suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "packet.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "stream.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 #include "stream-tcp.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-time.h"
41 
42 #include "detect-engine.h"
43 #include "detect-metadata.h"
44 #include "app-layer-parser.h"
45 #include "app-layer-htp-xff.h"
46 #include "app-layer-ftp.h"
47 #include "app-layer-frames.h"
48 #include "log-pcap.h"
49 
50 #include "output.h"
51 #include "output-json.h"
52 #include "output-json-alert.h"
53 #include "output-json-http.h"
54 #include "rust.h"
55 #include "output-json-smtp.h"
57 #include "output-json-nfs.h"
58 #include "output-json-smb.h"
59 #include "output-json-flow.h"
60 #include "output-json-ike.h"
61 #include "output-json-frame.h"
62 
63 #include "util-print.h"
64 #include "util-optimize.h"
65 #include "util-buffer.h"
66 #include "util-reference-config.h"
67 #include "util-validate.h"
68 
69 #include "action-globals.h"
70 
71 #define MODULE_NAME "JsonAlertLog"
72 
73 #define LOG_JSON_PAYLOAD BIT_U16(0)
74 #define LOG_JSON_PACKET BIT_U16(1)
75 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
76 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
77 #define LOG_JSON_APP_LAYER BIT_U16(4)
78 #define LOG_JSON_FLOW BIT_U16(5)
79 #define LOG_JSON_HTTP_BODY BIT_U16(6)
80 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
81 #define LOG_JSON_RULE_METADATA BIT_U16(8)
82 #define LOG_JSON_RULE BIT_U16(9)
83 #define LOG_JSON_VERDICT BIT_U16(10)
84 #define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)
85 #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
86 #define LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)
87 #define LOG_JSON_REFERENCE BIT_U16(14)
88 
89 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
90  LOG_JSON_APP_LAYER | \
91  LOG_JSON_RULE_METADATA)
92 
93 #define JSON_BODY_LOGGING \
94  (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD | \
95  LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)
96 
97 #define JSON_STREAM_BUFFER_SIZE 4096
98 
99 typedef struct AlertJsonOutputCtx_ {
101  uint16_t flags;
107 
108 typedef struct JsonAlertLogThread_ {
113 
114 static void AlertJsonSourceTarget(
115  const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, JsonAddrInfo *addr)
116 {
117  SCJbOpenObject(js, "source");
118  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
119  SCJbSetString(js, "ip", addr->src_ip);
120  switch (p->proto) {
121  case IPPROTO_ICMP:
122  case IPPROTO_ICMPV6:
123  break;
124  case IPPROTO_UDP:
125  case IPPROTO_TCP:
126  case IPPROTO_SCTP:
127  SCJbSetUint(js, "port", addr->sp);
128  break;
129  }
130  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
131  SCJbSetString(js, "ip", addr->dst_ip);
132  switch (p->proto) {
133  case IPPROTO_ICMP:
134  case IPPROTO_ICMPV6:
135  break;
136  case IPPROTO_UDP:
137  case IPPROTO_TCP:
138  case IPPROTO_SCTP:
139  SCJbSetUint(js, "port", addr->dp);
140  break;
141  }
142  }
143  SCJbClose(js);
144 
145  SCJbOpenObject(js, "target");
146  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
147  SCJbSetString(js, "ip", addr->dst_ip);
148  switch (p->proto) {
149  case IPPROTO_ICMP:
150  case IPPROTO_ICMPV6:
151  break;
152  case IPPROTO_UDP:
153  case IPPROTO_TCP:
154  case IPPROTO_SCTP:
155  SCJbSetUint(js, "port", addr->dp);
156  break;
157  }
158  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
159  SCJbSetString(js, "ip", addr->src_ip);
160  switch (p->proto) {
161  case IPPROTO_ICMP:
162  case IPPROTO_ICMPV6:
163  break;
164  case IPPROTO_UDP:
165  case IPPROTO_TCP:
166  case IPPROTO_SCTP:
167  SCJbSetUint(js, "port", addr->sp);
168  break;
169  }
170  }
171  SCJbClose(js);
172 }
173 
174 static void AlertJsonReference(const PacketAlert *pa, SCJsonBuilder *jb)
175 {
176  if (!pa->s->references) {
177  return;
178  }
179 
180  const DetectReference *kv = pa->s->references;
181  SCJbOpenArray(jb, "references");
182  while (kv) {
183  /* Note that the key and reference sizes have been bound
184  * checked during parsing
185  */
186  const size_t size_needed = kv->key_len + kv->reference_len + 1;
187  char kv_store[size_needed];
188  snprintf(kv_store, size_needed, "%s%s", kv->key, kv->reference);
189  SCJbAppendString(jb, kv_store);
190  kv = kv->next;
191  }
192  SCJbClose(jb);
193 }
194 
195 static void AlertJsonMetadata(const PacketAlert *pa, SCJsonBuilder *js)
196 {
197  if (pa->s->metadata && pa->s->metadata->json_str) {
198  SCJbSetFormatted(js, pa->s->metadata->json_str);
199  }
200 }
201 
202 void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags,
203  JsonAddrInfo *addr, char *xff_buffer)
204 {
205  const char *action = "allowed";
206  /* use packet action if rate_filter modified the action */
209  action = "blocked";
210  }
211  } else {
212  if (pa->action & ACTION_REJECT_ANY) {
213  action = "blocked";
214  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
215  action = "blocked";
216  }
217  }
218 
219  /* Add tx_id to root element for correlation with other events. */
220  /* json_object_del(js, "tx_id"); */
221  if (pa->flags & PACKET_ALERT_FLAG_TX) {
222  SCJbSetUint(js, "tx_id", pa->tx_id);
223  }
225  SCJbSetBool(js, "tx_guessed", true);
226  }
227 
228  SCJbOpenObject(js, "alert");
229 
230  SCJbSetString(js, "action", action);
231  SCJbSetUint(js, "gid", pa->s->gid);
232  SCJbSetUint(js, "signature_id", pa->s->id);
233  SCJbSetUint(js, "rev", pa->s->rev);
234  /* TODO: SCJsonBuilder should handle unprintable characters like
235  * SCJsonString. */
236  SCJbSetString(js, "signature", pa->s->msg ? pa->s->msg : "");
237  SCJbSetString(js, "category", pa->s->class_msg ? pa->s->class_msg : "");
238  SCJbSetUint(js, "severity", pa->s->prio);
239 
240  if (p->tenant_id > 0) {
241  SCJbSetUint(js, "tenant_id", p->tenant_id);
242  }
243 
244  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
245  AlertJsonSourceTarget(p, pa, js, addr);
246  }
247 
248  if ((flags & LOG_JSON_REFERENCE)) {
249  AlertJsonReference(pa, js);
250  }
251 
253  AlertJsonMetadata(pa, js);
254  }
255 
256  if (flags & LOG_JSON_RULE) {
257  SCJbSetString(js, "rule", pa->s->sig_str);
258  }
259  if (xff_buffer && xff_buffer[0]) {
260  SCJbSetString(js, "xff", xff_buffer);
261  }
262 
263  SCJbClose(js);
264 }
265 
266 static void AlertJsonTunnel(const Packet *p, SCJsonBuilder *js)
267 {
268  if (p->root == NULL) {
269  return;
270  }
271 
272  SCJbOpenObject(js, "tunnel");
273 
274  enum PktSrcEnum pkt_src;
275  uint64_t pcap_cnt;
277  JsonAddrInfoInit(p->root, 0, &addr);
278  pcap_cnt = p->root->pcap_cnt;
279  pkt_src = p->root->pkt_src;
280 
281  SCJbSetString(js, "src_ip", addr.src_ip);
282  SCJbSetUint(js, "src_port", addr.sp);
283  SCJbSetString(js, "dest_ip", addr.dst_ip);
284  SCJbSetUint(js, "dest_port", addr.dp);
285  SCJbSetString(js, "proto", addr.proto);
286 
287  SCJbSetUint(js, "depth", p->recursion_level);
288  if (pcap_cnt != 0) {
289  SCJbSetUint(js, "pcap_cnt", pcap_cnt);
290  }
291  SCJbSetString(js, "pkt_src", PktSrcToString(pkt_src));
292  SCJbClose(js);
293 }
294 
295 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, SCJsonBuilder *js, const Packet *p)
296 {
297  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
298  SCJbSetBase64(js, "payload", p->payload, p->payload_len);
299  }
300  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
301  SCJbSetUint(js, "payload_length", p->payload_len);
302  }
303 
304  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
305  uint8_t printable_buf[p->payload_len + 1];
306  uint32_t offset = 0;
307  PrintStringsToBuffer(printable_buf, &offset,
308  p->payload_len + 1,
309  p->payload, p->payload_len);
310  printable_buf[p->payload_len] = '\0';
311  SCJbSetString(js, "payload_printable", (char *)printable_buf);
312  }
313 }
314 
315 static void AlertAddAppLayer(
316  const Packet *p, SCJsonBuilder *jb, const uint64_t tx_id, const uint16_t option_flags)
317 {
318  const AppProto proto = FlowGetAppProtocol(p->flow);
320  SCJsonBuilderMark mark = { 0, 0, 0 };
321  if (al && al->LogTx) {
322  void *state = FlowGetAppState(p->flow);
323  if (state) {
324  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
325  if (tx) {
326  const int ts =
327  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
328  const int tc =
329  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
330  SCJbSetString(jb, "ts_progress",
331  AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
332  SCJbSetString(jb, "tc_progress",
333  AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
334  SCJbGetMark(jb, &mark);
335  switch (proto) {
336  // first check some protocols need special options for alerts logging
337  case ALPROTO_WEBSOCKET:
338  if (option_flags &
340  bool pp = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD) != 0;
341  bool pb64 = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD_BASE64) != 0;
342  if (!SCWebSocketLogDetails(tx, jb, pp, pb64)) {
343  SCJbRestoreMark(jb, &mark);
344  }
345  // nothing more to log or do
346  return;
347  }
348  }
349  if (!al->LogTx(tx, jb)) {
350  SCJbRestoreMark(jb, &mark);
351  }
352  }
353  }
354  return;
355  }
356  void *state = FlowGetAppState(p->flow);
357  if (state) {
358  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
359  if (tx) {
360  const int ts =
361  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
362  const int tc =
363  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
364  SCJbSetString(jb, "ts_progress",
365  AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
366  SCJbSetString(jb, "tc_progress",
367  AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
368  }
369  }
370  switch (proto) {
371  case ALPROTO_HTTP1:
372  // TODO: Could result in an empty http object being logged.
373  SCJbOpenObject(jb, "http");
374  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
375  if (option_flags & LOG_JSON_HTTP_BODY) {
376  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
377  }
378  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
379  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
380  }
381  }
382  SCJbClose(jb);
383  break;
384  case ALPROTO_SMTP:
385  SCJbGetMark(jb, &mark);
386  SCJbOpenObject(jb, "smtp");
387  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
388  SCJbClose(jb);
389  } else {
390  SCJbRestoreMark(jb, &mark);
391  }
392  SCJbGetMark(jb, &mark);
393  SCJbOpenObject(jb, "email");
394  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
395  SCJbClose(jb);
396  } else {
397  SCJbRestoreMark(jb, &mark);
398  }
399  break;
400  case ALPROTO_NFS:
401  /* rpc */
402  SCJbGetMark(jb, &mark);
403  SCJbOpenObject(jb, "rpc");
404  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
405  SCJbClose(jb);
406  } else {
407  SCJbRestoreMark(jb, &mark);
408  }
409  /* nfs */
410  SCJbGetMark(jb, &mark);
411  SCJbOpenObject(jb, "nfs");
412  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
413  SCJbClose(jb);
414  } else {
415  SCJbRestoreMark(jb, &mark);
416  }
417  break;
418  case ALPROTO_SMB:
419  SCJbGetMark(jb, &mark);
420  SCJbOpenObject(jb, "smb");
421  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
422  SCJbClose(jb);
423  } else {
424  SCJbRestoreMark(jb, &mark);
425  }
426  break;
427  case ALPROTO_IKE:
428  SCJbGetMark(jb, &mark);
429  if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
430  SCJbRestoreMark(jb, &mark);
431  }
432  break;
433  case ALPROTO_DCERPC: {
434  if (state) {
435  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
436  if (tx) {
437  SCJbGetMark(jb, &mark);
438  SCJbOpenObject(jb, "dcerpc");
439  if (p->proto == IPPROTO_TCP) {
440  if (!SCDcerpcLogJsonRecordTcp(state, tx, jb)) {
441  SCJbRestoreMark(jb, &mark);
442  }
443  } else {
444  if (!SCDcerpcLogJsonRecordUdp(state, tx, jb)) {
445  SCJbRestoreMark(jb, &mark);
446  }
447  }
448  SCJbClose(jb);
449  }
450  }
451  break;
452  }
453  default:
454  break;
455  }
456 }
457 
458 static void AlertAddFiles(const Packet *p, SCJsonBuilder *jb, const uint64_t tx_id)
459 {
460  const uint8_t direction =
461  (p->flowflags & FLOW_PKT_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT;
462  FileContainer *ffc = NULL;
463  if (p->flow->alstate != NULL) {
464  void *tx = AppLayerParserGetTx(p->flow->proto, p->flow->alproto, p->flow->alstate, tx_id);
465  if (tx) {
466  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, direction);
467  ffc = files.fc;
468  }
469  }
470  if (ffc != NULL) {
471  File *file = ffc->head;
472  bool isopen = false;
473  while (file) {
474  if (!isopen) {
475  isopen = true;
476  SCJbOpenArray(jb, "files");
477  }
478  SCJbStartObject(jb);
479  EveFileInfo(jb, file, tx_id, file->flags);
480  SCJbClose(jb);
481  file = file->next;
482  }
483  if (isopen) {
484  SCJbClose(jb);
485  }
486  }
487 }
488 
489 static void AlertAddFrame(
490  const Packet *p, const int64_t frame_id, SCJsonBuilder *jb, MemBuffer *buffer)
491 {
492  if (p->flow == NULL || (p->proto == IPPROTO_TCP && p->flow->protoctx == NULL))
493  return;
494 
495  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
496  if (frames_container == NULL)
497  return;
498 
499  Frames *frames = NULL;
500  TcpStream *stream = NULL;
501  if (p->proto == IPPROTO_TCP) {
502  TcpSession *ssn = p->flow->protoctx;
503  if (PKT_IS_TOSERVER(p)) {
504  stream = &ssn->client;
505  frames = &frames_container->toserver;
506  } else {
507  stream = &ssn->server;
508  frames = &frames_container->toclient;
509  }
510  Frame *frame = FrameGetById(frames, frame_id);
511  if (frame != NULL) {
512  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, buffer);
513  }
514  } else if (p->proto == IPPROTO_UDP) {
515  if (PKT_IS_TOSERVER(p)) {
516  frames = &frames_container->toserver;
517  } else {
518  frames = &frames_container->toclient;
519  }
520  Frame *frame = FrameGetById(frames, frame_id);
521  if (frame != NULL) {
522  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, buffer);
523  }
524  }
525 }
526 
527 /**
528  * \brief Build verdict object
529  *
530  * \param p Pointer to Packet current being logged
531  *
532  */
533 void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
534 {
535  SCJbOpenObject(jb, "verdict");
536 
537  /* add verdict info */
539  // check rule to define type of reject packet sent
540  if (EngineModeIsIPS()) {
541  JB_SET_STRING(jb, "action", "drop");
542  } else {
543  JB_SET_STRING(jb, "action", "alert");
544  }
546  JB_SET_STRING(jb, "reject-target", "to_client");
547  } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
548  JB_SET_STRING(jb, "reject-target", "to_server");
549  } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
550  JB_SET_STRING(jb, "reject-target", "both");
551  }
552  SCJbOpenArray(jb, "reject");
553  switch (p->proto) {
554  case IPPROTO_UDP:
555  case IPPROTO_ICMP:
556  case IPPROTO_ICMPV6:
557  SCJbAppendString(jb, "icmp-prohib");
558  break;
559  case IPPROTO_TCP:
560  SCJbAppendString(jb, "tcp-reset");
561  break;
562  }
563  SCJbClose(jb);
564 
565  } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) {
566  JB_SET_STRING(jb, "action", "drop");
567  } else if (p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS) {
568  JB_SET_STRING(jb, "action", "pass");
569  } else {
570  // TODO make sure we don't have a situation where this wouldn't work
571  JB_SET_STRING(jb, "action", "alert");
572  }
573 
574  /* Close verdict */
575  SCJbClose(jb);
576 }
577 
580  uint64_t last_re;
581 };
582 
583 static int AlertJsonStreamDataCallback(
584  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
585 {
586  struct AlertJsonStreamDataCallbackData *cbd = cb_data;
587  if (input_offset > cbd->last_re) {
589  cbd->payload, "[%" PRIu64 " bytes missing]", input_offset - cbd->last_re);
590  }
591 
592  int done = 0;
593  uint32_t written = MemBufferWriteRaw(cbd->payload, input, input_len);
594  if (written < input_len)
595  done = 1;
596  cbd->last_re = input_offset + input_len;
597  return done;
598 }
599 
600 /** \internal
601  * \brief try to log stream data into payload/payload_printable
602  * \retval true stream data logged
603  * \retval false stream data not logged
604  */
605 static bool AlertJsonStreamData(const AlertJsonOutputCtx *json_output_ctx, JsonAlertLogThread *aft,
606  Flow *f, const Packet *p, SCJsonBuilder *jb)
607 {
608  TcpSession *ssn = f->protoctx;
609  TcpStream *stream = (PKT_IS_TOSERVER(p)) ? &ssn->client : &ssn->server;
610 
611  MemBufferReset(aft->payload_buffer);
613  .last_re = STREAM_BASE_OFFSET(stream) };
614  uint64_t unused = 0;
615  StreamReassembleLog(ssn, stream, AlertJsonStreamDataCallback, &cbd, STREAM_BASE_OFFSET(stream),
616  &unused, false);
617  if (cbd.payload->offset) {
618  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
619  SCJbSetBase64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
620  }
621  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
622  SCJbSetUint(jb, "payload_length", cbd.payload->offset);
623  }
624 
625  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
626  uint8_t printable_buf[cbd.payload->offset + 1];
627  uint32_t offset = 0;
628  PrintStringsToBuffer(printable_buf, &offset, cbd.payload->offset + 1,
629  cbd.payload->buffer, cbd.payload->offset);
630  SCJbSetString(jb, "payload_printable", (char *)printable_buf);
631  }
632  return true;
633  }
634  return false;
635 }
636 
637 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
638 {
639  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
640 
641  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
642  return TM_ECODE_OK;
643 
644  for (int i = 0; i < p->alerts.cnt; i++) {
645  const PacketAlert *pa = &p->alerts.alerts[i];
646  if (unlikely(pa->s == NULL)) {
647  continue;
648  }
649 
650  /* First initialize the address info (5-tuple). */
652  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
653 
654  /* Check for XFF, overwriting address info if needed. */
655  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ? json_output_ctx->xff_cfg
656  : json_output_ctx->parent_xff_cfg;
657  int have_xff_ip = 0;
658  char xff_buffer[XFF_MAXLEN];
659  xff_buffer[0] = 0;
660  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
661  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP1) {
662  if (pa->flags & PACKET_ALERT_FLAG_TX) {
663  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
664  xff_buffer, XFF_MAXLEN);
665  } else {
666  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
667  XFF_MAXLEN);
668  }
669  }
670 
671  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
672  if (p->flowflags & FLOW_PKT_TOCLIENT) {
673  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
674  } else {
675  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
676  }
677  /* Clear have_xff_ip so the xff field does not get
678  * logged below. */
679  have_xff_ip = false;
680  }
681  if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
682  // reset xff_buffer so as not to log it
683  xff_buffer[0] = 0;
684  }
685  }
686 
687  SCJsonBuilder *jb =
688  CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr, json_output_ctx->eve_ctx);
689  if (unlikely(jb == NULL))
690  return TM_ECODE_OK;
691 
692 
693  /* alert */
694  AlertJsonHeader(p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);
695 
696  if (PacketIsTunnel(p)) {
697  AlertJsonTunnel(p, jb);
698  }
699 
700  if (p->flow != NULL) {
701  if (pa->flags & PACKET_ALERT_FLAG_TX) {
702  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
703  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
704  }
705  /* including fileinfo data is configured by the metadata setting */
706  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
707  AlertAddFiles(p, jb, pa->tx_id);
708  }
709  }
710 
711  EveAddAppProto(p->flow, jb);
712 
713  if (p->flowflags & FLOW_PKT_TOSERVER) {
714  SCJbSetString(jb, "direction", "to_server");
715  } else {
716  SCJbSetString(jb, "direction", "to_client");
717  }
718 
719  if (json_output_ctx->flags & LOG_JSON_FLOW) {
720  SCJbOpenObject(jb, "flow");
721  EveAddFlow(p->flow, jb);
722  if (p->flowflags & FLOW_PKT_TOCLIENT) {
723  SCJbSetString(jb, "src_ip", addr.dst_ip);
724  SCJbSetString(jb, "dest_ip", addr.src_ip);
725  if (addr.sp > 0) {
726  SCJbSetUint(jb, "src_port", addr.dp);
727  SCJbSetUint(jb, "dest_port", addr.sp);
728  }
729  } else {
730  SCJbSetString(jb, "src_ip", addr.src_ip);
731  SCJbSetString(jb, "dest_ip", addr.dst_ip);
732  if (addr.sp > 0) {
733  SCJbSetUint(jb, "src_port", addr.sp);
734  SCJbSetUint(jb, "dest_port", addr.dp);
735  }
736  }
737  SCJbClose(jb);
738  }
739  }
740 
741  /* payload */
742  if (json_output_ctx->flags &
744  int stream = (p->proto == IPPROTO_TCP) ?
746  1 : 0) : 0;
747  // should be impossible, as stream implies flow
748  DEBUG_VALIDATE_BUG_ON(stream && p->flow == NULL);
749 
750  /* Is this a stream? If so, pack part of it into the payload field */
751  if (stream && p->flow != NULL) {
752  const bool stream_data_logged =
753  AlertJsonStreamData(json_output_ctx, aft, p->flow, p, jb);
754  if (!stream_data_logged && p->payload_len) {
755  /* Fallback on packet payload */
756  AlertAddPayload(json_output_ctx, jb, p);
757  }
758  } else {
759  /* This is a single packet and not a stream */
760  AlertAddPayload(json_output_ctx, jb, p);
761  }
762 
763  SCJbSetUint(jb, "stream", stream);
764  }
765 
766  if (pa->flags & PACKET_ALERT_FLAG_FRAME) {
767  AlertAddFrame(p, pa->frame_id, jb, aft->payload_buffer);
768  }
769 
770  /* base64-encoded full packet */
771  if (json_output_ctx->flags & LOG_JSON_PACKET) {
772  EvePacket(p, jb, 0);
773  }
774 
776  if (pcap_filename != NULL) {
777  SCJbSetString(jb, "capture_file", pcap_filename);
778  }
779 
780  if (json_output_ctx->flags & LOG_JSON_VERDICT) {
781  EveAddVerdict(jb, p);
782  }
783 
784  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
785  SCJbFree(jb);
786  }
787 
788  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
790  SCJsonBuilder *packetjs =
791  CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
792  if (unlikely(packetjs != NULL)) {
793  EvePacket(p, packetjs, 0);
794  OutputJsonBuilderBuffer(tv, p, p->flow, packetjs, aft->ctx);
795  SCJbFree(packetjs);
796  }
797  }
798 
799  return TM_ECODE_OK;
800 }
801 
802 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
803 {
804  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
805 
806  if (p->alerts.cnt == 0)
807  return TM_ECODE_OK;
808 
809  for (int i = 0; i < p->alerts.cnt; i++) {
810  const PacketAlert *pa = &p->alerts.alerts[i];
811  if (unlikely(pa->s == NULL)) {
812  continue;
813  }
814 
815  SCJsonBuilder *jb =
816  CreateEveHeader(p, LOG_DIR_PACKET, "alert", NULL, json_output_ctx->eve_ctx);
817  if (unlikely(jb == NULL))
818  return TM_ECODE_OK;
819 
820  AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
821 
822  if (PacketIsTunnel(p)) {
823  AlertJsonTunnel(p, jb);
824  }
825 
826  /* base64-encoded full packet */
827  if (json_output_ctx->flags & LOG_JSON_PACKET) {
828  EvePacket(p, jb, 0);
829  }
830 
832  if (pcap_filename != NULL) {
833  SCJbSetString(jb, "capture_file", pcap_filename);
834  }
835 
836  if (json_output_ctx->flags & LOG_JSON_VERDICT) {
837  EveAddVerdict(jb, p);
838  }
839 
840  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
841  SCJbFree(jb);
842  }
843 
844  return TM_ECODE_OK;
845 }
846 
847 static int JsonAlertFlush(ThreadVars *tv, void *thread_data, const Packet *p)
848 {
849  JsonAlertLogThread *aft = thread_data;
850  SCLogDebug("%s flushing %s", tv->name, ((LogFileCtx *)(aft->ctx->file_ctx))->filename);
851  OutputJsonFlush(aft->ctx);
852  return 0;
853 }
854 
855 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
856 {
857  JsonAlertLogThread *aft = thread_data;
858 
859  if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
860  return AlertJson(tv, aft, p);
861  } else if (p->alerts.cnt > 0) {
862  return AlertJsonDecoderEvent(tv, aft, p);
863  }
864  return 0;
865 }
866 
867 static bool JsonAlertLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
868 {
869  return (p->alerts.cnt || (p->flags & PKT_HAS_TAG));
870 }
871 
872 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
873 {
875  if (unlikely(aft == NULL))
876  return TM_ECODE_FAILED;
877 
878  if (initdata == NULL)
879  {
880  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
881  goto error_exit;
882  }
883 
884  /** Use the Output Context (file pointer and mutex) */
885  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
886 
887  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
888  if (aft->payload_buffer == NULL) {
889  goto error_exit;
890  }
891  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
892  if (!aft->ctx) {
893  goto error_exit;
894  }
895 
896  aft->json_output_ctx = json_output_ctx;
897 
898  *data = (void *)aft;
899  return TM_ECODE_OK;
900 
901 error_exit:
902  if (aft->payload_buffer != NULL) {
904  }
905  SCFree(aft);
906  return TM_ECODE_FAILED;
907 }
908 
909 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
910 {
911  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
912  if (aft == NULL) {
913  return TM_ECODE_OK;
914  }
915 
917  FreeEveThreadCtx(aft->ctx);
918 
919  /* clear memory */
920  memset(aft, 0, sizeof(JsonAlertLogThread));
921 
922  SCFree(aft);
923  return TM_ECODE_OK;
924 }
925 
926 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
927 {
928  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
929 
930  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
931 
932  if (json_output_ctx != NULL) {
933  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
934  if (xff_cfg != NULL) {
935  SCFree(xff_cfg);
936  }
937  SCFree(json_output_ctx);
938  }
939  SCFree(output_ctx);
940 }
941 
942 static void SetFlag(const SCConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
943 {
944  DEBUG_VALIDATE_BUG_ON(conf == NULL);
945  const char *setting = SCConfNodeLookupChildValue(conf, name);
946  if (setting != NULL) {
947  if (SCConfValIsTrue(setting)) {
948  *out_flags |= flag;
949  } else {
950  *out_flags &= ~flag;
951  }
952  }
953 }
954 
955 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx, SCConfNode *conf)
956 {
957  static bool warn_no_meta = false;
958  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
959  uint16_t flags = METADATA_DEFAULTS;
960 
961  if (conf != NULL) {
962  /* Check for metadata to enable/disable. */
963  SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
964  if (metadata != NULL) {
965  if (metadata->val != NULL && SCConfValIsFalse(metadata->val)) {
967  } else if (SCConfNodeHasChildren(metadata)) {
968  SCConfNode *rule_metadata = SCConfNodeLookupChild(metadata, "rule");
969  if (rule_metadata) {
970  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
971  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
972  &flags);
973  SetFlag(rule_metadata, "reference", LOG_JSON_REFERENCE, &flags);
974  }
975  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
976  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
977  }
978  }
979 
980  /* Non-metadata toggles. */
981  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
982  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
983  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
984  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
985  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
986  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
987  SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags);
988  SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags);
989  SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
990  SetFlag(conf, "payload-length", LOG_JSON_PAYLOAD_LENGTH, &flags);
991 
992  /* Check for obsolete flags and warn that they have no effect. */
993  static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",
994  "flow", NULL };
995  for (int i = 0; deprecated_flags[i] != NULL; i++) {
996  if (SCConfNodeLookupChildValue(conf, deprecated_flags[i]) != NULL) {
997  SCLogWarning("Found deprecated eve-log.alert flag \"%s\", this flag has no effect",
998  deprecated_flags[i]);
999  }
1000  }
1001 
1002  const char *payload_buffer_value = SCConfNodeLookupChildValue(conf, "payload-buffer-size");
1003 
1004  if (payload_buffer_value != NULL) {
1005  uint32_t value;
1006  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
1007  SCLogError("Error parsing "
1008  "payload-buffer-size - %s. Killing engine",
1009  payload_buffer_value);
1010  exit(EXIT_FAILURE);
1011  } else {
1012  payload_buffer_size = value;
1013  }
1014  }
1015 
1016  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
1017  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
1018  SCLogWarning("HTTP body logging has been configured, however, "
1019  "metadata logging has not been enabled. HTTP body logging will be "
1020  "disabled.");
1022  warn_no_meta = true;
1023  }
1024  }
1025  }
1026 
1027  if (flags & LOG_JSON_RULE_METADATA) {
1029  }
1030 
1031  json_output_ctx->payload_buffer_size = payload_buffer_size;
1032  json_output_ctx->flags |= flags;
1033 }
1034 
1035 static HttpXFFCfg *JsonAlertLogGetXffCfg(SCConfNode *conf)
1036 {
1037  HttpXFFCfg *xff_cfg = NULL;
1038  if (conf != NULL && SCConfNodeLookupChild(conf, "xff") != NULL) {
1039  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1040  if (likely(xff_cfg != NULL)) {
1041  HttpXFFGetCfg(conf, xff_cfg);
1042  }
1043  }
1044  return xff_cfg;
1045 }
1046 
1047 /**
1048  * \brief Create a new LogFileCtx for "fast" output style.
1049  * \param conf The configuration node for this output.
1050  * \return A LogFileCtx pointer on success, NULL on failure.
1051  */
1052 static OutputInitResult JsonAlertLogInitCtxSub(SCConfNode *conf, OutputCtx *parent_ctx)
1053 {
1054  OutputInitResult result = { NULL, false };
1055  OutputJsonCtx *ajt = parent_ctx->data;
1056  AlertJsonOutputCtx *json_output_ctx = NULL;
1057 
1058  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1059  if (unlikely(output_ctx == NULL))
1060  return result;
1061 
1062  json_output_ctx = SCCalloc(1, sizeof(AlertJsonOutputCtx));
1063  if (unlikely(json_output_ctx == NULL)) {
1064  goto error;
1065  }
1066 
1067  json_output_ctx->file_ctx = ajt->file_ctx;
1068  json_output_ctx->eve_ctx = ajt;
1069 
1070  JsonAlertLogSetupMetadata(json_output_ctx, conf);
1071  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
1072  if (json_output_ctx->xff_cfg == NULL) {
1073  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
1074  }
1075 
1076  output_ctx->data = json_output_ctx;
1077  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1078 
1079  result.ctx = output_ctx;
1080  result.ok = true;
1081  return result;
1082 
1083 error:
1084  if (json_output_ctx != NULL) {
1085  SCFree(json_output_ctx);
1086  }
1087  if (output_ctx != NULL) {
1088  SCFree(output_ctx);
1089  }
1090 
1091  return result;
1092 }
1093 
1095 {
1096  OutputPacketLoggerFunctions output_logger_functions = {
1097  .LogFunc = JsonAlertLogger,
1098  .FlushFunc = JsonAlertFlush,
1099  .ConditionFunc = JsonAlertLogCondition,
1100  .ThreadInitFunc = JsonAlertLogThreadInit,
1101  .ThreadDeinitFunc = JsonAlertLogThreadDeinit,
1102  .ThreadExitPrintStatsFunc = NULL,
1103  };
1104 
1105  OutputRegisterPacketSubModule(LOGGER_JSON_ALERT, "eve-log", MODULE_NAME, "eve-log.alert",
1106  JsonAlertLogInitCtxSub, &output_logger_functions);
1107 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
Packet_::proto
uint8_t proto
Definition: decode.h:506
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:986
TcpStream_
Definition: stream-tcp-private.h:106
FileContainer_
Definition: util-file.h:113
ts
uint64_t ts
Definition: source-erf-file.c:55
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:551
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:257
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:247
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
Signature_::sig_str
char * sig_str
Definition: detect.h:746
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
AppLayerParserGetStateNameById
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
Definition: app-layer-parser.c:1626
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:259
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
EveAddFlow
void EveAddFlow(Flow *f, SCJsonBuilder *js)
Definition: output-json-flow.c:190
stream-tcp.h
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:391
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:82
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:609
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:100
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:104
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:378
EveAddAppProto
void EveAddAppProto(Flow *f, SCJsonBuilder *js)
Definition: output-json-flow.c:170
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:85
AlertJsonStreamDataCallbackData::last_re
uint64_t last_re
Definition: output-json-alert.c:580
Packet_::payload
uint8_t * payload
Definition: decode.h:588
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:273
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:284
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1096
action-globals.h
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
Packet_::flags
uint32_t flags
Definition: decode.h:527
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:834
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:489
OutputJsonCtx_
Definition: output-json.h:75
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:356
LogFileCtx_
Definition: util-logopenfile.h:72
output-json-frame.h
AlertJsonHeader
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
Definition: output-json-alert.c:202
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:276
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
AlertJsonStreamDataCallbackData::payload
MemBuffer * payload
Definition: output-json-alert.c:579
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
rust.h
Frames
Definition: app-layer-frames.h:60
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:38
FramesContainer
Definition: app-layer-frames.h:73
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:576
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:992
proto
uint8_t proto
Definition: decode-template.h:0
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
AlertJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-alert.c:105
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:515
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
Flow_::protoctx
void * protoctx
Definition: flow.h:441
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:589
SCConfNodeHasChildren
bool SCConfNodeHasChildren(const SCConfNode *node)
Check if a node has any children.
Definition: conf.c:777
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:603
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-http.c:499
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PcapLogGetFilename
char * PcapLogGetFilename(void)
Definition: log-pcap.c:1822
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:878
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:248
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-smb.c:34
OutputCtx_
Definition: tm-modules.h:84
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:245
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:93
OutputJsonThreadCtx_
Definition: output-json.h:83
Signature_::gid
uint32_t gid
Definition: detect.h:715
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:470
EveIKEAddMetadata
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-ike.c:65
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
JsonAlertLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-alert.c:111
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-smtp.c:96
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:26
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:71
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:77
LOG_JSON_WEBSOCKET_PAYLOAD
#define LOG_JSON_WEBSOCKET_PAYLOAD
Definition: output-json-alert.c:84
output-json.h
FrameGetById
Frame * FrameGetById(Frames *frames, const int64_t id)
Definition: app-layer-frames.c:124
DetectReference_::key_len
uint16_t key_len
Definition: detect-reference.h:40
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:73
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
PktSrcEnum
PktSrcEnum
Definition: decode.h:51
util-reference-config.h
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:101
EveAddVerdict
void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
Build verdict object.
Definition: output-json-alert.c:533
util-print.h
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-nfs.c:62
Signature_::references
DetectReference * references
Definition: detect.h:742
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-nfs.c:50
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:826
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
PACKET_ALERT_FLAG_TX_GUESSED
#define PACKET_ALERT_FLAG_TX_GUESSED
Definition: decode.h:265
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:108
DetectReference_
Signature reference list.
Definition: detect-reference.h:30
SCEveJsonSimpleGetLogger
EveJsonSimpleAppLayerLogger * SCEveJsonSimpleGetLogger(AppProto alproto)
Definition: output.c:865
Signature_::flags
uint32_t flags
Definition: detect.h:670
stream.h
DetectReference_::reference_len
uint16_t reference_len
Definition: detect-reference.h:41
JsonAddrInfo_
Definition: output-json.h:41
Packet_
Definition: decode.h:484
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:182
DetectReference_::reference
char * reference
Definition: detect-reference.h:34
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:97
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:75
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:286
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
LOG_JSON_PAYLOAD_LENGTH
#define LOG_JSON_PAYLOAD_LENGTH
Definition: output-json-alert.c:86
TmEcode
TmEcode
Definition: tm-threads-common.h:80
name
const char * name
Definition: tm-threads.c:2135
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:282
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:85
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:102
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:425
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:234
EveJsonSimpleAppLayerLogger
Definition: output-eve-bindgen.h:40
DetectReference_::next
struct DetectReference_ * next
Definition: detect-reference.h:43
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:76
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1118
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:103
log-pcap.h
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:249
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
Signature_::class_msg
char * class_msg
Definition: detect.h:740
PacketAlert_::flags
uint8_t flags
Definition: decode.h:246
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:80
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:261
File_
Definition: util-file.h:79
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:529
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:648
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-email-common.c:195
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
Definition: output-json-alert.c:85
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
pcap_filename
char pcap_filename[PATH_MAX]
Definition: source-pcap-file-helper.c:116
EveJsonSimpleAppLayerLogger::LogTx
EveJsonSimpleTxLogFunc LogTx
Definition: output-eve-bindgen.h:41
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
AlertJsonOutputCtx_
Definition: output-json-alert.c:99
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:110
output-json-nfs.h
packet.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:86
LOG_JSON_VERDICT
#define LOG_JSON_VERDICT
Definition: output-json-alert.c:83
File_::next
struct File_ * next
Definition: util-file.h:92
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
OutputPacketLoggerFunctions_::LogFunc
PacketLogger LogFunc
Definition: output.h:88
Signature_::rev
uint32_t rev
Definition: detect.h:716
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
Definition: output.c:211
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:717
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:173
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
Packet_::root
struct Packet_ * root
Definition: decode.h:636
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:744
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:263
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:422
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:109
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:594
DetectReference_::key
char * key
Definition: detect-reference.h:32
util-logopenfile.h
Flow_::alstate
void * alstate
Definition: flow.h:479
Signature_::id
uint32_t id
Definition: detect.h:714
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:509
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:80
output-json-ike.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, SCJsonBuilder *jb, MemBuffer *buffer)
log a single frame
Definition: output-json-frame.c:253
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:74
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:79
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:89
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:234
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:78
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
PacketAlert_
Definition: decode.h:243
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:130
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1207
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:116
output-json-smtp.h
TcpSession_
Definition: stream-tcp-private.h:283
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1235
Signature_::msg
char * msg
Definition: detect.h:737
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:5106
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
StreamReassembleLog
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
Definition: stream-tcp-reassemble.c:1974
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:32
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:81
OutputPacketLoggerFunctions_
Definition: output.h:87
SCConfNode_::val
char * val
Definition: conf.h:34
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:255
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
LOG_JSON_REFERENCE
#define LOG_JSON_REFERENCE
Definition: output-json-alert.c:87
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1094
AlertJsonStreamDataCallbackData
Definition: output-json-alert.c:578