Go to the documentation of this file.
71 #define MODULE_NAME "JsonAlertLog"
73 #define LOG_JSON_PAYLOAD BIT_U16(0)
74 #define LOG_JSON_PACKET BIT_U16(1)
75 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
76 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
77 #define LOG_JSON_APP_LAYER BIT_U16(4)
78 #define LOG_JSON_FLOW BIT_U16(5)
79 #define LOG_JSON_HTTP_BODY BIT_U16(6)
80 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
81 #define LOG_JSON_RULE_METADATA BIT_U16(8)
82 #define LOG_JSON_RULE BIT_U16(9)
83 #define LOG_JSON_VERDICT BIT_U16(10)
84 #define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)
85 #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
86 #define LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)
87 #define LOG_JSON_REFERENCE BIT_U16(14)
89 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
90 LOG_JSON_APP_LAYER | \
91 LOG_JSON_RULE_METADATA)
93 #define JSON_BODY_LOGGING \
94 (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD | \
95 LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)
97 #define JSON_STREAM_BUFFER_SIZE 4096
114 static void AlertJsonSourceTarget(
117 SCJbOpenObject(js,
"source");
119 SCJbSetString(js,
"ip", addr->
src_ip);
127 SCJbSetUint(js,
"port", addr->
sp);
131 SCJbSetString(js,
"ip", addr->
dst_ip);
139 SCJbSetUint(js,
"port", addr->
dp);
145 SCJbOpenObject(js,
"target");
147 SCJbSetString(js,
"ip", addr->
dst_ip);
155 SCJbSetUint(js,
"port", addr->
dp);
159 SCJbSetString(js,
"ip", addr->
src_ip);
167 SCJbSetUint(js,
"port", addr->
sp);
174 static void AlertJsonReference(
const PacketAlert *pa, SCJsonBuilder *jb)
181 SCJbOpenArray(jb,
"references");
187 char kv_store[size_needed];
188 snprintf(kv_store, size_needed,
"%s%s", kv->
key, kv->
reference);
189 SCJbAppendString(jb, kv_store);
195 static void AlertJsonMetadata(
const PacketAlert *pa, SCJsonBuilder *js)
205 const char *action =
"allowed";
222 SCJbSetUint(js,
"tx_id", pa->
tx_id);
225 SCJbSetBool(js,
"tx_guessed",
true);
228 SCJbOpenObject(js,
"alert");
230 SCJbSetString(js,
"action", action);
231 SCJbSetUint(js,
"gid", pa->
s->
gid);
232 SCJbSetUint(js,
"signature_id", pa->
s->
id);
233 SCJbSetUint(js,
"rev", pa->
s->
rev);
236 SCJbSetString(js,
"signature", pa->
s->
msg ? pa->
s->
msg :
"");
238 SCJbSetUint(js,
"severity", pa->
s->
prio);
241 SCJbSetUint(js,
"tenant_id", p->
tenant_id);
245 AlertJsonSourceTarget(p, pa, js, addr);
249 AlertJsonReference(pa, js);
253 AlertJsonMetadata(pa, js);
257 SCJbOpenObject(js,
"context");
264 json_info = json_info->
next;
269 SCJbSetString(js,
"rule", pa->
s->
sig_str);
271 if (xff_buffer && xff_buffer[0]) {
272 SCJbSetString(js,
"xff", xff_buffer);
278 static void AlertJsonTunnel(
const Packet *p, SCJsonBuilder *js)
280 if (p->
root == NULL) {
284 SCJbOpenObject(js,
"tunnel");
293 SCJbSetString(js,
"src_ip", addr.
src_ip);
294 SCJbSetUint(js,
"src_port", addr.
sp);
295 SCJbSetString(js,
"dest_ip", addr.
dst_ip);
296 SCJbSetUint(js,
"dest_port", addr.
dp);
297 SCJbSetString(js,
"proto", addr.
proto);
301 SCJbSetUint(js,
"pcap_cnt", pcap_cnt);
323 SCJbSetString(js,
"payload_printable", (
char *)printable_buf);
327 static void AlertAddAppLayer(
328 const Packet *p, SCJsonBuilder *jb,
const uint64_t tx_id,
const uint16_t option_flags)
332 SCJsonBuilderMark mark = { 0, 0, 0 };
333 if (al && al->
LogTx) {
334 void *state = FlowGetAppState(p->
flow);
342 SCJbSetString(jb,
"ts_progress",
344 SCJbSetString(jb,
"tc_progress",
346 SCJbGetMark(jb, &mark);
354 if (!SCWebSocketLogDetails(tx, jb, pp, pb64)) {
355 SCJbRestoreMark(jb, &mark);
361 if (!al->
LogTx(tx, jb)) {
362 SCJbRestoreMark(jb, &mark);
368 void *state = FlowGetAppState(p->
flow);
376 SCJbSetString(jb,
"ts_progress",
378 SCJbSetString(jb,
"tc_progress",
385 SCJbOpenObject(jb,
"http");
397 SCJbGetMark(jb, &mark);
398 SCJbOpenObject(jb,
"smtp");
402 SCJbRestoreMark(jb, &mark);
404 SCJbGetMark(jb, &mark);
405 SCJbOpenObject(jb,
"email");
409 SCJbRestoreMark(jb, &mark);
414 SCJbGetMark(jb, &mark);
415 SCJbOpenObject(jb,
"rpc");
419 SCJbRestoreMark(jb, &mark);
422 SCJbGetMark(jb, &mark);
423 SCJbOpenObject(jb,
"nfs");
427 SCJbRestoreMark(jb, &mark);
431 SCJbGetMark(jb, &mark);
432 SCJbOpenObject(jb,
"smb");
436 SCJbRestoreMark(jb, &mark);
440 SCJbGetMark(jb, &mark);
442 SCJbRestoreMark(jb, &mark);
449 SCJbGetMark(jb, &mark);
450 SCJbOpenObject(jb,
"dcerpc");
451 if (p->
proto == IPPROTO_TCP) {
452 if (!SCDcerpcLogJsonRecordTcp(state, tx, jb)) {
453 SCJbRestoreMark(jb, &mark);
456 if (!SCDcerpcLogJsonRecordUdp(state, tx, jb)) {
457 SCJbRestoreMark(jb, &mark);
470 static void AlertAddFiles(
const Packet *p, SCJsonBuilder *jb,
const uint64_t tx_id)
472 const uint8_t direction =
488 SCJbOpenArray(jb,
"files");
501 static void AlertAddFrame(
502 const Packet *p,
const int64_t frame_id, SCJsonBuilder *jb,
MemBuffer *buffer)
508 if (frames_container == NULL)
513 if (p->
proto == IPPROTO_TCP) {
517 frames = &frames_container->
toserver;
520 frames = &frames_container->
toclient;
526 }
else if (p->
proto == IPPROTO_UDP) {
528 frames = &frames_container->
toserver;
530 frames = &frames_container->
toclient;
547 SCJbOpenObject(jb,
"verdict");
564 SCJbOpenArray(jb,
"reject");
569 SCJbAppendString(jb,
"icmp-prohib");
572 SCJbAppendString(jb,
"tcp-reset");
597 static int AlertJsonStreamDataCallback(
598 void *cb_data,
const uint8_t *input,
const uint32_t input_len,
const uint64_t input_offset)
601 if (input_offset > cbd->
last_re) {
603 cbd->
payload,
"[%" PRIu64
" bytes missing]", input_offset - cbd->
last_re);
608 if (written < input_len)
610 cbd->
last_re = input_offset + input_len;
644 SCJbSetString(jb,
"payload_printable", (
char *)printable_buf);
658 for (
int i = 0; i < p->
alerts.
cnt; i++) {
710 if (PacketIsTunnel(p)) {
711 AlertJsonTunnel(p, jb);
714 if (p->
flow != NULL) {
717 AlertAddAppLayer(p, jb, pa->
tx_id, json_output_ctx->
flags);
721 AlertAddFiles(p, jb, pa->
tx_id);
728 SCJbSetString(jb,
"direction",
"to_server");
730 SCJbSetString(jb,
"direction",
"to_client");
734 SCJbOpenObject(jb,
"flow");
737 SCJbSetString(jb,
"src_ip", addr.
dst_ip);
738 SCJbSetString(jb,
"dest_ip", addr.
src_ip);
740 SCJbSetUint(jb,
"src_port", addr.
dp);
741 SCJbSetUint(jb,
"dest_port", addr.
sp);
744 SCJbSetString(jb,
"src_ip", addr.
src_ip);
745 SCJbSetString(jb,
"dest_ip", addr.
dst_ip);
747 SCJbSetUint(jb,
"src_port", addr.
sp);
748 SCJbSetUint(jb,
"dest_port", addr.
dp);
756 if (json_output_ctx->
flags &
758 int stream = (p->
proto == IPPROTO_TCP) ?
765 if (stream && p->
flow != NULL) {
766 const bool stream_data_logged =
767 AlertJsonStreamData(json_output_ctx, aft, p->
flow, p, jb);
770 AlertAddPayload(json_output_ctx, jb, p);
774 AlertAddPayload(json_output_ctx, jb, p);
777 SCJbSetUint(jb,
"stream", stream);
804 SCJsonBuilder *packetjs =
823 for (
int i = 0; i < p->
alerts.
cnt; i++) {
836 if (PacketIsTunnel(p)) {
837 AlertJsonTunnel(p, jb);
873 if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
874 return AlertJson(
tv, aft, p);
876 return AlertJsonDecoderEvent(
tv, aft, p);
886 static TmEcode JsonAlertLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
892 if (initdata == NULL)
894 SCLogDebug(
"Error getting context for EveLogAlert. \"initdata\" argument NULL");
940 static void JsonAlertLogDeInitCtxSub(
OutputCtx *output_ctx)
942 SCLogDebug(
"cleaning up sub output_ctx %p", output_ctx);
946 if (json_output_ctx != NULL) {
948 if (xff_cfg != NULL) {
956 static void SetFlag(
const SCConfNode *conf,
const char *
name, uint16_t flag, uint16_t *out_flags)
960 if (setting != NULL) {
971 static bool warn_no_meta =
false;
978 if (metadata != NULL) {
1007 static const char *deprecated_flags[] = {
"http",
"tls",
"ssh",
"smtp",
"dnp3",
"app-layer",
1009 for (
int i = 0; deprecated_flags[i] != NULL; i++) {
1011 SCLogWarning(
"Found deprecated eve-log.alert flag \"%s\", this flag has no effect",
1012 deprecated_flags[i]);
1018 if (payload_buffer_value != NULL) {
1022 "payload-buffer-size - %s. Killing engine",
1023 payload_buffer_value);
1025 }
else if (value == 0) {
1027 SCLogError(
"Error payload-buffer-size should not be 0");
1030 payload_buffer_size = value;
1036 SCLogWarning(
"HTTP body logging has been configured, however, "
1037 "metadata logging has not been enabled. HTTP body logging will be "
1040 warn_no_meta =
true;
1058 if (
likely(xff_cfg != NULL)) {
1081 if (
unlikely(json_output_ctx == NULL)) {
1086 json_output_ctx->
eve_ctx = ajt;
1088 JsonAlertLogSetupMetadata(json_output_ctx, conf);
1089 json_output_ctx->
xff_cfg = JsonAlertLogGetXffCfg(conf);
1090 if (json_output_ctx->
xff_cfg == NULL) {
1094 output_ctx->
data = json_output_ctx;
1095 output_ctx->
DeInit = JsonAlertLogDeInitCtxSub;
1097 result.
ctx = output_ctx;
1102 if (json_output_ctx != NULL) {
1105 if (output_ctx != NULL) {
1116 .FlushFunc = JsonAlertFlush,
1117 .ConditionFunc = JsonAlertLogCondition,
1118 .ThreadInitFunc = JsonAlertLogThreadInit,
1119 .ThreadDeinitFunc = JsonAlertLogThreadDeinit,
1120 .ThreadExitPrintStatsFunc = NULL,
1124 JsonAlertLogInitCtxSub, &output_logger_functions);
bool PacketCheckAction(const Packet *p, const uint8_t a)
#define PACKET_ALERT_FLAG_TX_GUESSED
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
int SCConfValIsTrue(const char *val)
Check if a value is true.
const struct Signature_ * s
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
void EveAddFlow(Flow *f, SCJsonBuilder *js)
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
#define PACKET_ALERT_FLAG_STATE_MATCH
void EveHttpLogJSONBodyPrintable(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
HttpXFFCfg * parent_xff_cfg
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
void EveAddAppProto(Flow *f, SCJsonBuilder *js)
#define SIG_FLAG_DEST_IS_TARGET
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
const JsonAddrInfo json_addr_info_zero
#define FLOW_PKT_TOSERVER
#define ACTION_REJECT_ANY
int SCConfValIsFalse(const char *val)
Check if a value is false.
#define ACTION_DROP_REJECT
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
bool SCConfNodeHasChildren(const SCConfNode *node)
Check if a node has any children.
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
char * PcapLogGetFilename(void)
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
size_t strlcpy(char *dst, const char *src, size_t siz)
#define JSON_BODY_LOGGING
#define ACTION_REJECT_DST
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
OutputJsonThreadCtx * ctx
struct PacketContextData * json_info
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
#define JB_SET_STRING(jb, key, val)
#define PKT_IS_TOSERVER(p)
#define LOG_JSON_APP_LAYER
#define LOG_JSON_WEBSOCKET_PAYLOAD
Frame * FrameGetById(Frames *frames, const int64_t id)
#define STREAM_BASE_OFFSET(stream)
struct AppLayerGetFileState AppLayerGetFileState
void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
Build verdict object.
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
DetectReference * references
Per thread variable structure.
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
const char * PktSrcToString(enum PktSrcEnum pkt_src)
struct JsonAlertLogThread_ JsonAlertLogThread
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature reference list.
EveJsonSimpleAppLayerLogger * SCEveJsonSimpleGetLogger(AppProto alproto)
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
FramesContainer * AppLayerFramesGetContainer(Flow *f)
#define JSON_STREAM_BUFFER_SIZE
#define LOG_JSON_PAYLOAD_BASE64
#define SIG_FLAG_HAS_TARGET
#define LOG_JSON_PAYLOAD_LENGTH
#define SIG_FLAG_SRC_IS_TARGET
uint32_t payload_buffer_size
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
#define FLOW_PKT_TOCLIENT
struct DetectReference_ * next
#define LOG_JSON_TAGGED_PACKETS
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
#define PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_FRAME
char proto[JSON_PROTO_LEN]
#define ACTION_REJECT_BOTH
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
bool EveEmailAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
void(* DeInit)(struct OutputCtx_ *)
char pcap_filename[PATH_MAX]
EveJsonSimpleTxLogFunc LogTx
AlertJsonOutputCtx * json_output_ctx
void MemBufferFree(MemBuffer *buffer)
struct PacketContextData * next
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
int ParseSizeStringU32(const char *size, uint32_t *res)
char src_ip[JSON_ADDR_LEN]
#define PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
DetectMetadataHead * metadata
#define SCLogError(...)
Macro used to log ERROR messages.
void EveHttpLogJSONBodyBase64(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
MemBuffer * payload_buffer
#define LOG_JSON_HTTP_BODY_BASE64
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, SCJsonBuilder *jb, MemBuffer *buffer)
log a single frame
#define PACKET_ALERT_FLAG_TX
char dst_ip[JSON_ADDR_LEN]
#define LOG_JSON_HTTP_BODY
#define METADATA_DEFAULTS
int EngineModeIsIPS(void)
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
void DetectEngineSetParseMetadata(void)
AppProto alproto
application level protocol
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
#define LOG_JSON_RULE_METADATA
#define DEBUG_VALIDATE_BUG_ON(exp)
#define LOG_JSON_REFERENCE
MemBuffer * MemBufferCreateNew(uint32_t size)
void JsonAlertLogRegister(void)