suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "detect-metadata.h"
47 #include "app-layer-parser.h"
48 #include "app-layer-dnp3.h"
49 #include "app-layer-dns-common.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "util-syslog.h"
55 #include "util-logopenfile.h"
56 
57 #include "output.h"
58 #include "output-json.h"
59 #include "output-json-alert.h"
60 #include "output-json-dnp3.h"
61 #include "output-json-dns.h"
62 #include "output-json-http.h"
63 #include "output-json-tls.h"
64 #include "output-json-ssh.h"
65 #include "output-json-smtp.h"
67 #include "output-json-nfs.h"
68 #include "output-json-smb.h"
69 #include "output-json-flow.h"
70 
71 #include "util-byte.h"
72 #include "util-privs.h"
73 #include "util-print.h"
74 #include "util-proto-name.h"
75 #include "util-optimize.h"
76 #include "util-buffer.h"
77 #include "util-crypt.h"
78 #include "util-validate.h"
79 
80 #define MODULE_NAME "JsonAlertLog"
81 
82 #ifdef HAVE_LIBJANSSON
83 
84 #define LOG_JSON_PAYLOAD BIT_U16(0)
85 #define LOG_JSON_PACKET BIT_U16(1)
86 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
87 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
88 #define LOG_JSON_APP_LAYER BIT_U16(4)
89 #define LOG_JSON_FLOW BIT_U16(5)
90 #define LOG_JSON_HTTP_BODY BIT_U16(6)
91 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
92 #define LOG_JSON_RULE_METADATA BIT_U16(8)
93 #define LOG_JSON_RULE BIT_U16(9)
94 
95 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
96  LOG_JSON_APP_LAYER | \
97  LOG_JSON_RULE_METADATA)
98 
99 #define JSON_STREAM_BUFFER_SIZE 4096
100 
101 typedef struct AlertJsonOutputCtx_ {
102  LogFileCtx* file_ctx;
103  uint16_t flags;
104  uint32_t payload_buffer_size;
105  HttpXFFCfg *xff_cfg;
106  HttpXFFCfg *parent_xff_cfg;
107  OutputJsonCommonSettings cfg;
108 } AlertJsonOutputCtx;
109 
110 typedef struct JsonAlertLogThread_ {
111  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
112  LogFileCtx* file_ctx;
113  MemBuffer *json_buffer;
114  MemBuffer *payload_buffer;
115  AlertJsonOutputCtx* json_output_ctx;
116 } JsonAlertLogThread;
117 
118 /* Callback function to pack payload contents from a stream into a buffer
119  * so we can report them in JSON output. */
120 static int AlertJsonDumpStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
121 {
122  MemBuffer *payload = (MemBuffer *)data;
123  MemBufferWriteRaw(payload, buf, buflen);
124 
125  return 1;
126 }
127 
128 static void AlertJsonTls(const Flow *f, json_t *js)
129 {
130  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
131  if (ssl_state) {
132  json_t *tjs = json_object();
133  if (unlikely(tjs == NULL))
134  return;
135 
136  JsonTlsLogJSONBasic(tjs, ssl_state);
137  JsonTlsLogJSONExtended(tjs, ssl_state);
138 
139  json_object_set_new(js, "tls", tjs);
140  }
141 
142  return;
143 }
144 
145 static void AlertJsonSsh(const Flow *f, json_t *js)
146 {
147  SshState *ssh_state = (SshState *)FlowGetAppState(f);
148  if (ssh_state) {
149  json_t *tjs = json_object();
150  if (unlikely(tjs == NULL))
151  return;
152 
153  JsonSshLogJSON(tjs, ssh_state);
154 
155  json_object_set_new(js, "ssh", tjs);
156  }
157 
158  return;
159 }
160 
161 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, json_t *js)
162 {
163  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
164  if (dnp3_state) {
166  dnp3_state, tx_id);
167  if (tx) {
168  json_t *dnp3js = json_object();
169  if (likely(dnp3js != NULL)) {
170  if (tx->has_request && tx->request_done) {
171  json_t *request = JsonDNP3LogRequest(tx);
172  if (request != NULL) {
173  json_object_set_new(dnp3js, "request", request);
174  }
175  }
176  if (tx->has_response && tx->response_done) {
177  json_t *response = JsonDNP3LogResponse(tx);
178  if (response != NULL) {
179  json_object_set_new(dnp3js, "response", response);
180  }
181  }
182  json_object_set_new(js, "dnp3", dnp3js);
183  }
184  }
185  }
186 
187  return;
188 }
189 
190 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, json_t *js)
191 {
192  RSDNSState *dns_state = (RSDNSState *)FlowGetAppState(f);
193  if (dns_state) {
194  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
195  dns_state, tx_id);
196  if (txptr) {
197  json_t *dnsjs = json_object();
198  if (unlikely(dnsjs == NULL)) {
199  return;
200  }
201  json_t *qjs = JsonDNSLogQuery(txptr, tx_id);
202  if (qjs != NULL) {
203  json_object_set_new(dnsjs, "query", qjs);
204  }
205  json_t *ajs = JsonDNSLogAnswer(txptr, tx_id);
206  if (ajs != NULL) {
207  json_object_set_new(dnsjs, "answer", ajs);
208  }
209  json_object_set_new(js, "dns", dnsjs);
210  }
211  }
212  return;
213 }
214 
215 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
216  json_t *js, json_t* ajs)
217 {
218  json_t *sjs = json_object();
219  if (sjs == NULL) {
220  return;
221  }
222 
223  json_t *tjs = json_object();
224  if (tjs == NULL) {
225  json_decref(sjs);
226  return;
227  }
228 
229  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
230  json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
231  json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
232  switch (p->proto) {
233  case IPPROTO_ICMP:
234  case IPPROTO_ICMPV6:
235  break;
236  case IPPROTO_UDP:
237  case IPPROTO_TCP:
238  case IPPROTO_SCTP:
239  json_object_set(sjs, "port", json_object_get(js, "src_port"));
240  json_object_set(tjs, "port", json_object_get(js, "dest_port"));
241  break;
242  }
243  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
244  json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
245  json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
246  switch (p->proto) {
247  case IPPROTO_ICMP:
248  case IPPROTO_ICMPV6:
249  break;
250  case IPPROTO_UDP:
251  case IPPROTO_TCP:
252  case IPPROTO_SCTP:
253  json_object_set(sjs, "port", json_object_get(js, "dest_port"));
254  json_object_set(tjs, "port", json_object_get(js, "src_port"));
255  break;
256  }
257  }
258  json_object_set_new(ajs, "source", sjs);
259  json_object_set_new(ajs, "target", tjs);
260 }
261 
262 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx, const PacketAlert *pa, json_t *ajs)
263 {
264  if (pa->s->metadata) {
265  const DetectMetadata* kv = pa->s->metadata;
266  json_t *mjs = json_object();
267  if (unlikely(mjs == NULL)) {
268  return;
269  }
270  while (kv) {
271  json_t *jkey = json_object_get(mjs, kv->key);
272  if (jkey == NULL) {
273  jkey = json_array();
274  if (unlikely(jkey == NULL))
275  break;
276  json_array_append_new(jkey, json_string(kv->value));
277  json_object_set_new(mjs, kv->key, jkey);
278  } else {
279  json_array_append_new(jkey, json_string(kv->value));
280  }
281 
282  kv = kv->next;
283  }
284 
285  if (json_object_size(mjs) == 0) {
286  json_decref(mjs);
287  } else {
288  json_object_set_new(ajs, "metadata", mjs);
289  }
290  }
291 }
292 
293 
294 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js,
295  uint16_t flags)
296 {
297  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
298  const char *action = "allowed";
299  /* use packet action if rate_filter modified the action */
303  action = "blocked";
304  }
305  } else {
307  action = "blocked";
308  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
309  action = "blocked";
310  }
311  }
312 
313  /* Add tx_id to root element for correlation with other events. */
314  json_object_del(js, "tx_id");
315  if (pa->flags & PACKET_ALERT_FLAG_TX)
316  json_object_set_new(js, "tx_id", json_integer(pa->tx_id));
317 
318  json_t *ajs = json_object();
319  if (ajs == NULL) {
320  return;
321  }
322 
323  json_object_set_new(ajs, "action", json_string(action));
324  json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
325  json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
326  json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
327  json_object_set_new(ajs, "signature",
328  SCJsonString((pa->s->msg) ? pa->s->msg : ""));
329  json_object_set_new(ajs, "category",
330  SCJsonString((pa->s->class_msg) ? pa->s->class_msg : ""));
331  json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
332 
333  if (p->tenant_id > 0)
334  json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
335 
336  if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
337  AlertJsonSourceTarget(p, pa, js, ajs);
338  }
339 
340  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
341  AlertJsonMetadata(json_output_ctx, pa, ajs);
342  }
343 
344  /* alert */
345  json_object_set_new(js, "alert", ajs);
346 }
347 
348 static void AlertJsonTunnel(const Packet *p, json_t *js)
349 {
350  json_t *tunnel = json_object();
351  if (tunnel == NULL)
352  return;
353 
354  if (p->root == NULL) {
355  json_decref(tunnel);
356  return;
357  }
358 
359  /* get a lock to access root packet fields */
360  SCMutex *m = &p->root->tunnel_mutex;
361 
362  SCMutexLock(m);
363  JsonFiveTuple((const Packet *)p->root, 0, tunnel);
364  SCMutexUnlock(m);
365 
366  json_object_set_new(tunnel, "depth", json_integer(p->recursion_level));
367 
368  json_object_set_new(js, "tunnel", tunnel);
369 }
370 
371 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, json_t *js, const Packet *p)
372 {
373  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
374  unsigned long len = p->payload_len * 2 + 1;
375  uint8_t encoded[len];
376  if (Base64Encode(p->payload, p->payload_len, encoded, &len) == SC_BASE64_OK) {
377  json_object_set_new(js, "payload", json_string((char *)encoded));
378  }
379  }
380 
381  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
382  uint8_t printable_buf[p->payload_len + 1];
383  uint32_t offset = 0;
384  PrintStringsToBuffer(printable_buf, &offset,
385  p->payload_len + 1,
386  p->payload, p->payload_len);
387  printable_buf[p->payload_len] = '\0';
388  json_object_set_new(js, "payload_printable", json_string((char *)printable_buf));
389  }
390 }
391 
392 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
393 {
394  MemBuffer *payload = aft->payload_buffer;
395  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
396  json_t *hjs = NULL;
397 
398  int i;
399 
400  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
401  return TM_ECODE_OK;
402 
403  json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "alert");
404  if (unlikely(js == NULL))
405  return TM_ECODE_OK;
406 
407  JsonAddCommonOptions(&json_output_ctx->cfg, p, p->flow, js);
408 
409  for (i = 0; i < p->alerts.cnt; i++) {
410  const PacketAlert *pa = &p->alerts.alerts[i];
411  if (unlikely(pa->s == NULL)) {
412  continue;
413  }
414 
415  MemBufferReset(aft->json_buffer);
416 
417  /* alert */
418  AlertJsonHeader(json_output_ctx, p, pa, js, json_output_ctx->flags);
419 
420  if (IS_TUNNEL_PKT(p)) {
421  AlertJsonTunnel(p, js);
422  }
423 
424  if (json_output_ctx->flags & LOG_JSON_APP_LAYER && p->flow != NULL) {
425  uint16_t proto = FlowGetAppProtocol(p->flow);
426 
427  /* http alert */
428  if (proto == ALPROTO_HTTP) {
429  hjs = JsonHttpAddMetadata(p->flow, pa->tx_id);
430  if (hjs) {
431  if (json_output_ctx->flags & LOG_JSON_HTTP_BODY) {
432  JsonHttpLogJSONBodyPrintable(hjs, p->flow, pa->tx_id);
433  }
434  if (json_output_ctx->flags & LOG_JSON_HTTP_BODY_BASE64) {
435  JsonHttpLogJSONBodyBase64(hjs, p->flow, pa->tx_id);
436  }
437  json_object_set_new(js, "http", hjs);
438  }
439  }
440 
441  /* tls alert */
442  if (proto == ALPROTO_TLS) {
443  AlertJsonTls(p->flow, js);
444  }
445 
446  /* ssh alert */
447  if (proto == ALPROTO_SSH) {
448  AlertJsonSsh(p->flow, js);
449  }
450 
451  /* smtp alert */
452  if (proto == ALPROTO_SMTP) {
453  hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id);
454  if (hjs) {
455  json_object_set_new(js, "smtp", hjs);
456  }
457 
458  hjs = JsonEmailAddMetadata(p->flow, pa->tx_id);
459  if (hjs) {
460  json_object_set_new(js, "email", hjs);
461  }
462  }
463 
464 #ifdef HAVE_RUST
465  if (proto == ALPROTO_NFS) {
466  hjs = JsonNFSAddMetadataRPC(p->flow, pa->tx_id);
467  if (hjs)
468  json_object_set_new(js, "rpc", hjs);
469  hjs = JsonNFSAddMetadata(p->flow, pa->tx_id);
470  if (hjs)
471  json_object_set_new(js, "nfs", hjs);
472  } else if (proto == ALPROTO_SMB) {
473  hjs = JsonSMBAddMetadata(p->flow, pa->tx_id);
474  if (hjs)
475  json_object_set_new(js, "smb", hjs);
476  }
477 #endif
478  if (proto == ALPROTO_FTPDATA) {
479  hjs = JsonFTPDataAddMetadata(p->flow);
480  if (hjs)
481  json_object_set_new(js, "ftp-data", hjs);
482  }
483 
484  /* dnp3 alert */
485  if (proto == ALPROTO_DNP3) {
486  AlertJsonDnp3(p->flow, pa->tx_id, js);
487  }
488 
489  if (proto == ALPROTO_DNS) {
490  AlertJsonDns(p->flow, pa->tx_id, js);
491  }
492  }
493 
494  if (p->flow) {
495  if (json_output_ctx->flags & LOG_JSON_FLOW) {
496  hjs = json_object();
497  if (hjs != NULL) {
498  JsonAddFlow(p->flow, js, hjs);
499  json_object_set_new(js, "flow", hjs);
500  }
501  } else {
502  json_object_set_new(js, "app_proto",
503  json_string(AppProtoToString(p->flow->alproto)));
504  }
505  }
506 
507  /* payload */
508  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
509  int stream = (p->proto == IPPROTO_TCP) ?
511  1 : 0) : 0;
512 
513  /* Is this a stream? If so, pack part of it into the payload field */
514  if (stream) {
515  uint8_t flag;
516 
517  MemBufferReset(payload);
518 
519  if (p->flowflags & FLOW_PKT_TOSERVER) {
520  flag = FLOW_PKT_TOCLIENT;
521  } else {
522  flag = FLOW_PKT_TOSERVER;
523  }
524 
525  StreamSegmentForEach((const Packet *)p, flag,
526  AlertJsonDumpStreamSegmentCallback,
527  (void *)payload);
528  if (payload->offset) {
529  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
530  unsigned long len = json_output_ctx->payload_buffer_size * 2;
531  uint8_t encoded[len];
532  Base64Encode(payload->buffer, payload->offset, encoded, &len);
533  json_object_set_new(js, "payload", json_string((char *)encoded));
534  }
535 
536  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
537  uint8_t printable_buf[payload->offset + 1];
538  uint32_t offset = 0;
539  PrintStringsToBuffer(printable_buf, &offset,
540  sizeof(printable_buf),
541  payload->buffer, payload->offset);
542  json_object_set_new(js, "payload_printable",
543  json_string((char *)printable_buf));
544  }
545  } else if (p->payload_len) {
546  /* Fallback on packet payload */
547  AlertAddPayload(json_output_ctx, js, p);
548  }
549  } else {
550  /* This is a single packet and not a stream */
551  AlertAddPayload(json_output_ctx, js, p);
552  }
553 
554  json_object_set_new(js, "stream", json_integer(stream));
555  }
556 
557  /* base64-encoded full packet */
558  if (json_output_ctx->flags & LOG_JSON_PACKET) {
559  JsonPacket(p, js, 0);
560  }
561 
562  /* signature text */
563  if (json_output_ctx->flags & LOG_JSON_RULE) {
564  hjs = json_object_get(js, "alert");
565  if (json_is_object(hjs))
566  json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
567  }
568 
569  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
570  json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
571 
572  /* xff header */
573  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
574  int have_xff_ip = 0;
575  char buffer[XFF_MAXLEN];
576 
577  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
578  if (pa->flags & PACKET_ALERT_FLAG_TX) {
579  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
580  } else {
581  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, buffer, XFF_MAXLEN);
582  }
583  }
584 
585  if (have_xff_ip) {
586  if (xff_cfg->flags & XFF_EXTRADATA) {
587  json_object_set_new(js, "xff", json_string(buffer));
588  }
589  else if (xff_cfg->flags & XFF_OVERWRITE) {
590  if (p->flowflags & FLOW_PKT_TOCLIENT) {
591  json_object_set(js, "dest_ip", json_string(buffer));
592  } else {
593  json_object_set(js, "src_ip", json_string(buffer));
594  }
595  }
596  }
597  }
598 
599  OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
600  json_object_del(js, "alert");
601  }
602  json_object_clear(js);
603  json_decref(js);
604 
605  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
606  LOG_JSON_TAGGED_PACKETS)) {
607  MemBufferReset(aft->json_buffer);
608  json_t *packetjs = CreateJSONHeader(p, LOG_DIR_PACKET, "packet");
609  if (unlikely(packetjs != NULL)) {
610  JsonPacket(p, packetjs, 0);
611  OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
612  json_decref(packetjs);
613  }
614  }
615 
616  return TM_ECODE_OK;
617 }
618 
619 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
620 {
621  int i;
622  char timebuf[64];
623  json_t *js;
624 
625  if (p->alerts.cnt == 0)
626  return TM_ECODE_OK;
627 
628  CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
629 
630  for (i = 0; i < p->alerts.cnt; i++) {
631  MemBufferReset(aft->json_buffer);
632 
633  const PacketAlert *pa = &p->alerts.alerts[i];
634  if (unlikely(pa->s == NULL)) {
635  continue;
636  }
637 
638  const char *action = "allowed";
640  action = "blocked";
641  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
642  action = "blocked";
643  }
644 
645  js = json_object();
646  if (js == NULL)
647  return TM_ECODE_OK;
648 
649  json_t *ajs = json_object();
650  if (ajs == NULL) {
651  json_decref(js);
652  return TM_ECODE_OK;
653  }
654 
655  /* time & tx */
656  json_object_set_new(js, "timestamp", json_string(timebuf));
657 
658  /* tuple */
659  //json_object_set_new(js, "srcip", json_string(srcip));
660  //json_object_set_new(js, "sp", json_integer(p->sp));
661  //json_object_set_new(js, "dstip", json_string(dstip));
662  //json_object_set_new(js, "dp", json_integer(p->dp));
663  //json_object_set_new(js, "proto", json_integer(proto));
664 
665  json_object_set_new(ajs, "action", json_string(action));
666  json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
667  json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
668  json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
669  json_object_set_new(ajs, "signature",
670  json_string((pa->s->msg) ? pa->s->msg : ""));
671  json_object_set_new(ajs, "category",
672  json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
673  json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
674 
675  if (p->tenant_id > 0)
676  json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
677 
678  /* alert */
679  json_object_set_new(js, "alert", ajs);
680  OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
681  json_object_clear(js);
682  json_decref(js);
683  }
684 
685  return TM_ECODE_OK;
686 }
687 
688 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
689 {
690  JsonAlertLogThread *aft = thread_data;
691 
692  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
693  return AlertJson(tv, aft, p);
694  } else if (p->alerts.cnt > 0) {
695  return AlertJsonDecoderEvent(tv, aft, p);
696  }
697  return 0;
698 }
699 
700 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
701 {
702  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
703  return TRUE;
704  }
705  return FALSE;
706 }
707 
708 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
709 {
710  JsonAlertLogThread *aft = SCMalloc(sizeof(JsonAlertLogThread));
711  if (unlikely(aft == NULL))
712  return TM_ECODE_FAILED;
713  memset(aft, 0, sizeof(JsonAlertLogThread));
714  if(initdata == NULL)
715  {
716  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
717  SCFree(aft);
718  return TM_ECODE_FAILED;
719  }
720 
721  aft->json_buffer = MemBufferCreateNew(JSON_OUTPUT_BUFFER_SIZE);
722  if (aft->json_buffer == NULL) {
723  SCFree(aft);
724  return TM_ECODE_FAILED;
725  }
726 
727  /** Use the Output Context (file pointer and mutex) */
728  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
729  aft->file_ctx = json_output_ctx->file_ctx;
730  aft->json_output_ctx = json_output_ctx;
731 
732  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
733  if (aft->payload_buffer == NULL) {
734  MemBufferFree(aft->json_buffer);
735  SCFree(aft);
736  return TM_ECODE_FAILED;
737  }
738 
739  *data = (void *)aft;
740  return TM_ECODE_OK;
741 }
742 
743 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
744 {
745  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
746  if (aft == NULL) {
747  return TM_ECODE_OK;
748  }
749 
750  MemBufferFree(aft->json_buffer);
751  MemBufferFree(aft->payload_buffer);
752 
753  /* clear memory */
754  memset(aft, 0, sizeof(JsonAlertLogThread));
755 
756  SCFree(aft);
757  return TM_ECODE_OK;
758 }
759 
760 static void JsonAlertLogDeInitCtx(OutputCtx *output_ctx)
761 {
762  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
763  if (json_output_ctx != NULL) {
764  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
765  if (xff_cfg != NULL) {
766  SCFree(xff_cfg);
767  }
768  LogFileFreeCtx(json_output_ctx->file_ctx);
769  SCFree(json_output_ctx);
770  }
771  SCFree(output_ctx);
772 }
773 
774 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
775 {
776  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
777 
778  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
779 
780  if (json_output_ctx != NULL) {
781  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
782  if (xff_cfg != NULL) {
783  SCFree(xff_cfg);
784  }
785  SCFree(json_output_ctx);
786  }
787  SCFree(output_ctx);
788 }
789 
790 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
791 {
792  DEBUG_VALIDATE_BUG_ON(conf == NULL);
793  const char *setting = ConfNodeLookupChildValue(conf, name);
794  if (setting != NULL) {
795  if (ConfValIsTrue(setting)) {
796  *out_flags |= flag;
797  } else {
798  *out_flags &= ~flag;
799  }
800  }
801 }
802 
803 #define DEFAULT_LOG_FILENAME "alert.json"
804 
805 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
806  ConfNode *conf)
807 {
808  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
809  uint16_t flags = METADATA_DEFAULTS;
810 
811  if (conf != NULL) {
812  /* Check for metadata to enable/disable. */
813  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
814  if (metadata != NULL) {
815  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
816  flags &= ~METADATA_DEFAULTS;
817  } else if (ConfNodeHasChildren(metadata)) {
818  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
819  if (rule_metadata) {
820  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
821  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
822  &flags);
823  }
824  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
825  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
826  }
827  }
828 
829  /* Non-metadata toggles. */
830  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
831  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
832  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
833  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
834  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
835  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
836 
837  /* Check for obsolete configuration flags to enable specific
838  * protocols. These are now just aliases for enabling
839  * app-layer logging. */
840  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
841  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
842  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
843  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
844  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
845 
846  /* And check for obsolete configuration flags for enabling
847  * app-layer and flow as these have been moved under the
848  * metadata key. */
849  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
850  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
851 
852  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
853 
854  if (payload_buffer_value != NULL) {
855  uint32_t value;
856  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
857  SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
858  "payload-buffer-size - %s. Killing engine",
859  payload_buffer_value);
860  exit(EXIT_FAILURE);
861  } else {
862  payload_buffer_size = value;
863  }
864  }
865 
866  json_output_ctx->payload_buffer_size = payload_buffer_size;
867  }
868 
869  if (flags & LOG_JSON_RULE_METADATA) {
871  }
872 
873  json_output_ctx->flags |= flags;
874 }
875 
876 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
877 {
878  HttpXFFCfg *xff_cfg = NULL;
879  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
880  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
881  if (likely(xff_cfg != NULL)) {
882  HttpXFFGetCfg(conf, xff_cfg);
883  }
884  }
885  return xff_cfg;
886 }
887 
888 /**
889  * \brief Create a new LogFileCtx for "fast" output style.
890  * \param conf The configuration node for this output.
891  * \return A LogFileCtx pointer on success, NULL on failure.
892  */
893 static OutputInitResult JsonAlertLogInitCtx(ConfNode *conf)
894 {
895  OutputInitResult result = { NULL, false };
896  AlertJsonOutputCtx *json_output_ctx = NULL;
897  LogFileCtx *logfile_ctx = LogFileNewCtx();
898  if (logfile_ctx == NULL) {
899  SCLogDebug("AlertFastLogInitCtx2: Could not create new LogFileCtx");
900  return result;
901  }
902 
903  if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
904  LogFileFreeCtx(logfile_ctx);
905  return result;
906  }
907 
908  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
909  if (unlikely(output_ctx == NULL)) {
910  LogFileFreeCtx(logfile_ctx);
911  return result;
912  }
913 
914  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
915  if (unlikely(json_output_ctx == NULL)) {
916  LogFileFreeCtx(logfile_ctx);
917  SCFree(output_ctx);
918  return result;
919  }
920  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
921 
922  json_output_ctx->file_ctx = logfile_ctx;
923 
924  JsonAlertLogSetupMetadata(json_output_ctx, conf);
925  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
926 
927  output_ctx->data = json_output_ctx;
928  output_ctx->DeInit = JsonAlertLogDeInitCtx;
929 
930  result.ctx = output_ctx;
931  result.ok = true;
932  return result;
933 }
934 
935 /**
936  * \brief Create a new LogFileCtx for "fast" output style.
937  * \param conf The configuration node for this output.
938  * \return A LogFileCtx pointer on success, NULL on failure.
939  */
940 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
941 {
942  OutputInitResult result = { NULL, false };
943  OutputJsonCtx *ajt = parent_ctx->data;
944  AlertJsonOutputCtx *json_output_ctx = NULL;
945 
946  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
947  if (unlikely(output_ctx == NULL))
948  return result;
949 
950  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
951  if (unlikely(json_output_ctx == NULL)) {
952  goto error;
953  }
954  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
955 
956  json_output_ctx->file_ctx = ajt->file_ctx;
957  json_output_ctx->cfg = ajt->cfg;
958 
959  JsonAlertLogSetupMetadata(json_output_ctx, conf);
960  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
961  if (json_output_ctx->xff_cfg == NULL) {
962  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
963  }
964 
965  output_ctx->data = json_output_ctx;
966  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
967 
968  result.ctx = output_ctx;
969  result.ok = true;
970  return result;
971 
972 error:
973  if (json_output_ctx != NULL) {
974  SCFree(json_output_ctx);
975  }
976  if (output_ctx != NULL) {
977  SCFree(output_ctx);
978  }
979 
980  return result;
981 }
982 
983 void JsonAlertLogRegister (void)
984 {
986  JsonAlertLogInitCtx, JsonAlertLogger, JsonAlertLogCondition,
987  JsonAlertLogThreadInit, JsonAlertLogThreadDeinit, NULL);
989  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
990  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
991  NULL);
992 }
993 
994 #else
995 
997 {
998 }
999 
1000 #endif
1001 
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:284
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
#define SCMutex
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
DetectMetadata * metadata
Definition: detect.h:582
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
struct Flow_ * flow
Definition: decode.h:445
json_t * JsonSMBAddMetadata(const Flow *f, uint64_t tx_id)
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:286
#define ACTION_REJECT_DST
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:857
uint32_t flags
Definition: detect.h:518
uint8_t proto
Definition: flow.h:344
char * msg
Definition: detect.h:575
uint32_t id
Definition: detect.h:550
#define FALSE
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
#define unlikely(expr)
Definition: util-optimize.h:35
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
int prio
Definition: detect.h:553
Per flow DNP3 state.
#define ACTION_REJECT
uint8_t action
Definition: decode.h:271
uint64_t offset
#define IS_TUNNEL_PKT(p)
Definition: decode.h:881
#define PKT_IS_IPV6(p)
Definition: decode.h:252
const char * value
const char * key
DNP3 transaction.
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1063
char * val
Definition: conf.h:34
#define MODULE_NAME
int EngineModeIsIPS(void)
Definition: suricata.c:245
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:247
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
#define TRUE
#define SCMutexLock(mut)
#define PKT_IS_IPV4(p)
Definition: decode.h:251
Signature metadata list.
#define XFF_MAXLEN
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:245
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:294
const struct Signature_ * s
Definition: decode.h:273
SSLv[2.0|3.[0|1|2|3]] state structure.
#define SCCalloc(nm, a)
Definition: util-mem.h:253
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:161
#define SCMutexUnlock(mut)
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:187
uint8_t proto
Definition: decode.h:430
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:202
#define ACTION_REJECT_BOTH
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
uint8_t recursion_level
Definition: decode.h:433
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow...
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
uint8_t flowflags
Definition: decode.h:439
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
uint8_t * buffer
Definition: util-buffer.h:28
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:224
uint32_t gid
Definition: detect.h:551
uint8_t proto
void JsonAlertLogRegister(void)
uint64_t tx_id
Definition: decode.h:274
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
char * class_msg
Definition: detect.h:578
Definition: conf.h:32
OutputCtx * ctx
Definition: output.h:42
#define DEFAULT_LOG_FILENAME
#define SCMalloc(a)
Definition: util-mem.h:222
SCMutex tunnel_mutex
Definition: decode.h:587
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:249
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define XFF_OVERWRITE
char * sig_str
Definition: detect.h:584
#define SCFree(a)
Definition: util-mem.h:322
uint16_t tx_id
uint8_t flags
Definition: decode.h:272
void * data
Definition: tm-modules.h:81
#define PKT_HAS_TAG
Definition: decode.h:1086
SCMutex m
Definition: flow-hash.h:105
uint32_t rev
Definition: detect.h:552
PacketAlerts alerts
Definition: decode.h:555
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1068
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:272
struct RSDNSState_ RSDNSState
#define XFF_DISABLED
json_t * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:282
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:796
json_t * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
struct DetectMetadata_ * next
uint16_t cnt
Definition: decode.h:293
void DetectEngineSetParseMetadata(void)
uint32_t tenant_id
Definition: decode.h:594
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:451
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:186
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
AppProto alproto
application level protocol
Definition: flow.h:409
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:288
#define ACTION_DROP
uint32_t flags
Definition: decode.h:443
uint16_t payload_len
Definition: decode.h:541
#define likely(expr)
Definition: util-optimize.h:32
uint32_t offset
Definition: util-buffer.h:30
Flow data structure.
Definition: flow.h:325
uint8_t * payload
Definition: decode.h:540
#define XFF_EXTRADATA
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
struct Packet_ * root
Definition: decode.h:577
#define DEBUG_VALIDATE_BUG_ON(exp)