suricata
log-tlslog.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Roliers Jean-Paul <popof.fpn@gmail.co>
22  * \author Eric Leblond <eric@regit.org>
23  * \author Victor Julien <victor@inliniac.net>
24  * \author Paulo Pacheco <fooinha@gmail.com>
25  *
26  * Implements TLS logging portion of the engine. The TLS logger is
27  * implemented as a packet logger, as the TLS parser is not transaction
28  * aware.
29  */
30 
31 #include "suricata-common.h"
32 #include "debug.h"
33 #include "detect.h"
34 #include "pkt-var.h"
35 #include "conf.h"
36 
37 #include "threads.h"
38 #include "threadvars.h"
39 #include "tm-threads.h"
40 
41 #include "util-print.h"
42 #include "util-unittest.h"
43 
44 #include "util-debug.h"
45 
46 #include "output.h"
47 #include "log-tlslog.h"
48 #include "app-layer-ssl.h"
49 #include "app-layer.h"
50 #include "app-layer-parser.h"
51 #include "util-privs.h"
52 #include "util-buffer.h"
53 
54 #include "util-logopenfile.h"
55 #include "util-crypt.h"
56 #include "util-time.h"
57 #include "log-cf-common.h"
58 
59 #define DEFAULT_LOG_FILENAME "tls.log"
60 
61 #define MODULE_NAME "LogTlsLog"
62 
63 #define OUTPUT_BUFFER_SIZE 65535
64 #define CERT_ENC_BUFFER_SIZE 2048
65 
66 #define LOG_TLS_DEFAULT 0
67 #define LOG_TLS_EXTENDED 1
68 #define LOG_TLS_CUSTOM 2
69 #define LOG_TLS_SESSION_RESUMPTION 4
70 
71 #define LOG_TLS_CF_VERSION 'v'
72 #define LOG_TLS_CF_DATE_NOT_BEFORE 'd'
73 #define LOG_TLS_CF_DATE_NOT_AFTER 'D'
74 #define LOG_TLS_CF_SHA1 'f'
75 #define LOG_TLS_CF_SNI 'n'
76 #define LOG_TLS_CF_SUBJECT 's'
77 #define LOG_TLS_CF_ISSUER 'i'
78 #define LOG_TLS_CF_EXTENDED 'E'
79 
80 typedef struct LogTlsFileCtx_ {
81  LogFileCtx *file_ctx;
82  uint32_t flags; /** Store mode */
83  LogCustomFormat *cf;
84 } LogTlsFileCtx;
85 
86 typedef struct LogTlsLogThread_ {
87  LogTlsFileCtx *tlslog_ctx;
88 
89  /** LogTlsFileCtx has the pointer to the file and a mutex to allow multithreading */
90  uint32_t tls_cnt;
91 
92  MemBuffer *buffer;
93 } LogTlsLogThread;
94 
95 static void LogTlsLogVersion(MemBuffer *buffer, uint16_t version)
96 {
97  char ssl_version[SSL_VERSION_MAX_STRLEN];
98  SSLVersionToString(version, ssl_version);
99  MemBufferWriteString(buffer, "VERSION='%s'", ssl_version);
100 }
101 
102 static void LogTlsLogDate(MemBuffer *buffer, const char *title, time_t *date)
103 {
104  char timebuf[64] = {0};
105  struct timeval tv;
106  tv.tv_sec = *date;
107  tv.tv_usec = 0;
108  CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf));
109  MemBufferWriteString(buffer, "%s='%s'", title, timebuf);
110 }
111 
112 static void LogTlsLogString(MemBuffer *buffer, const char *title, const char *value)
113 {
114  MemBufferWriteString(buffer, "%s='%s'", title, value);
115 }
116 
117 static void LogTlsLogExtended(LogTlsLogThread *aft, SSLState * state)
118 {
119  if (state->server_connp.cert0_fingerprint != NULL) {
120  LOG_CF_WRITE_SPACE_SEPARATOR(aft->buffer);
121  LogTlsLogString(aft->buffer, "SHA1", state->server_connp.cert0_fingerprint);
122  }
123  if (state->client_connp.sni != NULL) {
124  LOG_CF_WRITE_SPACE_SEPARATOR(aft->buffer);
125  LogTlsLogString(aft->buffer, "SNI", state->client_connp.sni);
126  }
127  if (state->server_connp.cert0_serial != NULL) {
128  LOG_CF_WRITE_SPACE_SEPARATOR(aft->buffer);
129  LogTlsLogString(aft->buffer, "SERIAL", state->server_connp.cert0_serial);
130  }
131 
132  LOG_CF_WRITE_SPACE_SEPARATOR(aft->buffer);
133  LogTlsLogVersion(aft->buffer, state->server_connp.version);
134 
135  if (state->server_connp.cert0_not_before != 0) {
136  LOG_CF_WRITE_SPACE_SEPARATOR(aft->buffer);
137  LogTlsLogDate(aft->buffer, "NOTBEFORE", &state->server_connp.cert0_not_before);
138  }
139  if (state->server_connp.cert0_not_after != 0) {
140  LOG_CF_WRITE_SPACE_SEPARATOR(aft->buffer);
141  LogTlsLogDate(aft->buffer, "NOTAFTER", &state->server_connp.cert0_not_after);
142  }
143 }
144 
145 int TLSGetIPInformations(const Packet *p, char* srcip, size_t srcip_len,
146  Port* sp, char* dstip, size_t dstip_len,
147  Port* dp, int ipproto)
148 {
149  if ((PKT_IS_TOSERVER(p))) {
150  switch (ipproto) {
151  case AF_INET:
152  PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), srcip, srcip_len);
153  PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), dstip, dstip_len);
154  break;
155  case AF_INET6:
156  PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), srcip, srcip_len);
157  PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), dstip, dstip_len);
158  break;
159  default:
160  return 0;
161  }
162  *sp = p->sp;
163  *dp = p->dp;
164  } else {
165  switch (ipproto) {
166  case AF_INET:
167  PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), srcip, srcip_len);
168  PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), dstip, dstip_len);
169  break;
170  case AF_INET6:
171  PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), srcip, srcip_len);
172  PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), dstip, dstip_len);
173  break;
174  default:
175  return 0;
176  }
177  *sp = p->dp;
178  *dp = p->sp;
179  }
180  return 1;
181 }
182 
183 static TmEcode LogTlsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
184 {
185  LogTlsLogThread *aft = SCMalloc(sizeof(LogTlsLogThread));
186  if (unlikely(aft == NULL))
187  return TM_ECODE_FAILED;
188  memset(aft, 0, sizeof(LogTlsLogThread));
189 
190  if (initdata == NULL) {
191  SCLogDebug( "Error getting context for TLSLog. \"initdata\" argument NULL");
192  SCFree(aft);
193  return TM_ECODE_FAILED;
194  }
195 
196  aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
197  if (aft->buffer == NULL) {
198  SCFree(aft);
199  return TM_ECODE_FAILED;
200  }
201 
202  /* Use the Ouptut Context (file pointer and mutex) */
203  aft->tlslog_ctx = ((OutputCtx *) initdata)->data;
204 
205  *data = (void *) aft;
206  return TM_ECODE_OK;
207 }
208 
209 static TmEcode LogTlsLogThreadDeinit(ThreadVars *t, void *data)
210 {
211  LogTlsLogThread *aft = (LogTlsLogThread *) data;
212  if (aft == NULL) {
213  return TM_ECODE_OK;
214  }
215 
216  MemBufferFree(aft->buffer);
217  /* clear memory */
218  memset(aft, 0, sizeof(LogTlsLogThread));
219 
220  SCFree(aft);
221  return TM_ECODE_OK;
222 }
223 
224 static void LogTlsLogDeInitCtx(OutputCtx *output_ctx)
225 {
226  LogTlsFileCtx *tlslog_ctx = (LogTlsFileCtx *) output_ctx->data;
227  LogFileFreeCtx(tlslog_ctx->file_ctx);
228  LogCustomFormatFree(tlslog_ctx->cf);
229  SCFree(tlslog_ctx);
230  SCFree(output_ctx);
231 }
232 
233 static void LogTlsLogExitPrintStats(ThreadVars *tv, void *data)
234 {
235  LogTlsLogThread *aft = (LogTlsLogThread *) data;
236  if (aft == NULL) {
237  return;
238  }
239 
240  SCLogInfo("TLS logger logged %" PRIu32 " requests", aft->tls_cnt);
241 }
242 
243 /** \brief Create a new tls log LogFileCtx.
244  * \param conf Pointer to ConfNode containing this loggers configuration.
245  * \return NULL if failure, LogFileCtx* to the file_ctx if succesful
246  * */
247 static OutputInitResult LogTlsLogInitCtx(ConfNode *conf)
248 {
249  OutputInitResult result = { NULL, false };
250  LogFileCtx* file_ctx = LogFileNewCtx();
251 
252  if (file_ctx == NULL) {
253  SCLogError(SC_ERR_TLS_LOG_GENERIC, "LogTlsLogInitCtx: Couldn't "
254  "create new file_ctx");
255  return result;
256  }
257 
258  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
259  goto filectx_error;
260  }
261 
262  LogTlsFileCtx *tlslog_ctx = SCCalloc(1, sizeof(LogTlsFileCtx));
263  if (unlikely(tlslog_ctx == NULL))
264  goto filectx_error;
265  tlslog_ctx->file_ctx = file_ctx;
266 
267  const char *extended = ConfNodeLookupChildValue(conf, "extended");
268  const char *custom = ConfNodeLookupChildValue(conf, "custom");
269  const char *customformat = ConfNodeLookupChildValue(conf, "customformat");
270 
271  /* If custom logging format is selected, lets parse it */
272  if (custom != NULL && customformat != NULL && ConfValIsTrue(custom)) {
273  tlslog_ctx->cf = LogCustomFormatAlloc();
274  if (!tlslog_ctx->cf) {
275  goto tlslog_error;
276  }
277 
278  tlslog_ctx->flags |= LOG_TLS_CUSTOM;
279  /* Parsing */
280  if ( ! LogCustomFormatParse(tlslog_ctx->cf, customformat)) {
281  goto parser_error;
282  }
283  } else {
284  if (extended == NULL) {
285  tlslog_ctx->flags |= LOG_TLS_DEFAULT;
286  } else {
287  if (ConfValIsTrue(extended)) {
288  tlslog_ctx->flags |= LOG_TLS_EXTENDED;
289  }
290  }
291  }
292 
293  const char *session_resumption = ConfNodeLookupChildValue(conf, "session-resumption");
294  if (session_resumption == NULL || ConfValIsTrue(session_resumption)) {
295  tlslog_ctx->flags |= LOG_TLS_SESSION_RESUMPTION;
296  }
297 
298  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
299  if (unlikely(output_ctx == NULL))
300  goto tlslog_error;
301  output_ctx->data = tlslog_ctx;
302  output_ctx->DeInit = LogTlsLogDeInitCtx;
303 
304  SCLogDebug("TLS log output initialized");
305 
306  /* enable the logger for the app layer */
307  AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
308 
309  result.ctx = output_ctx;
310  result.ok = true;
311  return result;
312 parser_error:
313  SCLogError(SC_ERR_INVALID_ARGUMENT,"Syntax error in custom tls log format string.");
314 tlslog_error:
315  LogCustomFormatFree(tlslog_ctx->cf);
316  SCFree(tlslog_ctx);
317 filectx_error:
318  LogFileFreeCtx(file_ctx);
319  return result;
320 }
321 
322 /* Custom format logging */
323 static void LogTlsLogCustom(LogTlsLogThread *aft, SSLState *ssl_state, const struct timeval *ts,
324  char *srcip, Port sp, char *dstip, Port dp)
325 {
326  LogTlsFileCtx *tlslog_ctx = aft->tlslog_ctx;
327  uint32_t i;
328  char buf[64];
329 
330  for (i = 0; i < tlslog_ctx->cf->cf_n; i++) {
331 
332  LogCustomFormatNode * node = tlslog_ctx->cf->cf_nodes[i];
333  if (! node) /* Should never happen */
334  continue;
335 
336  switch (node->type){
337  case LOG_CF_LITERAL:
338  /* LITERAL */
339  MemBufferWriteString(aft->buffer, "%s", node->data);
340  break;
341  case LOG_CF_TIMESTAMP:
342  /* TIMESTAMP */
343  LogCustomFormatWriteTimestamp(aft->buffer, node->data, ts);
344  break;
345  case LOG_CF_TIMESTAMP_U:
346  /* TIMESTAMP USECONDS */
347  snprintf(buf, sizeof(buf), "%06u", (unsigned int) ts->tv_usec);
348  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
349  aft->buffer->size, (uint8_t *)buf, MIN(strlen(buf),6));
350  break;
351  case LOG_CF_CLIENT_IP:
352  /* CLIENT IP ADDRESS */
353  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
354  aft->buffer->size, (uint8_t *)srcip,strlen(srcip));
355  break;
356  case LOG_CF_SERVER_IP:
357  /* SERVER IP ADDRESS */
358  PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
359  aft->buffer->size, (uint8_t *)dstip,strlen(dstip));
360  break;
361  case LOG_CF_CLIENT_PORT:
362  /* CLIENT PORT */
363  MemBufferWriteString(aft->buffer, "%" PRIu16 "", sp);
364  break;
365  case LOG_CF_SERVER_PORT:
366  /* SERVER PORT */
367  MemBufferWriteString(aft->buffer, "%" PRIu16 "", dp);
368  break;
369  case LOG_TLS_CF_VERSION:
370  LogTlsLogVersion(aft->buffer, ssl_state->server_connp.version);
371  break;
372  case LOG_TLS_CF_DATE_NOT_BEFORE:
373  LogTlsLogDate(aft->buffer, "NOTBEFORE", &ssl_state->server_connp.cert0_not_before);
374  break;
375  case LOG_TLS_CF_DATE_NOT_AFTER:
376  LogTlsLogDate(aft->buffer, "NOTAFTER", &ssl_state->server_connp.cert0_not_after);
377  break;
378  case LOG_TLS_CF_SHA1:
379  if (ssl_state->server_connp.cert0_fingerprint != NULL) {
380  MemBufferWriteString(aft->buffer, "%s",
381  ssl_state->server_connp.cert0_fingerprint);
382  } else {
383  LOG_CF_WRITE_UNKNOWN_VALUE(aft->buffer);
384  }
385  break;
386  case LOG_TLS_CF_SNI:
387  if (ssl_state->client_connp.sni != NULL) {
388  MemBufferWriteString(aft->buffer, "%s",
389  ssl_state->client_connp.sni);
390  } else {
391  LOG_CF_WRITE_UNKNOWN_VALUE(aft->buffer);
392  }
393  break;
394  case LOG_TLS_CF_SUBJECT:
395  if (ssl_state->server_connp.cert0_subject != NULL) {
396  MemBufferWriteString(aft->buffer, "%s",
397  ssl_state->server_connp.cert0_subject);
398  } else {
399  LOG_CF_WRITE_UNKNOWN_VALUE(aft->buffer);
400  }
401  break;
402  case LOG_TLS_CF_ISSUER:
403  if (ssl_state->server_connp.cert0_issuerdn != NULL) {
404  MemBufferWriteString(aft->buffer, "%s",
405  ssl_state->server_connp.cert0_issuerdn);
406  } else {
407  LOG_CF_WRITE_UNKNOWN_VALUE(aft->buffer);
408  }
409  break;
410  case LOG_TLS_CF_EXTENDED:
411  /* Extended format */
412  LogTlsLogExtended(aft, ssl_state);
413  break;
414  default:
415  /* NO MATCH */
416  MemBufferWriteString(aft->buffer, LOG_CF_NONE);
417  SCLogDebug("No matching parameter %%%c for custom tls log.", node->type);
418  break;
419  }
420  }
421  MemBufferWriteString(aft->buffer, "\n");
422 }
423 
424 
425 static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
426  Flow *f, void *state, void *tx, uint64_t tx_id)
427 {
428  LogTlsLogThread *aft = (LogTlsLogThread *)thread_data;
429  LogTlsFileCtx *hlog = aft->tlslog_ctx;
430  char timebuf[64];
431  int ipproto = (PKT_IS_IPV4(p)) ? AF_INET : AF_INET6;
432 
433  SSLState *ssl_state = (SSLState *)state;
434  if (unlikely(ssl_state == NULL)) {
435  return 0;
436  }
437 
438  if (((hlog->flags & LOG_TLS_SESSION_RESUMPTION) == 0 ||
439  (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0) &&
440  (ssl_state->server_connp.cert0_issuerdn == NULL ||
441  ssl_state->server_connp.cert0_subject == NULL) &&
442  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
443  return 0;
444  }
445 
446 #define PRINT_BUF_LEN 46
447  char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
448  Port sp, dp;
449  if (!TLSGetIPInformations(p, srcip, PRINT_BUF_LEN, &sp, dstip,
450  PRINT_BUF_LEN, &dp, ipproto)) {
451  return 0;
452  }
453 
454  /* Custom format */
455  if (hlog->flags & LOG_TLS_CUSTOM) {
456  LogTlsLogCustom(aft, ssl_state, &p->ts, srcip, sp, dstip, dp);
457  } else {
458 
459  MemBufferReset(aft->buffer);
460  CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
461  MemBufferWriteString(aft->buffer,
462  "%s %s:%d -> %s:%d TLS:",
463  timebuf, srcip, sp, dstip, dp);
464 
465  if (ssl_state->server_connp.cert0_subject != NULL) {
466  MemBufferWriteString(aft->buffer, " Subject='%s'",
467  ssl_state->server_connp.cert0_subject);
468  }
469  if (ssl_state->server_connp.cert0_issuerdn != NULL) {
470  MemBufferWriteString(aft->buffer, " Issuerdn='%s'",
471  ssl_state->server_connp.cert0_issuerdn);
472  }
473  if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
474  /* Only log a session as 'resumed' if a certificate has not
475  been seen. */
476  if ((ssl_state->server_connp.cert0_issuerdn == NULL) &&
477  (ssl_state->server_connp.cert0_subject == NULL) &&
478  (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
479  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
480  MemBufferWriteString(aft->buffer, " Session='resumed'");
481  }
482  }
483 
484  if (hlog->flags & LOG_TLS_EXTENDED) {
485  LogTlsLogExtended(aft, ssl_state);
486  MemBufferWriteString(aft->buffer, "\n");
487  } else {
488  MemBufferWriteString(aft->buffer, "\n");
489  }
490  }
491 
492  aft->tls_cnt++;
493 
494  hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
495  MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx);
496 
497  return 0;
498 }
499 
500 void LogTlsLogRegister(void)
501 {
502  OutputRegisterTxModuleWithProgress(LOGGER_TLS, MODULE_NAME, "tls-log",
503  LogTlsLogInitCtx, ALPROTO_TLS, LogTlsLogger, TLS_HANDSHAKE_DONE,
504  TLS_HANDSHAKE_DONE, LogTlsLogThreadInit, LogTlsLogThreadDeinit,
505  LogTlsLogExitPrintStats);
506 }
LOG_TLS_CF_DATE_NOT_AFTER
#define LOG_TLS_CF_DATE_NOT_AFTER
Definition: log-tlslog.c:73
LogTlsLogThread
struct LogTlsLogThread_ LogTlsLogThread
SSL_AL_FLAG_SESSION_RESUMED
#define SSL_AL_FLAG_SESSION_RESUMED
Definition: app-layer-ssl.h:104
LogTlsFileCtx_::flags
uint32_t flags
Definition: log-tlslog.c:82
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:212
SSL_AL_FLAG_STATE_SERVER_HELLO
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:84
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:195
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
SSLStateConnp_::cert0_not_before
time_t cert0_not_before
Definition: app-layer-ssl.h:198
SSLState_::flags
uint32_t flags
Definition: app-layer-ssl.h:227
LogCustomFormatParse
int LogCustomFormatParse(LogCustomFormat *cf, const char *format)
Parses and saves format nodes for custom format.
Definition: log-cf-common.c:94
LOG_CF_LITERAL
#define LOG_CF_LITERAL
Definition: log-cf-common.h:40
MemBufferWriteString
#define MemBufferWriteString(dst,...)
Write a string buffer to the Membuffer dst.
Definition: util-buffer.h:162
LOG_TLS_DEFAULT
#define LOG_TLS_DEFAULT
Definition: log-tlslog.c:66
LogCustomFormatNode_::data
char data[LOG_NODE_STRLEN]
Definition: log-cf-common.h:69
LOG_TLS_EXTENDED
#define LOG_TLS_EXTENDED
Definition: log-tlslog.c:67
OutputCtx_
Definition: tm-modules.h:78
LOG_CF_WRITE_SPACE_SEPARATOR
#define LOG_CF_WRITE_SPACE_SEPARATOR(buffer)
Definition: log-cf-common.h:56
LOG_TLS_CF_VERSION
#define LOG_TLS_CF_VERSION
Definition: log-tlslog.c:71
LogCustomFormat_::cf_n
uint32_t cf_n
Definition: log-cf-common.h:74
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:182
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
LogTlsFileCtx_::cf
LogCustomFormat * cf
Definition: log-tlslog.c:83
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:213
Packet_::sp
Port sp
Definition: decode.h:413
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:200
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
LogTlsFileCtx_
Definition: log-tlslog.c:80
Packet_::dp
Port dp
Definition: decode.h:421
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:249
MIN
#define MIN(x, y)
Definition: suricata-common.h:362
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
LOG_TLS_CF_SUBJECT
#define LOG_TLS_CF_SUBJECT
Definition: log-tlslog.c:76
SSLStateConnp_::cert0_not_after
time_t cert0_not_after
Definition: app-layer-ssl.h:199
LogTlsLogThread_::buffer
MemBuffer * buffer
Definition: log-tlslog.c:92
CreateUtcIsoTimeString
void CreateUtcIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:195
LOG_CF_CLIENT_PORT
#define LOG_CF_CLIENT_PORT
Definition: log-cf-common.h:45
SSLStateConnp_::sni
char * sni
Definition: app-layer-ssl.h:203
LogTlsLogThread_::tls_cnt
uint32_t tls_cnt
Definition: log-tlslog.c:90
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:249
SSLVersionToString
void SSLVersionToString(uint16_t version, char *buffer)
Definition: app-layer-ssl.c:265
OutputInitResult_
Definition: output.h:41
SSL_VERSION_MAX_STRLEN
#define SSL_VERSION_MAX_STRLEN
Definition: app-layer-ssl.h:132
LOG_TLS_CF_EXTENDED
#define LOG_TLS_CF_EXTENDED
Definition: log-tlslog.c:78
LogTlsFileCtx_::file_ctx
LogFileCtx * file_ctx
Definition: log-tlslog.c:81
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:223
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:197
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
LOG_CF_SERVER_PORT
#define LOG_CF_SERVER_PORT
Definition: log-cf-common.h:46
LogCustomFormat_::cf_nodes
LogCustomFormatNode * cf_nodes[LOG_MAXN_NODES]
Definition: log-cf-common.h:75
LogTlsLogThread_::tlslog_ctx
LogTlsFileCtx * tlslog_ctx
Definition: log-tlslog.c:87
LogTlsFileCtx
struct LogTlsFileCtx_ LogTlsFileCtx
LOG_TLS_CF_SNI
#define LOG_TLS_CF_SNI
Definition: log-tlslog.c:75
TLSGetIPInformations
int TLSGetIPInformations(const Packet *p, char *srcip, size_t srcip_len, Port *sp, char *dstip, size_t dstip_len, Port *dp, int ipproto)
Definition: log-tlslog.c:145
LOG_TLS_CF_SHA1
#define LOG_TLS_CF_SHA1
Definition: log-tlslog.c:74
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:218
OutputInitResult_::ok
bool ok
Definition: output.h:43
MemBuffer_::size
uint32_t size
Definition: util-buffer.h:29
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
LOG_CF_WRITE_UNKNOWN_VALUE
#define LOG_CF_WRITE_UNKNOWN_VALUE(buffer)
Definition: log-cf-common.h:59
LOG_CF_TIMESTAMP_U
#define LOG_CF_TIMESTAMP_U
Definition: log-cf-common.h:42
LOG_TLS_CF_ISSUER
#define LOG_TLS_CF_ISSUER
Definition: log-tlslog.c:77
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:467
LogTlsLogThread_
Definition: log-tlslog.c:86
OutputRegisterTxModuleWithProgress
void OutputRegisterTxModuleWithProgress(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module with progress.
Definition: output.c:355
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:519
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:255
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: log-tlslog.c:59
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:305
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
LOG_TLS_CF_DATE_NOT_BEFORE
#define LOG_TLS_CF_DATE_NOT_BEFORE
Definition: log-tlslog.c:72
LOG_TLS_SESSION_RESUMPTION
#define LOG_TLS_SESSION_RESUMPTION
Definition: log-tlslog.c:69
Port
uint16_t Port
Definition: decode.h:233
Packet_
Definition: decode.h:405
LOG_TLS_CUSTOM
#define LOG_TLS_CUSTOM
Definition: log-tlslog.c:68
LOG_CF_CLIENT_IP
#define LOG_CF_CLIENT_IP
Definition: log-cf-common.h:43
LOG_CF_TIMESTAMP
#define LOG_CF_TIMESTAMP
Definition: log-cf-common.h:41
MEMBUFFER_BUFFER
#define MEMBUFFER_BUFFER(mem_buffer)
Get the MemBuffers underlying buffer.
Definition: util-buffer.h:50
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
PrintRawUriBuf
void PrintRawUriBuf(char *retbuf, uint32_t *offset, uint32_t retbuflen, uint8_t *buf, uint32_t buflen)
Definition: util-print.c:118
ConfNode_
Definition: conf.h:32
LogFileCtx_::Write
int(* Write)(const char *buffer, int buffer_len, struct LogFileCtx_ *fp)
Definition: util-logopenfile.h:68
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:217
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:541
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
OUTPUT_BUFFER_SIZE
#define OUTPUT_BUFFER_SIZE
Definition: log-tlslog.c:63
version
uint8_t version
Definition: decode-gre.h:405
SCFree
#define SCFree(a)
Definition: util-mem.h:228
LogCustomFormat_
Definition: log-cf-common.h:73
tx_id
uint16_t tx_id
Definition: app-layer-dns-common.h:245
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:55
MODULE_NAME
#define MODULE_NAME
Definition: log-tlslog.c:61
ts
uint64_t ts
Definition: source-erf-file.c:30
OutputCtx_::data
void * data
Definition: tm-modules.h:81
PRINT_BUF_LEN
#define PRINT_BUF_LEN
LogCustomFormatNode_::type
uint32_t type
Definition: log-cf-common.h:67
LOG_CF_SERVER_IP
#define LOG_CF_SERVER_IP
Definition: log-cf-common.h:44
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Packet_::ts
struct timeval ts
Definition: decode.h:449
LOG_CF_NONE
#define LOG_CF_NONE
Definition: log-cf-common.h:39
LogCustomFormatNode_
Definition: log-cf-common.h:66
LogCustomFormatWriteTimestamp
void LogCustomFormatWriteTimestamp(MemBuffer *buffer, const char *fmt, const struct timeval *ts)
Writes a timestamp with given format into a MemBuffer.
Definition: log-cf-common.c:209
MemBuffer_
Definition: util-buffer.h:27
SSL_AL_FLAG_LOG_WITHOUT_CERT
#define SSL_AL_FLAG_LOG_WITHOUT_CERT
Definition: app-layer-ssl.h:111
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
LogTlsLogRegister
void LogTlsLogRegister(void)
Definition: log-tlslog.c:500
Flow_
Flow data structure.
Definition: flow.h:324
LogFileCtx_
Definition: util-logopenfile.h:52
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:248
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:196
SSLStateConnp_::cert0_serial
char * cert0_serial
Definition: app-layer-ssl.h:197
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
LogCustomFormatFree
void LogCustomFormatFree(LogCustomFormat *cf)
Frees memory held by a custom format.
Definition: log-cf-common.c:78
CreateTimeString
void CreateTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:237
LogCustomFormatAlloc
LogCustomFormat * LogCustomFormatAlloc()
Creates a custom format.
Definition: log-cf-common.c:52