#include "suricata-common.h"
#include "packet.h"
#include "detect.h"
#include "flow.h"
#include "conf.h"
#include "stream.h"
#include "threadvars.h"
#include "util-debug.h"
#include "stream-tcp.h"
#include "util-logopenfile.h"
#include "util-misc.h"
#include "util-time.h"
#include "detect-engine.h"
#include "detect-metadata.h"
#include "app-layer-parser.h"
#include "app-layer-htp-xff.h"
#include "app-layer-ftp.h"
#include "app-layer-frames.h"
#include "log-pcap.h"
#include "output.h"
#include "output-json.h"
#include "output-json-alert.h"
#include "output-json-http.h"
#include "rust.h"
#include "output-json-smtp.h"
#include "output-json-email-common.h"
#include "output-json-nfs.h"
#include "output-json-smb.h"
#include "output-json-flow.h"
#include "output-json-ike.h"
#include "output-json-frame.h"
#include "util-print.h"
#include "util-optimize.h"
#include "util-buffer.h"
#include "util-reference-config.h"
#include "util-validate.h"
#include "action-globals.h"

Include dependency graph for output-json-alert.c:

Data Structures
struct	AlertJsonOutputCtx_

struct	JsonAlertLogThread_

struct	AlertJsonStreamDataCallbackData

Macros
#define	MODULE_NAME "JsonAlertLog"

#define	LOG_JSON_PAYLOAD BIT_U16(0)

#define	LOG_JSON_PACKET BIT_U16(1)

#define	LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)

#define	LOG_JSON_TAGGED_PACKETS BIT_U16(3)

#define	LOG_JSON_APP_LAYER BIT_U16(4)

#define	LOG_JSON_FLOW BIT_U16(5)

#define	LOG_JSON_HTTP_BODY BIT_U16(6)

#define	LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)

#define	LOG_JSON_RULE_METADATA BIT_U16(8)

#define	LOG_JSON_RULE BIT_U16(9)

#define	LOG_JSON_VERDICT BIT_U16(10)

#define	LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)

#define	LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)

#define	LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)

#define	LOG_JSON_REFERENCE BIT_U16(14)

#define	METADATA_DEFAULTS

#define	JSON_BODY_LOGGING

#define	JSON_STREAM_BUFFER_SIZE 4096

Typedefs
typedef struct AlertJsonOutputCtx_	AlertJsonOutputCtx

typedef struct JsonAlertLogThread_	JsonAlertLogThread

Functions
void	AlertJsonHeader (const Packet p, const PacketAlert pa, SCJsonBuilder js, uint16_t flags, JsonAddrInfo addr, char *xff_buffer)

void	EveAddVerdict (SCJsonBuilder jb, const Packet p)
	Build verdict object. More...

void	JsonAlertLogRegister (void)

Detailed Description

Author: Tom DeCanio td@np.nosp@m.ulse.nosp@m.tech..nosp@m.com

Logs alerts in JSON format.

Definition in file output-json-alert.c.

Macro Definition Documentation

◆ JSON_BODY_LOGGING

#define JSON_BODY_LOGGING

Value:

(LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD | \

LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)

Definition at line 94 of file output-json-alert.c.

◆ JSON_STREAM_BUFFER_SIZE

#define JSON_STREAM_BUFFER_SIZE 4096

Definition at line 98 of file output-json-alert.c.

◆ LOG_JSON_APP_LAYER

#define LOG_JSON_APP_LAYER BIT_U16(4)

Definition at line 78 of file output-json-alert.c.

◆ LOG_JSON_FLOW

#define LOG_JSON_FLOW BIT_U16(5)

Definition at line 79 of file output-json-alert.c.

◆ LOG_JSON_HTTP_BODY

#define LOG_JSON_HTTP_BODY BIT_U16(6)

Definition at line 80 of file output-json-alert.c.

◆ LOG_JSON_HTTP_BODY_BASE64

#define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)

Definition at line 81 of file output-json-alert.c.

◆ LOG_JSON_PACKET

#define LOG_JSON_PACKET BIT_U16(1)

Definition at line 75 of file output-json-alert.c.

◆ LOG_JSON_PAYLOAD

#define LOG_JSON_PAYLOAD BIT_U16(0)

Definition at line 74 of file output-json-alert.c.

◆ LOG_JSON_PAYLOAD_BASE64

#define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)

Definition at line 76 of file output-json-alert.c.

◆ LOG_JSON_PAYLOAD_LENGTH

#define LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)

Definition at line 87 of file output-json-alert.c.

◆ LOG_JSON_REFERENCE

#define LOG_JSON_REFERENCE BIT_U16(14)

Definition at line 88 of file output-json-alert.c.

◆ LOG_JSON_RULE

#define LOG_JSON_RULE BIT_U16(9)

Definition at line 83 of file output-json-alert.c.

◆ LOG_JSON_RULE_METADATA

#define LOG_JSON_RULE_METADATA BIT_U16(8)

Definition at line 82 of file output-json-alert.c.

◆ LOG_JSON_TAGGED_PACKETS

#define LOG_JSON_TAGGED_PACKETS BIT_U16(3)

Definition at line 77 of file output-json-alert.c.

◆ LOG_JSON_VERDICT

#define LOG_JSON_VERDICT BIT_U16(10)

Definition at line 84 of file output-json-alert.c.

◆ LOG_JSON_WEBSOCKET_PAYLOAD

#define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)

Definition at line 85 of file output-json-alert.c.

◆ LOG_JSON_WEBSOCKET_PAYLOAD_BASE64

#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)

Definition at line 86 of file output-json-alert.c.

◆ METADATA_DEFAULTS

#define METADATA_DEFAULTS

Value:

            ( LOG_JSON_FLOW |                        \
            LOG_JSON_APP_LAYER  |                                  \
            LOG_JSON_RULE_METADATA)

Definition at line 90 of file output-json-alert.c.

◆ MODULE_NAME

#define MODULE_NAME "JsonAlertLog"

Definition at line 72 of file output-json-alert.c.

Typedef Documentation

◆ AlertJsonOutputCtx

typedef struct AlertJsonOutputCtx_ AlertJsonOutputCtx

◆ JsonAlertLogThread

typedef struct JsonAlertLogThread_ JsonAlertLogThread

Function Documentation

◆ AlertJsonHeader()

void AlertJsonHeader	(	const Packet *	p,
		const PacketAlert *	pa,
		SCJsonBuilder *	js,
		uint16_t	flags,
		JsonAddrInfo *	addr,
		char *	xff_buffer
	)

Definition at line 203 of file output-json-alert.c.

References PacketAlert_::action, ACTION_DROP, ACTION_DROP_REJECT, ACTION_REJECT_ANY, Signature_::class_msg, EngineModeIsIPS(), PacketAlert_::flags, Signature_::flags, Signature_::gid, Signature_::id, Signature_::msg, PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED, PACKET_ALERT_FLAG_TX, PACKET_ALERT_FLAG_TX_GUESSED, PacketCheckAction(), Signature_::prio, Signature_::rev, PacketAlert_::s, SIG_FLAG_HAS_TARGET, Packet_::tenant_id, PacketAlert_::tx_id, and unlikely.

Here is the call graph for this function:

◆ EveAddVerdict()

void EveAddVerdict	(	SCJsonBuilder *	jb,
		const Packet *	p
	)

Build verdict object.

Parameters

p	Pointer to Packet current being logged

Definition at line 546 of file output-json-alert.c.

References PacketAlert_::action, ACTION_ACCEPT, ACTION_DROP, ACTION_PASS, ACTION_REJECT, ACTION_REJECT_ANY, ACTION_REJECT_BOTH, ACTION_REJECT_DST, PacketAlerts_::alerts, Packet_::alerts, PacketAlerts_::cnt, EngineModeIsIPS(), JB_SET_STRING, PacketCheckAction(), and Packet_::proto.