suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 
43 #include "detect-parse.h"
44 #include "detect-engine.h"
45 #include "detect-engine-mpm.h"
46 #include "detect-reference.h"
47 #include "detect-metadata.h"
48 #include "app-layer-parser.h"
49 #include "app-layer-dnp3.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "util-syslog.h"
55 #include "util-logopenfile.h"
56 
57 #include "output.h"
58 #include "output-json.h"
59 #include "output-json-alert.h"
60 #include "output-json-dnp3.h"
61 #include "output-json-dns.h"
62 #include "output-json-http.h"
63 #include "output-json-tls.h"
64 #include "output-json-ssh.h"
65 #include "rust.h"
66 #include "output-json-smtp.h"
68 #include "output-json-nfs.h"
69 #include "output-json-smb.h"
70 #include "output-json-flow.h"
71 #include "output-json-sip.h"
72 #include "output-json-rfb.h"
73 #include "output-json-mqtt.h"
74 
75 #include "util-byte.h"
76 #include "util-privs.h"
77 #include "util-print.h"
78 #include "util-proto-name.h"
79 #include "util-optimize.h"
80 #include "util-buffer.h"
81 #include "util-crypt.h"
82 #include "util-validate.h"
83 
84 #define MODULE_NAME "JsonAlertLog"
85 
86 #define LOG_JSON_PAYLOAD BIT_U16(0)
87 #define LOG_JSON_PACKET BIT_U16(1)
88 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
89 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
90 #define LOG_JSON_APP_LAYER BIT_U16(4)
91 #define LOG_JSON_FLOW BIT_U16(5)
92 #define LOG_JSON_HTTP_BODY BIT_U16(6)
93 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
94 #define LOG_JSON_RULE_METADATA BIT_U16(8)
95 #define LOG_JSON_RULE BIT_U16(9)
96 
97 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
98  LOG_JSON_APP_LAYER | \
99  LOG_JSON_RULE_METADATA)
100 
101 #define JSON_BODY_LOGGING (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
102 
103 #define JSON_STREAM_BUFFER_SIZE 4096
104 
105 typedef struct AlertJsonOutputCtx_ {
107  uint16_t flags;
113 
114 typedef struct JsonAlertLogThread_ {
115  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
121 
122 /* Callback function to pack payload contents from a stream into a buffer
123  * so we can report them in JSON output. */
124 static int AlertJsonDumpStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
125 {
126  MemBuffer *payload = (MemBuffer *)data;
127  MemBufferWriteRaw(payload, buf, buflen);
128 
129  return 1;
130 }
131 
132 static void AlertJsonTls(const Flow *f, JsonBuilder *js)
133 {
134  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
135  if (ssl_state) {
136  jb_open_object(js, "tls");
137 
138  JsonTlsLogJSONBasic(js, ssl_state);
139  JsonTlsLogJSONExtended(js, ssl_state);
140 
141  jb_close(js);
142  }
143 
144  return;
145 }
146 
147 static void AlertJsonSsh(const Flow *f, JsonBuilder *js)
148 {
149  void *ssh_state = FlowGetAppState(f);
150  if (ssh_state) {
151  JsonBuilderMark mark = { 0, 0, 0 };
152  void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0);
153  jb_get_mark(js, &mark);
154  jb_open_object(js, "ssh");
155  if (rs_ssh_log_json(tx_ptr, js)) {
156  jb_close(js);
157  } else {
158  jb_restore_mark(js, &mark);
159  }
160  }
161 
162  return;
163 }
164 
165 static void AlertJsonHttp2(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
166 {
167  void *h2_state = FlowGetAppState(f);
168  if (h2_state) {
169  void *tx_ptr = rs_http2_state_get_tx(h2_state, tx_id);
170  if (tx_ptr) {
171  JsonBuilderMark mark = { 0, 0, 0 };
172  jb_get_mark(js, &mark);
173  jb_open_object(js, "http");
174  if (rs_http2_log_json(tx_ptr, js)) {
175  jb_close(js);
176  } else {
177  jb_restore_mark(js, &mark);
178  }
179  }
180  }
181 
182  return;
183 }
184 
185 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
186 {
187  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
188  if (dnp3_state) {
190  dnp3_state, tx_id);
191  if (tx) {
192  JsonBuilderMark mark = { 0, 0, 0 };
193  jb_get_mark(js, &mark);
194  bool logged = false;
195  jb_open_object(js, "dnp3");
196  if (tx->has_request && tx->request_done) {
197  jb_open_object(js, "request");
198  JsonDNP3LogRequest(js, tx);
199  jb_close(js);
200  logged = true;
201  }
202  if (tx->has_response && tx->response_done) {
203  jb_open_object(js, "response");
204  JsonDNP3LogResponse(js, tx);
205  jb_close(js);
206  logged = true;
207  }
208  if (logged) {
209  /* Close dnp3 object. */
210  jb_close(js);
211  } else {
212  jb_restore_mark(js, &mark);
213  }
214  }
215  }
216 }
217 
218 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
219 {
220  void *dns_state = (void *)FlowGetAppState(f);
221  if (dns_state) {
222  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
223  dns_state, tx_id);
224  if (txptr) {
225  jb_open_object(js, "dns");
226  JsonBuilder *qjs = JsonDNSLogQuery(txptr, tx_id);
227  if (qjs != NULL) {
228  jb_set_object(js, "query", qjs);
229  jb_free(qjs);
230  }
231  JsonBuilder *ajs = JsonDNSLogAnswer(txptr, tx_id);
232  if (ajs != NULL) {
233  jb_set_object(js, "answer", ajs);
234  jb_free(ajs);
235  }
236  jb_close(js);
237  }
238  }
239  return;
240 }
241 
242 static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
243 {
244  void *snmp_state = (void *)FlowGetAppState(f);
245  if (snmp_state != NULL) {
246  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_SNMP, snmp_state,
247  tx_id);
248  if (tx != NULL) {
249  jb_open_object(js, "snmp");
250  rs_snmp_log_json_response(js, snmp_state, tx);
251  jb_close(js);
252  }
253  }
254 }
255 
256 static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
257 {
258  void *rdp_state = (void *)FlowGetAppState(f);
259  if (rdp_state != NULL) {
260  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state,
261  tx_id);
262  if (tx != NULL) {
263  JsonBuilderMark mark = { 0, 0, 0 };
264  jb_get_mark(js, &mark);
265  if (!rs_rdp_to_json(tx, js)) {
266  jb_restore_mark(js, &mark);
267  }
268  }
269  }
270 }
271 
272 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
273  JsonBuilder *js, JsonAddrInfo *addr)
274 {
275  jb_open_object(js, "source");
276  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
277  jb_set_string(js, "ip", addr->src_ip);
278  switch (p->proto) {
279  case IPPROTO_ICMP:
280  case IPPROTO_ICMPV6:
281  break;
282  case IPPROTO_UDP:
283  case IPPROTO_TCP:
284  case IPPROTO_SCTP:
285  jb_set_uint(js, "port", addr->sp);
286  break;
287  }
288  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
289  jb_set_string(js, "ip", addr->dst_ip);
290  switch (p->proto) {
291  case IPPROTO_ICMP:
292  case IPPROTO_ICMPV6:
293  break;
294  case IPPROTO_UDP:
295  case IPPROTO_TCP:
296  case IPPROTO_SCTP:
297  jb_set_uint(js, "port", addr->dp);
298  break;
299  }
300  }
301  jb_close(js);
302 
303  jb_open_object(js, "target");
304  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
305  jb_set_string(js, "ip", addr->dst_ip);
306  switch (p->proto) {
307  case IPPROTO_ICMP:
308  case IPPROTO_ICMPV6:
309  break;
310  case IPPROTO_UDP:
311  case IPPROTO_TCP:
312  case IPPROTO_SCTP:
313  jb_set_uint(js, "port", addr->dp);
314  break;
315  }
316  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
317  jb_set_string(js, "ip", addr->src_ip);
318  switch (p->proto) {
319  case IPPROTO_ICMP:
320  case IPPROTO_ICMPV6:
321  break;
322  case IPPROTO_UDP:
323  case IPPROTO_TCP:
324  case IPPROTO_SCTP:
325  jb_set_uint(js, "port", addr->sp);
326  break;
327  }
328  }
329  jb_close(js);
330 }
331 
332 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
333  const PacketAlert *pa, JsonBuilder *js)
334 {
335  if (pa->s->metadata && pa->s->metadata->json_str) {
336  jb_set_formatted(js, pa->s->metadata->json_str);
337  }
338 }
339 
340 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa,
341  JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
342 {
343  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
344  const char *action = "allowed";
345  /* use packet action if rate_filter modified the action */
349  action = "blocked";
350  }
351  } else {
353  action = "blocked";
354  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
355  action = "blocked";
356  }
357  }
358 
359  /* Add tx_id to root element for correlation with other events. */
360  /* json_object_del(js, "tx_id"); */
361  if (pa->flags & PACKET_ALERT_FLAG_TX) {
362  jb_set_uint(js, "tx_id", pa->tx_id);
363  }
364 
365  jb_open_object(js, "alert");
366 
367  jb_set_string(js, "action", action);
368  jb_set_uint(js, "gid", pa->s->gid);
369  jb_set_uint(js, "signature_id", pa->s->id);
370  jb_set_uint(js, "rev", pa->s->rev);
371  /* TODO: JsonBuilder should handle unprintable characters like
372  * SCJsonString. */
373  jb_set_string(js, "signature", pa->s->msg ? pa->s->msg: "");
374  jb_set_string(js, "category", pa->s->class_msg ? pa->s->class_msg: "");
375  jb_set_uint(js, "severity", pa->s->prio);
376 
377  if (p->tenant_id > 0) {
378  jb_set_uint(js, "tenant_id", p->tenant_id);
379  }
380 
381  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
382  AlertJsonSourceTarget(p, pa, js, addr);
383  }
384 
385  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
386  AlertJsonMetadata(json_output_ctx, pa, js);
387  }
388 
389  if (flags & LOG_JSON_RULE) {
390  jb_set_string(js, "rule", pa->s->sig_str);
391  }
392 
393  jb_close(js);
394 }
395 
396 static void AlertJsonTunnel(const Packet *p, JsonBuilder *js)
397 {
398  if (p->root == NULL) {
399  return;
400  }
401 
402  jb_open_object(js, "tunnel");
403 
404  /* get a lock to access root packet fields */
405  SCMutex *m = &p->root->tunnel_mutex;
406 
408  SCMutexLock(m);
409  JsonAddrInfoInit(p->root, 0, &addr);
410  SCMutexUnlock(m);
411 
412  jb_set_string(js, "src_ip", addr.src_ip);
413  jb_set_uint(js, "src_port", addr.sp);
414  jb_set_string(js, "dest_ip", addr.dst_ip);
415  jb_set_uint(js, "dest_port", addr.dp);
416  jb_set_string(js, "proto", addr.proto);
417 
418  jb_set_uint(js, "depth", p->recursion_level);
419 
420  jb_close(js);
421 }
422 
423 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js, const Packet *p)
424 {
425  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
426  unsigned long len = BASE64_BUFFER_SIZE(p->payload_len);
427  uint8_t encoded[len];
428  if (Base64Encode(p->payload, p->payload_len, encoded, &len) == SC_BASE64_OK) {
429  jb_set_string(js, "payload", (char *)encoded);
430  }
431  }
432 
433  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
434  uint8_t printable_buf[p->payload_len + 1];
435  uint32_t offset = 0;
436  PrintStringsToBuffer(printable_buf, &offset,
437  p->payload_len + 1,
438  p->payload, p->payload_len);
439  printable_buf[p->payload_len] = '\0';
440  jb_set_string(js, "payload_printable", (char *)printable_buf);
441  }
442 }
443 
444 static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
445  const uint64_t tx_id, const uint16_t option_flags)
446 {
448  JsonBuilderMark mark = { 0, 0, 0 };
449  switch (proto) {
450  case ALPROTO_HTTP:
451  // TODO: Could result in an empty http object being logged.
452  jb_open_object(jb, "http");
453  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
454  if (option_flags & LOG_JSON_HTTP_BODY) {
455  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
456  }
457  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
458  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
459  }
460  }
461  jb_close(jb);
462  break;
463  case ALPROTO_TLS:
464  AlertJsonTls(p->flow, jb);
465  break;
466  case ALPROTO_SSH:
467  AlertJsonSsh(p->flow, jb);
468  break;
469  case ALPROTO_SMTP:
470  jb_get_mark(jb, &mark);
471  jb_open_object(jb, "smtp");
472  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
473  jb_close(jb);
474  } else {
475  jb_restore_mark(jb, &mark);
476  }
477  jb_get_mark(jb, &mark);
478  jb_open_object(jb, "email");
479  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
480  jb_close(jb);
481  } else {
482  jb_restore_mark(jb, &mark);
483  }
484  break;
485  case ALPROTO_NFS:
486  /* rpc */
487  jb_get_mark(jb, &mark);
488  jb_open_object(jb, "rpc");
489  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
490  jb_close(jb);
491  } else {
492  jb_restore_mark(jb, &mark);
493  }
494  /* nfs */
495  jb_get_mark(jb, &mark);
496  jb_open_object(jb, "nfs");
497  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
498  jb_close(jb);
499  } else {
500  jb_restore_mark(jb, &mark);
501  }
502  break;
503  case ALPROTO_SMB:
504  jb_get_mark(jb, &mark);
505  jb_open_object(jb, "smb");
506  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
507  jb_close(jb);
508  } else {
509  jb_restore_mark(jb, &mark);
510  }
511  break;
512  case ALPROTO_SIP:
513  JsonSIPAddMetadata(jb, p->flow, tx_id);
514  break;
515  case ALPROTO_RFB:
516  jb_get_mark(jb, &mark);
517  if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) {
518  jb_restore_mark(jb, &mark);
519  }
520  break;
521  case ALPROTO_FTPDATA:
522  EveFTPDataAddMetadata(p->flow, jb);
523  break;
524  case ALPROTO_DNP3:
525  AlertJsonDnp3(p->flow, tx_id, jb);
526  break;
527  case ALPROTO_HTTP2:
528  AlertJsonHttp2(p->flow, tx_id, jb);
529  break;
530  case ALPROTO_DNS:
531  AlertJsonDns(p->flow, tx_id, jb);
532  break;
533  case ALPROTO_MQTT:
534  jb_get_mark(jb, &mark);
535  if (!JsonMQTTAddMetadata(p->flow, tx_id, jb)) {
536  jb_restore_mark(jb, &mark);
537  }
538  break;
539  case ALPROTO_SNMP:
540  AlertJsonSNMP(p->flow, tx_id, jb);
541  break;
542  case ALPROTO_RDP:
543  AlertJsonRDP(p->flow, tx_id, jb);
544  break;
545  default:
546  break;
547  }
548 }
549 
550 static void AlertAddFiles(const Packet *p, JsonBuilder *jb, const uint64_t tx_id)
551 {
554  if (ffc != NULL) {
555  File *file = ffc->head;
556  bool isopen = false;
557  while (file) {
558  if (tx_id == file->txid) {
559  if (!isopen) {
560  isopen = true;
561  jb_open_array(jb, "files");
562  }
563  jb_start_object(jb);
564  EveFileInfo(jb, file, file->flags & FILE_STORED);
565  jb_close(jb);
566  }
567  file = file->next;
568  }
569  if (isopen) {
570  jb_close(jb);
571  }
572  }
573 }
574 
575 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
576 {
577  MemBuffer *payload = aft->payload_buffer;
578  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
579 
580  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
581  return TM_ECODE_OK;
582 
583  for (int i = 0; i < p->alerts.cnt; i++) {
584  const PacketAlert *pa = &p->alerts.alerts[i];
585  if (unlikely(pa->s == NULL)) {
586  continue;
587  }
588 
589  /* First initialize the address info (5-tuple). */
591  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
592 
593  /* Check for XFF, overwriting address info if needed. */
594  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
595  json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
596  int have_xff_ip = 0;
597  char xff_buffer[XFF_MAXLEN];
598  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
599  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
600  if (pa->flags & PACKET_ALERT_FLAG_TX) {
601  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
602  xff_buffer, XFF_MAXLEN);
603  } else {
604  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
605  XFF_MAXLEN);
606  }
607  }
608 
609  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
610  if (p->flowflags & FLOW_PKT_TOCLIENT) {
611  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
612  } else {
613  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
614  }
615  /* Clear have_xff_ip so the xff field does not get
616  * logged below. */
617  have_xff_ip = false;
618  }
619  }
620 
621  JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr);
622  if (unlikely(jb == NULL))
623  return TM_ECODE_OK;
624  EveAddCommonOptions(&json_output_ctx->cfg, p, p->flow, jb);
625 
627 
628  /* alert */
629  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags,
630  &addr);
631 
632  if (IS_TUNNEL_PKT(p)) {
633  AlertJsonTunnel(p, jb);
634  }
635 
636  if (p->flow != NULL) {
637  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
638  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
639  }
640  /* including fileinfo data is configured by the metadata setting */
641  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
642  AlertAddFiles(p, jb, pa->tx_id);
643  }
644 
645  EveAddAppProto(p->flow, jb);
646  if (json_output_ctx->flags & LOG_JSON_FLOW) {
647  jb_open_object(jb, "flow");
648  EveAddFlow(p->flow, jb);
649  jb_close(jb);
650  }
651  }
652 
653  /* payload */
654  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
655  int stream = (p->proto == IPPROTO_TCP) ?
657  1 : 0) : 0;
658 
659  /* Is this a stream? If so, pack part of it into the payload field */
660  if (stream) {
661  uint8_t flag;
662 
663  MemBufferReset(payload);
664 
665  if (p->flowflags & FLOW_PKT_TOSERVER) {
666  flag = FLOW_PKT_TOCLIENT;
667  } else {
668  flag = FLOW_PKT_TOSERVER;
669  }
670 
671  StreamSegmentForEach((const Packet *)p, flag,
672  AlertJsonDumpStreamSegmentCallback,
673  (void *)payload);
674  if (payload->offset) {
675  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
676  unsigned long len = BASE64_BUFFER_SIZE(json_output_ctx->payload_buffer_size);
677  uint8_t encoded[len];
678  Base64Encode(payload->buffer, payload->offset, encoded, &len);
679  jb_set_string(jb, "payload", (char *)encoded);
680  }
681 
682  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
683  uint8_t printable_buf[payload->offset + 1];
684  uint32_t offset = 0;
685  PrintStringsToBuffer(printable_buf, &offset,
686  sizeof(printable_buf),
687  payload->buffer, payload->offset);
688  jb_set_string(jb, "payload_printable", (char *)printable_buf);
689  }
690  } else if (p->payload_len) {
691  /* Fallback on packet payload */
692  AlertAddPayload(json_output_ctx, jb, p);
693  }
694  } else {
695  /* This is a single packet and not a stream */
696  AlertAddPayload(json_output_ctx, jb, p);
697  }
698 
699  jb_set_uint(jb, "stream", stream);
700  }
701 
702  /* base64-encoded full packet */
703  if (json_output_ctx->flags & LOG_JSON_PACKET) {
704  EvePacket(p, jb, 0);
705  }
706 
707  if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) {
708  jb_set_string(jb, "xff", xff_buffer);
709  }
710 
712  jb_free(jb);
713  }
714 
715  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
718  JsonBuilder *packetjs = CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL);
719  if (unlikely(packetjs != NULL)) {
720  EvePacket(p, packetjs, 0);
721  OutputJsonBuilderBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
722  jb_free(packetjs);
723  }
724  }
725 
726  return TM_ECODE_OK;
727 }
728 
729 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
730 {
731  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
732  char timebuf[64];
733 
734  if (p->alerts.cnt == 0)
735  return TM_ECODE_OK;
736 
737  CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
738 
739  for (int i = 0; i < p->alerts.cnt; i++) {
741 
742  const PacketAlert *pa = &p->alerts.alerts[i];
743  if (unlikely(pa->s == NULL)) {
744  continue;
745  }
746 
747  JsonBuilder *jb = jb_new_object();
748  if (unlikely(jb == NULL)) {
749  return TM_ECODE_OK;
750  }
751 
752  /* just the timestamp, no tuple */
753  jb_set_string(jb, "timestamp", timebuf);
754 
755  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL);
756 
758  jb_free(jb);
759  }
760 
761  return TM_ECODE_OK;
762 }
763 
764 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
765 {
766  JsonAlertLogThread *aft = thread_data;
767 
768  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
769  return AlertJson(tv, aft, p);
770  } else if (p->alerts.cnt > 0) {
771  return AlertJsonDecoderEvent(tv, aft, p);
772  }
773  return 0;
774 }
775 
776 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
777 {
778  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
779  return TRUE;
780  }
781  return FALSE;
782 }
783 
784 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
785 {
787  if (unlikely(aft == NULL))
788  return TM_ECODE_FAILED;
789 
790  if (initdata == NULL)
791  {
792  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
793  goto error_exit;
794  }
795 
797  if (aft->json_buffer == NULL) {
798  goto error_exit;
799  }
800 
801  /** Use the Output Context (file pointer and mutex) */
802  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
803 
804  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
805  if (aft->payload_buffer == NULL) {
806  goto error_exit;
807  }
808  aft->file_ctx = LogFileEnsureExists(json_output_ctx->file_ctx, t->id);
809  if (!aft->file_ctx) {
810  goto error_exit;
811  }
812 
813  aft->json_output_ctx = json_output_ctx;
814 
815  *data = (void *)aft;
816  return TM_ECODE_OK;
817 
818 error_exit:
819  if (aft->json_buffer != NULL) {
821  }
822  if (aft->payload_buffer != NULL) {
824  }
825  SCFree(aft);
826  return TM_ECODE_FAILED;
827 }
828 
829 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
830 {
831  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
832  if (aft == NULL) {
833  return TM_ECODE_OK;
834  }
835 
838 
839  /* clear memory */
840  memset(aft, 0, sizeof(JsonAlertLogThread));
841 
842  SCFree(aft);
843  return TM_ECODE_OK;
844 }
845 
846 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
847 {
848  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
849 
850  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
851 
852  if (json_output_ctx != NULL) {
853  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
854  if (xff_cfg != NULL) {
855  SCFree(xff_cfg);
856  }
857  SCFree(json_output_ctx);
858  }
859  SCFree(output_ctx);
860 }
861 
862 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
863 {
864  DEBUG_VALIDATE_BUG_ON(conf == NULL);
865  const char *setting = ConfNodeLookupChildValue(conf, name);
866  if (setting != NULL) {
867  if (ConfValIsTrue(setting)) {
868  *out_flags |= flag;
869  } else {
870  *out_flags &= ~flag;
871  }
872  }
873 }
874 
875 #define DEFAULT_LOG_FILENAME "alert.json"
876 
877 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
878  ConfNode *conf)
879 {
880  static bool warn_no_meta = false;
881  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
882  uint16_t flags = METADATA_DEFAULTS;
883 
884  if (conf != NULL) {
885  /* Check for metadata to enable/disable. */
886  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
887  if (metadata != NULL) {
888  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
890  } else if (ConfNodeHasChildren(metadata)) {
891  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
892  if (rule_metadata) {
893  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
894  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
895  &flags);
896  }
897  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
898  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
899  }
900  }
901 
902  /* Non-metadata toggles. */
903  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
904  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
905  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
906  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
907  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
908  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
909 
910  /* Check for obsolete configuration flags to enable specific
911  * protocols. These are now just aliases for enabling
912  * app-layer logging. */
913  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
914  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
915  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
916  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
917  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
918 
919  /* And check for obsolete configuration flags for enabling
920  * app-layer and flow as these have been moved under the
921  * metadata key. */
922  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
923  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
924 
925  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
926 
927  if (payload_buffer_value != NULL) {
928  uint32_t value;
929  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
930  SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
931  "payload-buffer-size - %s. Killing engine",
932  payload_buffer_value);
933  exit(EXIT_FAILURE);
934  } else {
935  payload_buffer_size = value;
936  }
937  }
938 
939  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
940  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
941  SCLogWarning(SC_WARN_ALERT_CONFIG, "HTTP body logging has been configured, however, "
942  "metadata logging has not been enabled. HTTP body logging will be disabled.");
944  warn_no_meta = true;
945  }
946  }
947 
948  json_output_ctx->payload_buffer_size = payload_buffer_size;
949  }
950 
953  }
954 
955  json_output_ctx->flags |= flags;
956 }
957 
958 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
959 {
960  HttpXFFCfg *xff_cfg = NULL;
961  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
962  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
963  if (likely(xff_cfg != NULL)) {
964  HttpXFFGetCfg(conf, xff_cfg);
965  }
966  }
967  return xff_cfg;
968 }
969 
970 /**
971  * \brief Create a new LogFileCtx for "fast" output style.
972  * \param conf The configuration node for this output.
973  * \return A LogFileCtx pointer on success, NULL on failure.
974  */
975 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
976 {
977  OutputInitResult result = { NULL, false };
978  OutputJsonCtx *ajt = parent_ctx->data;
979  AlertJsonOutputCtx *json_output_ctx = NULL;
980 
981  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
982  if (unlikely(output_ctx == NULL))
983  return result;
984 
985  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
986  if (unlikely(json_output_ctx == NULL)) {
987  goto error;
988  }
989  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
990 
991  json_output_ctx->file_ctx = ajt->file_ctx;
992  json_output_ctx->cfg = ajt->cfg;
993 
994  JsonAlertLogSetupMetadata(json_output_ctx, conf);
995  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
996  if (json_output_ctx->xff_cfg == NULL) {
997  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
998  }
999 
1000  output_ctx->data = json_output_ctx;
1001  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1002 
1003  result.ctx = output_ctx;
1004  result.ok = true;
1005  return result;
1006 
1007 error:
1008  if (json_output_ctx != NULL) {
1009  SCFree(json_output_ctx);
1010  }
1011  if (output_ctx != NULL) {
1012  SCFree(output_ctx);
1013  }
1014 
1015  return result;
1016 }
1017 
1019 {
1021  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1022  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1023  NULL);
1024 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
util-byte.h
tm-threads.h
Packet_::proto
uint8_t proto
Definition: decode.h:437
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
FileContainer_
Definition: util-file.h:107
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
DNP3Transaction_::response_done
uint8_t response_done
Definition: app-layer-dnp3.h:232
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:291
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-smtp.c:101
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:280
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:410
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:105
Signature_::sig_str
char * sig_str
Definition: detect.h:580
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:293
CreateIsoTimeString
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:213
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
JsonAlertLogThread_::json_buffer
MemBuffer * json_buffer
Definition: output-json-alert.c:117
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
Definition: output-json-tls.c:293
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:259
ConfNode_::val
char * val
Definition: conf.h:34
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:104
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
output-json-mqtt.h
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:95
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DNP3Transaction_::request_done
uint8_t request_done
Definition: app-layer-dnp3.h:218
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:106
PacketAlerts_::alerts
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:301
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:110
Flow_::proto
uint8_t proto
Definition: flow.h:365
StreamSegmentForEach
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:73
Packet_::payload
uint8_t * payload
Definition: decode.h:550
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:300
DNP3Transaction_::has_request
uint8_t has_request
Definition: app-layer-dnp3.h:217
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:251
Packet_::flags
uint32_t flags
Definition: decode.h:450
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:63
threads.h
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:480
OutputJsonCtx_
Definition: output-json.h:101
AlertJsonHeader
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
Definition: output-json-alert.c:340
Flow_
Flow data structure.
Definition: flow.h:347
OutputJsonCommonSettings_
Definition: output-json.h:91
util-syslog.h
logged
int logged
Definition: app-layer-htp.h:1
LogFileCtx_
Definition: util-logopenfile.h:60
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:63
output-json-tls.h
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:53
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:984
output-json-sip.h
rust.h
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:863
util-privs.h
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:440
proto
uint8_t proto
Definition: decode-template.h:0
m
SCMutex m
Definition: flow-hash.h:6
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:446
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:551
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:565
SC_BASE64_OK
@ SC_BASE64_OK
Definition: util-crypt.h:39
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-http.c:528
DNP3Transaction_::has_response
uint8_t has_response
Definition: app-layer-dnp3.h:231
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1102
util-unittest-helper.h
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:228
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:281
JsonDNSLogAnswer
JsonBuilder * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:297
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:278
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:101
detect-reference.h
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:52
Signature_::gid
uint32_t gid
Definition: detect.h:547
output-json-dnp3.h
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:53
app-layer-htp.h
Base64Encode
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:35
util-debug.h
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:84
JsonRFBAddMetadata
bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-rfb.c:60
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:44
output-json-rfb.h
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr)
Definition: output-json.c:852
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:90
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
app-layer-dnp3.h
output-json.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
MemBufferWriteRaw
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:86
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:107
SC_ERR_ALERT_PAYLOAD_BUFFER
@ SC_ERR_ALERT_PAYLOAD_BUFFER
Definition: util-error.h:310
util-print.h
detect-engine-mpm.h
util-crypt.h
FileContainer_::head
File * head
Definition: util-file.h:108
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
LogFileEnsureExists
LogFileCtx * LogFileEnsureExists(LogFileCtx *parent_ctx, int thread_id)
LogFileEnsureExists() Ensure a log file context for the thread exists.
Definition: util-logopenfile.c:659
EveFileInfo
void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
Definition: output-json.c:141
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
OutputInitResult_::ok
bool ok
Definition: output.h:45
JsonDNP3LogResponse
void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:176
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:445
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:114
TRUE
#define TRUE
Definition: suricata-common.h:33
ThreadVars_::id
int id
Definition: threadvars.h:87
SC_WARN_ALERT_CONFIG
@ SC_WARN_ALERT_CONFIG
Definition: util-error.h:357
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:514
JsonAddrInfo_
Definition: output-json.h:49
Packet_
Definition: decode.h:415
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:58
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:103
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:88
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:253
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:79
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:249
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:51
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:896
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:108
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:59
util-proto-name.h
ConfNodeHasChildren
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:795
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:89
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1073
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint32_t tx_id, JsonBuilder *js)
Definition: output-json-email-common.c:374
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:109
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:54
Signature_::class_msg
char * class_msg
Definition: detect.h:574
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:814
PacketAlert_::flags
uint8_t flags
Definition: decode.h:279
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:73
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:295
File_
Definition: util-file.h:72
OutputInitResult_
Definition: output.h:43
Packet_::flow
struct Flow_ * flow
Definition: decode.h:452
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:604
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
flags
uint8_t flags
Definition: decode-gre.h:0
Packet_::ts
struct timeval ts
Definition: decode.h:458
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:52
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:214
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:45
AlertJsonOutputCtx_
Definition: output-json-alert.c:105
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:119
output-json-nfs.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
File_::next
struct File_ * next
Definition: util-file.h:86
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
EveAddAppProto
void EveAddAppProto(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:178
Signature_::rev
uint32_t rev
Definition: detect.h:548
util-classification-config.h
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:464
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Signature_::prio
int prio
Definition: detect.h:549
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:185
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
output-json-dns.h
FlowGetAppProtocol
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1097
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
Packet_::root
struct Packet_ * root
Definition: decode.h:587
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:50
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:578
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:118
SCFree
#define SCFree(p)
Definition: util-mem.h:61
JsonAlertLogThread_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:116
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Signature_::id
uint32_t id
Definition: detect.h:546
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:440
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:93
detect-parse.h
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:87
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:55
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:590
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:51
EveFTPDataAddMetadata
void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb)
Definition: app-layer-ftp.c:1399
output-json-ssh.h
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:102
JsonDNSLogQuery
JsonBuilder * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:275
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:92
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:97
DNP3State_
Per flow DNP3 state.
Definition: app-layer-dnp3.h:258
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:243
BASE64_BUFFER_SIZE
#define BASE64_BUFFER_SIZE(x)
Definition: util-crypt.h:36
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:91
JsonDNP3LogRequest
void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:147
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:54
PacketAlert_
Definition: decode.h:276
AlertJsonOutputCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json-alert.c:111
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:505
File_::txid
uint64_t txid
Definition: util-file.h:77
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
likely
#define likely(expr)
Definition: util-optimize.h:32
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:113
output-json-smtp.h
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1109
Signature_::msg
char * msg
Definition: detect.h:571
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4155
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-smb.c:50
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:361
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:94
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:258
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:289
JsonSIPAddMetadata
void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id)
Definition: output-json-sip.c:63
JsonMQTTAddMetadata
bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-mqtt.c:63
SCMutex
#define SCMutex
Definition: threads-debug.h:114
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h
Packet_::tunnel_mutex
SCMutex tunnel_mutex
Definition: decode.h:597
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1018
DNP3Transaction_
DNP3 transaction.
Definition: app-layer-dnp3.h:210
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:872
EveAddFlow
void EveAddFlow(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:199
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:842