (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
329  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
330  MemBufferWriteString(aft->buffer, " Session='resumed'");
331  }
332  }
333 }
334 
335 static void LogTlsLogExtended(LogTlsLogThread *aft, SSLState *ssl_state, const SCTime_t ts,
336  char *srcip, Port sp, char *dstip, Port dp)
337 {
338  if (ssl_state->server_connp.cert0_fingerprint != NULL) {
340  LogTlsLogString(aft->buffer, "SHA1",
341  ssl_state->server_connp.cert0_fingerprint);
342  }
343  if (ssl_state->client_connp.sni != NULL) {
345  LogTlsLogString(aft->buffer, "SNI", ssl_state->client_connp.sni);
346  }
347  if (ssl_state->server_connp.cert0_serial != NULL) {
349  LogTlsLogString(aft->buffer, "SERIAL",
350  ssl_state->server_connp.cert0_serial);
351  }
352 
354  LogTlsLogVersion(aft->buffer, ssl_state->server_connp.version);
355 
356  if (ssl_state->server_connp.cert0_not_before != 0) {
358  LogTlsLogDate(aft->buffer, "NOTBEFORE",
359  &ssl_state->server_connp.cert0_not_before);
360  }
361  if (ssl_state->server_connp.cert0_not_after != 0) {
363  LogTlsLogDate(aft->buffer, "NOTAFTER",
364  &ssl_state->server_connp.cert0_not_after);
365  }
366 }
367 
368 /* Custom format logging */
369 static void LogTlsLogCustom(LogTlsLogThread *aft, SSLState *ssl_state, const SCTime_t ts,
370  char *srcip, Port sp, char *dstip, Port dp)
371 {
372  LogTlsFileCtx *tlslog_ctx = aft->tlslog_ctx;
373  uint32_t i;
374  char buf[64];
375 
376  for (i = 0; i < tlslog_ctx->cf->cf_n; i++)
377  {
378  LogCustomFormatNode *node = tlslog_ctx->cf->cf_nodes[i];
379  if (!node) /* Should never happen */
380  continue;
381 
382  switch (node->type) {
383  case LOG_CF_LITERAL:
384  /* LITERAL */
385  MemBufferWriteString(aft->buffer, "%s", node->data);
386  break;
387  case LOG_CF_TIMESTAMP:
388  /* TIMESTAMP */
390  break;
391  case LOG_CF_TIMESTAMP_U:
392  /* TIMESTAMP USECONDS */
393  snprintf(buf, sizeof(buf), "%06u", (unsigned int)SCTIME_USECS(ts));
394  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
395  (uint8_t *)buf, MIN(strlen(buf), 6));
396  break;
397  case LOG_CF_CLIENT_IP:
398  /* CLIENT IP ADDRESS */
399  PrintRawUriBuf((char *)aft->buffer->buffer,
400  &aft->buffer->offset, aft->buffer->size,
401  (uint8_t *)srcip,strlen(srcip));
402  break;
403  case LOG_CF_SERVER_IP:
404  /* SERVER IP ADDRESS */
405  PrintRawUriBuf((char *)aft->buffer->buffer,
406  &aft->buffer->offset, aft->buffer->size,
407  (uint8_t *)dstip, strlen(dstip));
408  break;
409  case LOG_CF_CLIENT_PORT:
410  /* CLIENT PORT */
411  MemBufferWriteString(aft->buffer, "%" PRIu16 "", sp);
412  break;
413  case LOG_CF_SERVER_PORT:
414  /* SERVER PORT */
415  MemBufferWriteString(aft->buffer, "%" PRIu16 "", dp);
416  break;
417  case LOG_TLS_CF_VERSION:
418  LogTlsLogVersion(aft->buffer, ssl_state->server_connp.version);
419  break;
421  LogTlsLogDate(aft->buffer, "NOTBEFORE",
422  &ssl_state->server_connp.cert0_not_before);
423  break;
425  LogTlsLogDate(aft->buffer, "NOTAFTER",
426  &ssl_state->server_connp.cert0_not_after);
427  break;
428  case LOG_TLS_CF_SHA1:
429  if (ssl_state->server_connp.cert0_fingerprint != NULL) {
430  MemBufferWriteString(aft->buffer, "%s",
431  ssl_state->server_connp.cert0_fingerprint);
432  } else {
434  }
435  break;
436  case LOG_TLS_CF_SNI:
437  if (ssl_state->client_connp.sni != NULL) {
438  MemBufferWriteString(aft->buffer, "%s",
439  ssl_state->client_connp.sni);
440  } else {
442  }
443  break;
444  case LOG_TLS_CF_SUBJECT:
445  if (ssl_state->server_connp.cert0_subject != NULL) {
446  MemBufferWriteString(aft->buffer, "%s",
447  ssl_state->server_connp.cert0_subject);
448  } else {
450  }
451  break;
452  case LOG_TLS_CF_ISSUER:
453  if (ssl_state->server_connp.cert0_issuerdn != NULL) {
454  MemBufferWriteString(aft->buffer, "%s",
455  ssl_state->server_connp.cert0_issuerdn);
456  } else {
458  }
459  break;
460  case LOG_TLS_CF_EXTENDED:
461  /* Extended format */
462  LogTlsLogExtended(aft, ssl_state, ts, srcip, sp, dstip, dp);
463  break;
464  default:
465  /* NO MATCH */
467  SCLogDebug("No matching parameter %%%c for custom tls log.",
468  node->type);
469  break;
470  }
471  }
472 }
473 
474 
475 static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
476  Flow *f, void *state, void *tx, uint64_t tx_id)
477 {
478  LogTlsLogThread *aft = (LogTlsLogThread *)thread_data;
479  LogTlsFileCtx *hlog = aft->tlslog_ctx;
480  int ipproto = (PacketIsIPv4(p)) ? AF_INET : AF_INET6;
481 
482  SSLState *ssl_state = (SSLState *)state;
483  if (unlikely(ssl_state == NULL)) {
484  return 0;
485  }
486 
487  if (((hlog->flags & LOG_TLS_SESSION_RESUMPTION) == 0 ||
488  (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0) &&
489  (ssl_state->server_connp.cert0_issuerdn == NULL ||
490  ssl_state->server_connp.cert0_subject == NULL) &&
491  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
492  return 0;
493  }
494 
495  char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
496 
497  Port sp, dp;
498  if (!TLSGetIPInformations(p, srcip, PRINT_BUF_LEN, &sp, dstip,
499  PRINT_BUF_LEN, &dp, ipproto)) {
500  return 0;
501  }
502 
503  MemBufferReset(aft->buffer);
504 
505  if (hlog->flags & LOG_TLS_CUSTOM) {
506  LogTlsLogCustom(aft, ssl_state, p->ts, srcip, sp, dstip, dp);
507  } else if (hlog->flags & LOG_TLS_EXTENDED) {
508  LogTlsLogBasic(aft, ssl_state, p->ts, srcip, sp, dstip, dp);
509  LogTlsLogExtended(aft, ssl_state, p->ts, srcip, sp, dstip, dp);
510  } else {
511  LogTlsLogBasic(aft, ssl_state, p->ts, srcip, sp, dstip, dp);
512  }
513 
514  MemBufferWriteString(aft->buffer, "\n");
515 
516  aft->tls_cnt++;
517 
518  hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
519  MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx);
520 
521  return 0;
522 }
523 
525 {
527  LogTlsLogInitCtx, ALPROTO_TLS, LogTlsLogger, TLS_HANDSHAKE_DONE,
528  TLS_HANDSHAKE_DONE, LogTlsLogThreadInit, LogTlsLogThreadDeinit,
529  LogTlsLogExitPrintStats);
530 }
LogCustomFormatFree
void LogCustomFormatFree(LogCustomFormat *cf)
Frees memory held by a custom format.
Definition: log-cf-common.c:80
tm-threads.h
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:255
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:296
ts
uint64_t ts
Definition: source-erf-file.c:55
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
LOG_TLS_SESSION_RESUMPTION
#define LOG_TLS_SESSION_RESUMPTION
Definition: log-tlslog.c:67
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:314
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:659
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
LogTlsFileCtx_::flags
uint32_t flags
Definition: log-tlslog.c:80
OUTPUT_BUFFER_SIZE
#define OUTPUT_BUFFER_SIZE
Definition: log-tlslog.c:61
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-tlslog.c:55
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:315
SSLStateConnp_::cert0_not_before
int64_t cert0_not_before
Definition: app-layer-ssl.h:258
SSL_AL_FLAG_SESSION_RESUMED
#define SSL_AL_FLAG_SESSION_RESUMED
Definition: app-layer-ssl.h:116
threads.h
Flow_
Flow data structure.
Definition: flow.h:360
LogTlsLogRegister
void LogTlsLogRegister(void)
Definition: log-tlslog.c:524
SSL_AL_FLAG_STATE_SERVER_HELLO
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:99
LogTlsLogThread_::buffer
MemBuffer * buffer
Definition: log-tlslog.c:91
LogFileCtx_
Definition: util-logopenfile.h:72
LOG_CF_LITERAL
#define LOG_CF_LITERAL
Definition: log-cf-common.h:39
SSL_VERSION_MAX_STRLEN
#define SSL_VERSION_MAX_STRLEN
Definition: app-layer-ssl.h:154
LogTlsFileCtx_::file_ctx
LogFileCtx * file_ctx
Definition: log-tlslog.c:79
LOG_TLS_CUSTOM
#define LOG_TLS_CUSTOM
Definition: log-tlslog.c:65
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
util-privs.h
LogFileCtx_::Write
int(* Write)(const char *buffer, int buffer_len, struct LogFileCtx_ *fp)
Definition: util-logopenfile.h:87
SSLStateConnp_::sni
char * sni
Definition: app-layer-ssl.h:265
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
LogCustomFormatWriteTimestamp
void LogCustomFormatWriteTimestamp(MemBuffer *buffer, const char *fmt, const SCTime_t ts)
Writes a timestamp with given format into a MemBuffer.
Definition: log-cf-common.c:211
LOG_CF_CLIENT_PORT
#define LOG_CF_CLIENT_PORT
Definition: log-cf-common.h:44
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:209
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:256
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
OutputCtx_::data
void * data
Definition: tm-modules.h:88
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
OutputCtx_
Definition: tm-modules.h:85
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:452
SSLStateConnp_::cert0_not_after
int64_t cert0_not_after
Definition: app-layer-ssl.h:259
LogCustomFormat_::cf_n
uint32_t cf_n
Definition: log-cf-common.h:72
LogCustomFormatNode_
Definition: log-cf-common.h:64
PRINT_BUF_LEN
#define PRINT_BUF_LEN
Definition: log-tlslog.c:59
LOG_TLS_DEFAULT
#define LOG_TLS_DEFAULT
Definition: log-tlslog.c:63
LogCustomFormatNode_::type
uint32_t type
Definition: log-cf-common.h:65
LOG_TLS_CF_DATE_NOT_AFTER
#define LOG_TLS_CF_DATE_NOT_AFTER
Definition: log-tlslog.c:71
MODULE_NAME
#define MODULE_NAME
Definition: log-tlslog.c:57
LOG_TLS_CF_SUBJECT
#define LOG_TLS_CF_SUBJECT
Definition: log-tlslog.c:74
util-debug.h
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:204
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:243
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
Packet_::ts
SCTime_t ts
Definition: decode.h:530
LOG_CF_CLIENT_IP
#define LOG_CF_CLIENT_IP
Definition: log-cf-common.h:42
LOG_CF_TIMESTAMP
#define LOG_CF_TIMESTAMP
Definition: log-cf-common.h:40
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:457
LogTlsLogThread
struct LogTlsLogThread_ LogTlsLogThread
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:231
pkt-var.h
Packet_::sp
Port sp
Definition: decode.h:489
LOG_CF_SERVER_PORT
#define LOG_CF_SERVER_PORT
Definition: log-cf-common.h:45
SSLVersionToString
void SSLVersionToString(uint16_t version, char *buffer)
Definition: app-layer-ssl.c:346
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
log-tlslog.h
LOGGER_TLS
@ LOGGER_TLS
Definition: suricata-common.h:467
app-layer-parser.h
Packet_
Definition: decode.h:482
LOG_CF_TIMESTAMP_U
#define LOG_CF_TIMESTAMP_U
Definition: log-cf-common.h:41
conf.h
Port
uint16_t Port
Definition: decode.h:223
SCTime_t
Definition: util-time.h:40
TmEcode
TmEcode
Definition: tm-threads-common.h:83
LOG_CF_WRITE_UNKNOWN_VALUE
#define LOG_CF_WRITE_UNKNOWN_VALUE(buffer)
Definition: log-cf-common.h:57
MemBuffer_
Definition: util-buffer.h:27
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
LogCustomFormat_
Definition: log-cf-common.h:71
LOG_TLS_CF_VERSION
#define LOG_TLS_CF_VERSION
Definition: log-tlslog.c:69
LogCustomFormatNode_::data
char data[LOG_NODE_STRLEN]
Definition: log-cf-common.h:67
OutputInitResult_
Definition: output.h:46
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:203
LogTlsFileCtx
struct LogTlsFileCtx_ LogTlsFileCtx
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:91
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:81
version
uint8_t version
Definition: decode-gre.h:1
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:868
LogTlsLogThread_::tls_cnt
uint32_t tls_cnt
Definition: log-tlslog.c:89
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
threadvars.h
log-cf-common.h
LogTlsLogThread_::tlslog_ctx
LogTlsFileCtx * tlslog_ctx
Definition: log-tlslog.c:85
LOG_TLS_CF_SNI
#define LOG_TLS_CF_SNI
Definition: log-tlslog.c:73
TLS_HANDSHAKE_DONE
@ TLS_HANDSHAKE_DONE
Definition: app-layer-ssl.h:79
TLSGetIPInformations
int TLSGetIPInformations(const Packet *p, char *srcip, size_t srcip_len, Port *sp, char *dstip, size_t dstip_len, Port *dp, int ipproto)
Definition: log-tlslog.c:94
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:208
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
LOG_TLS_CF_DATE_NOT_BEFORE
#define LOG_TLS_CF_DATE_NOT_BEFORE
Definition: log-tlslog.c:70
util-buffer.h
LogCustomFormat_::cf_nodes
LogCustomFormatNode * cf_nodes[LOG_MAXN_NODES]
Definition: log-cf-common.h:73
OutputRegisterTxModuleWithProgress
void OutputRegisterTxModuleWithProgress(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module with progress.
Definition: output.c:363
LOG_CF_SERVER_IP
#define LOG_CF_SERVER_IP
Definition: log-cf-common.h:43
LOG_TLS_CF_ISSUER
#define LOG_TLS_CF_ISSUER
Definition: log-tlslog.c:75
LOG_CF_NONE
#define LOG_CF_NONE
Definition: log-cf-common.h:38
LOG_TLS_EXTENDED
#define LOG_TLS_EXTENDED
Definition: log-tlslog.c:64
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:125
PrintRawUriBuf
void PrintRawUriBuf(char *retbuf, uint32_t *offset, uint32_t retbuflen, uint8_t *buf, uint32_t buflen)
Definition: util-print.c:93
MemBuffer_::size
uint32_t size
Definition: util-buffer.h:28
MEMBUFFER_BUFFER
#define MEMBUFFER_BUFFER(mem_buffer)
Get the MemBuffers underlying buffer.
Definition: util-buffer.h:51
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:260
LogCustomFormatAlloc
LogCustomFormat * LogCustomFormatAlloc(void)
Creates a custom format.
Definition: log-cf-common.c:54
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
Packet_::dp
Port dp
Definition: decode.h:497
LOG_CF_WRITE_SPACE_SEPARATOR
#define LOG_CF_WRITE_SPACE_SEPARATOR(buffer)
Definition: log-cf-common.h:54
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LogTlsFileCtx_::cf
LogCustomFormat * cf
Definition: log-tlslog.c:81
SSLStateConnp_::cert0_serial
char * cert0_serial
Definition: app-layer-ssl.h:257
app-layer-ssl.h
LOG_TLS_CF_SHA1
#define LOG_TLS_CF_SHA1
Definition: log-tlslog.c:72
SSL_AL_FLAG_LOG_WITHOUT_CERT
#define SSL_AL_FLAG_LOG_WITHOUT_CERT
Definition: app-layer-ssl.h:123
CreateTimeString
void CreateTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:272
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
LOG_TLS_CF_EXTENDED
#define LOG_TLS_CF_EXTENDED
Definition: log-tlslog.c:76
output.h
LogTlsFileCtx_
Definition: log-tlslog.c:78
LogCustomFormatParse
int LogCustomFormatParse(LogCustomFormat *cf, const char *format)
Parses and saves format nodes for custom format.
Definition: log-cf-common.c:96
app-layer.h
SCTIME_USECS
#define SCTIME_USECS(t)
Definition: util-time.h:56
LogTlsLogThread_
Definition: log-tlslog.c:84
SSLState_::flags
uint32_t flags
Definition: app-layer-ssl.h:303
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:244
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:809