suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "detect-metadata.h"
47 #include "app-layer-parser.h"
48 #include "app-layer-dnp3.h"
49 #include "app-layer-dns-common.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "util-syslog.h"
55 #include "util-logopenfile.h"
56 
57 #include "output.h"
58 #include "output-json.h"
59 #include "output-json-alert.h"
60 #include "output-json-dnp3.h"
61 #include "output-json-dns.h"
62 #include "output-json-http.h"
63 #include "output-json-tls.h"
64 #include "output-json-ssh.h"
65 #include "output-json-smtp.h"
67 #include "output-json-nfs.h"
68 #include "output-json-smb.h"
69 #include "output-json-flow.h"
70 
71 #include "util-byte.h"
72 #include "util-privs.h"
73 #include "util-print.h"
74 #include "util-proto-name.h"
75 #include "util-optimize.h"
76 #include "util-buffer.h"
77 #include "util-crypt.h"
78 #include "util-validate.h"
79 
80 #define MODULE_NAME "JsonAlertLog"
81 
82 #ifdef HAVE_LIBJANSSON
83 
84 #define LOG_JSON_PAYLOAD BIT_U16(0)
85 #define LOG_JSON_PACKET BIT_U16(1)
86 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
87 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
88 #define LOG_JSON_APP_LAYER BIT_U16(4)
89 #define LOG_JSON_FLOW BIT_U16(5)
90 #define LOG_JSON_HTTP_BODY BIT_U16(6)
91 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
92 #define LOG_JSON_RULE_METADATA BIT_U16(8)
93 #define LOG_JSON_RULE BIT_U16(9)
94 
95 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
96  LOG_JSON_APP_LAYER | \
97  LOG_JSON_RULE_METADATA)
98 
99 #define JSON_STREAM_BUFFER_SIZE 4096
100 
101 typedef struct AlertJsonOutputCtx_ {
102  LogFileCtx* file_ctx;
103  uint16_t flags;
104  uint32_t payload_buffer_size;
105  HttpXFFCfg *xff_cfg;
106  HttpXFFCfg *parent_xff_cfg;
107  OutputJsonCommonSettings cfg;
108 } AlertJsonOutputCtx;
109 
110 typedef struct JsonAlertLogThread_ {
111  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
112  LogFileCtx* file_ctx;
113  MemBuffer *json_buffer;
114  MemBuffer *payload_buffer;
115  AlertJsonOutputCtx* json_output_ctx;
116 } JsonAlertLogThread;
117 
118 /* Callback function to pack payload contents from a stream into a buffer
119  * so we can report them in JSON output. */
120 static int AlertJsonDumpStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
121 {
122  MemBuffer *payload = (MemBuffer *)data;
123  MemBufferWriteRaw(payload, buf, buflen);
124 
125  return 1;
126 }
127 
128 static void AlertJsonTls(const Flow *f, json_t *js)
129 {
130  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
131  if (ssl_state) {
132  json_t *tjs = json_object();
133  if (unlikely(tjs == NULL))
134  return;
135 
136  JsonTlsLogJSONBasic(tjs, ssl_state);
137  JsonTlsLogJSONExtended(tjs, ssl_state);
138 
139  json_object_set_new(js, "tls", tjs);
140  }
141 
142  return;
143 }
144 
145 static void AlertJsonSsh(const Flow *f, json_t *js)
146 {
147  SshState *ssh_state = (SshState *)FlowGetAppState(f);
148  if (ssh_state) {
149  json_t *tjs = json_object();
150  if (unlikely(tjs == NULL))
151  return;
152 
153  JsonSshLogJSON(tjs, ssh_state);
154 
155  json_object_set_new(js, "ssh", tjs);
156  }
157 
158  return;
159 }
160 
161 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, json_t *js)
162 {
163  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
164  if (dnp3_state) {
166  dnp3_state, tx_id);
167  if (tx) {
168  json_t *dnp3js = json_object();
169  if (likely(dnp3js != NULL)) {
170  if (tx->has_request && tx->request_done) {
171  json_t *request = JsonDNP3LogRequest(tx);
172  if (request != NULL) {
173  json_object_set_new(dnp3js, "request", request);
174  }
175  }
176  if (tx->has_response && tx->response_done) {
177  json_t *response = JsonDNP3LogResponse(tx);
178  if (response != NULL) {
179  json_object_set_new(dnp3js, "response", response);
180  }
181  }
182  json_object_set_new(js, "dnp3", dnp3js);
183  }
184  }
185  }
186 
187  return;
188 }
189 
190 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, json_t *js)
191 {
192  DNSState *dns_state = (DNSState *)FlowGetAppState(f);
193  if (dns_state) {
194  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
195  dns_state, tx_id);
196  if (txptr) {
197  json_t *dnsjs = json_object();
198  if (unlikely(dnsjs == NULL)) {
199  return;
200  }
201  json_t *qjs = JsonDNSLogQuery(txptr, tx_id);
202  if (qjs != NULL) {
203  json_object_set_new(dnsjs, "query", qjs);
204  }
205  json_t *ajs = JsonDNSLogAnswer(txptr, tx_id);
206  if (ajs != NULL) {
207  json_object_set_new(dnsjs, "answer", ajs);
208  }
209  json_object_set_new(js, "dns", dnsjs);
210  }
211  }
212  return;
213 }
214 
215 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
216  json_t *js, json_t* ajs)
217 {
218  json_t *sjs = json_object();
219  if (sjs == NULL) {
220  return;
221  }
222 
223  json_t *tjs = json_object();
224  if (tjs == NULL) {
225  json_decref(sjs);
226  return;
227  }
228 
229  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
230  json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
231  json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
232  switch (p->proto) {
233  case IPPROTO_ICMP:
234  case IPPROTO_ICMPV6:
235  break;
236  case IPPROTO_UDP:
237  case IPPROTO_TCP:
238  case IPPROTO_SCTP:
239  json_object_set(sjs, "port", json_object_get(js, "src_port"));
240  json_object_set(tjs, "port", json_object_get(js, "dest_port"));
241  break;
242  }
243  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
244  json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
245  json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
246  switch (p->proto) {
247  case IPPROTO_ICMP:
248  case IPPROTO_ICMPV6:
249  break;
250  case IPPROTO_UDP:
251  case IPPROTO_TCP:
252  case IPPROTO_SCTP:
253  json_object_set(sjs, "port", json_object_get(js, "dest_port"));
254  json_object_set(tjs, "port", json_object_get(js, "src_port"));
255  break;
256  }
257  }
258  json_object_set_new(ajs, "source", sjs);
259  json_object_set_new(ajs, "target", tjs);
260 }
261 
262 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx, const PacketAlert *pa, json_t *ajs)
263 {
264  if (pa->s->metadata) {
265  const DetectMetadata* kv = pa->s->metadata;
266  json_t *mjs = json_object();
267  if (unlikely(mjs == NULL)) {
268  return;
269  }
270  while (kv) {
271  json_t *jkey = json_object_get(mjs, kv->key);
272  if (jkey == NULL) {
273  jkey = json_array();
274  if (unlikely(jkey == NULL))
275  break;
276  json_array_append_new(jkey, json_string(kv->value));
277  json_object_set_new(mjs, kv->key, jkey);
278  } else {
279  json_array_append_new(jkey, json_string(kv->value));
280  }
281 
282  kv = kv->next;
283  }
284 
285  if (json_object_size(mjs) == 0) {
286  json_decref(mjs);
287  } else {
288  json_object_set_new(ajs, "metadata", mjs);
289  }
290  }
291 }
292 
293 
294 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js,
295  uint16_t flags)
296 {
297  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
298  const char *action = "allowed";
299  /* use packet action if rate_filter modified the action */
303  action = "blocked";
304  }
305  } else {
307  action = "blocked";
308  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
309  action = "blocked";
310  }
311  }
312 
313  /* Add tx_id to root element for correlation with other events. */
314  json_object_del(js, "tx_id");
315  if (pa->flags & PACKET_ALERT_FLAG_TX)
316  json_object_set_new(js, "tx_id", json_integer(pa->tx_id));
317 
318  json_t *ajs = json_object();
319  if (ajs == NULL) {
320  return;
321  }
322 
323  json_object_set_new(ajs, "action", json_string(action));
324  json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
325  json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
326  json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
327  json_object_set_new(ajs, "signature",
328  SCJsonString((pa->s->msg) ? pa->s->msg : ""));
329  json_object_set_new(ajs, "category",
330  SCJsonString((pa->s->class_msg) ? pa->s->class_msg : ""));
331  json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
332 
333  if (p->tenant_id > 0)
334  json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
335 
336  if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
337  AlertJsonSourceTarget(p, pa, js, ajs);
338  }
339 
340  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
341  AlertJsonMetadata(json_output_ctx, pa, ajs);
342  }
343 
344  /* alert */
345  json_object_set_new(js, "alert", ajs);
346 }
347 
348 static void AlertJsonTunnel(const Packet *p, json_t *js)
349 {
350  json_t *tunnel = json_object();
351  if (tunnel == NULL)
352  return;
353 
354  if (p->root == NULL) {
355  json_decref(tunnel);
356  return;
357  }
358 
359  /* get a lock to access root packet fields */
360  SCMutex *m = &p->root->tunnel_mutex;
361 
362  SCMutexLock(m);
363  JsonFiveTuple((const Packet *)p->root, 0, tunnel);
364  SCMutexUnlock(m);
365 
366  json_object_set_new(tunnel, "depth", json_integer(p->recursion_level));
367 
368  json_object_set_new(js, "tunnel", tunnel);
369 }
370 
371 static void AlertJsonPacket(const Packet *p, json_t *js)
372 {
373  unsigned long len = GET_PKT_LEN(p) * 2;
374  uint8_t encoded_packet[len];
375  Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p),
376  encoded_packet, &len);
377  json_object_set_new(js, "packet", json_string((char *)encoded_packet));
378 
379  /* Create packet info. */
380  json_t *packetinfo_js = json_object();
381  if (unlikely(packetinfo_js == NULL)) {
382  return;
383  }
384  json_object_set_new(packetinfo_js, "linktype", json_integer(p->datalink));
385  json_object_set_new(js, "packet_info", packetinfo_js);
386 }
387 
388 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, json_t *js, const Packet *p)
389 {
390  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
391  unsigned long len = p->payload_len * 2 + 1;
392  uint8_t encoded[len];
393  if (Base64Encode(p->payload, p->payload_len, encoded, &len) == SC_BASE64_OK) {
394  json_object_set_new(js, "payload", json_string((char *)encoded));
395  }
396  }
397 
398  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
399  uint8_t printable_buf[p->payload_len + 1];
400  uint32_t offset = 0;
401  PrintStringsToBuffer(printable_buf, &offset,
402  p->payload_len + 1,
403  p->payload, p->payload_len);
404  printable_buf[p->payload_len] = '\0';
405  json_object_set_new(js, "payload_printable", json_string((char *)printable_buf));
406  }
407 }
408 
409 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
410 {
411  MemBuffer *payload = aft->payload_buffer;
412  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
413  json_t *hjs = NULL;
414 
415  int i;
416 
417  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
418  return TM_ECODE_OK;
419 
420  json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "alert");
421  if (unlikely(js == NULL))
422  return TM_ECODE_OK;
423 
424  JsonAddCommonOptions(&json_output_ctx->cfg, p, p->flow, js);
425 
426  for (i = 0; i < p->alerts.cnt; i++) {
427  const PacketAlert *pa = &p->alerts.alerts[i];
428  if (unlikely(pa->s == NULL)) {
429  continue;
430  }
431 
432  MemBufferReset(aft->json_buffer);
433 
434  /* alert */
435  AlertJsonHeader(json_output_ctx, p, pa, js, json_output_ctx->flags);
436 
437  if (IS_TUNNEL_PKT(p)) {
438  AlertJsonTunnel(p, js);
439  }
440 
441  if (json_output_ctx->flags & LOG_JSON_APP_LAYER && p->flow != NULL) {
442  uint16_t proto = FlowGetAppProtocol(p->flow);
443 
444  /* http alert */
445  if (proto == ALPROTO_HTTP) {
446  hjs = JsonHttpAddMetadata(p->flow, pa->tx_id);
447  if (hjs) {
448  if (json_output_ctx->flags & LOG_JSON_HTTP_BODY) {
449  JsonHttpLogJSONBodyPrintable(hjs, p->flow, pa->tx_id);
450  }
451  if (json_output_ctx->flags & LOG_JSON_HTTP_BODY_BASE64) {
452  JsonHttpLogJSONBodyBase64(hjs, p->flow, pa->tx_id);
453  }
454  json_object_set_new(js, "http", hjs);
455  }
456  }
457 
458  /* tls alert */
459  if (proto == ALPROTO_TLS) {
460  AlertJsonTls(p->flow, js);
461  }
462 
463  /* ssh alert */
464  if (proto == ALPROTO_SSH) {
465  AlertJsonSsh(p->flow, js);
466  }
467 
468  /* smtp alert */
469  if (proto == ALPROTO_SMTP) {
470  hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id);
471  if (hjs) {
472  json_object_set_new(js, "smtp", hjs);
473  }
474 
475  hjs = JsonEmailAddMetadata(p->flow, pa->tx_id);
476  if (hjs) {
477  json_object_set_new(js, "email", hjs);
478  }
479  }
480 
481 #ifdef HAVE_RUST
482  if (proto == ALPROTO_NFS) {
483  hjs = JsonNFSAddMetadataRPC(p->flow, pa->tx_id);
484  if (hjs)
485  json_object_set_new(js, "rpc", hjs);
486  hjs = JsonNFSAddMetadata(p->flow, pa->tx_id);
487  if (hjs)
488  json_object_set_new(js, "nfs", hjs);
489  } else if (proto == ALPROTO_SMB) {
490  hjs = JsonSMBAddMetadata(p->flow, pa->tx_id);
491  if (hjs)
492  json_object_set_new(js, "smb", hjs);
493  }
494 #endif
495  if (proto == ALPROTO_FTPDATA) {
496  hjs = JsonFTPDataAddMetadata(p->flow);
497  if (hjs)
498  json_object_set_new(js, "ftp-data", hjs);
499  }
500 
501  /* dnp3 alert */
502  if (proto == ALPROTO_DNP3) {
503  AlertJsonDnp3(p->flow, pa->tx_id, js);
504  }
505 
506  if (proto == ALPROTO_DNS) {
507  AlertJsonDns(p->flow, pa->tx_id, js);
508  }
509  }
510 
511  if (p->flow) {
512  if (json_output_ctx->flags & LOG_JSON_FLOW) {
513  hjs = json_object();
514  if (hjs != NULL) {
515  JsonAddFlow(p->flow, js, hjs);
516  json_object_set_new(js, "flow", hjs);
517  }
518  } else {
519  json_object_set_new(js, "app_proto",
520  json_string(AppProtoToString(p->flow->alproto)));
521  }
522  }
523 
524  /* payload */
525  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
526  int stream = (p->proto == IPPROTO_TCP) ?
528  1 : 0) : 0;
529 
530  /* Is this a stream? If so, pack part of it into the payload field */
531  if (stream) {
532  uint8_t flag;
533 
534  MemBufferReset(payload);
535 
536  if (p->flowflags & FLOW_PKT_TOSERVER) {
537  flag = FLOW_PKT_TOCLIENT;
538  } else {
539  flag = FLOW_PKT_TOSERVER;
540  }
541 
542  StreamSegmentForEach((const Packet *)p, flag,
543  AlertJsonDumpStreamSegmentCallback,
544  (void *)payload);
545  if (payload->offset) {
546  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
547  unsigned long len = json_output_ctx->payload_buffer_size * 2;
548  uint8_t encoded[len];
549  Base64Encode(payload->buffer, payload->offset, encoded, &len);
550  json_object_set_new(js, "payload", json_string((char *)encoded));
551  }
552 
553  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
554  uint8_t printable_buf[payload->offset + 1];
555  uint32_t offset = 0;
556  PrintStringsToBuffer(printable_buf, &offset,
557  sizeof(printable_buf),
558  payload->buffer, payload->offset);
559  json_object_set_new(js, "payload_printable",
560  json_string((char *)printable_buf));
561  }
562  } else if (p->payload_len) {
563  /* Fallback on packet payload */
564  AlertAddPayload(json_output_ctx, js, p);
565  }
566  } else {
567  /* This is a single packet and not a stream */
568  AlertAddPayload(json_output_ctx, js, p);
569  }
570 
571  json_object_set_new(js, "stream", json_integer(stream));
572  }
573 
574  /* base64-encoded full packet */
575  if (json_output_ctx->flags & LOG_JSON_PACKET) {
576  AlertJsonPacket(p, js);
577  }
578 
579  /* signature text */
580  if (json_output_ctx->flags & LOG_JSON_RULE) {
581  hjs = json_object_get(js, "alert");
582  if (json_is_object(hjs))
583  json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
584  }
585 
586  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
587  json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
588 
589  /* xff header */
590  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
591  int have_xff_ip = 0;
592  char buffer[XFF_MAXLEN];
593 
594  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
595  if (pa->flags & PACKET_ALERT_FLAG_TX) {
596  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
597  } else {
598  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, buffer, XFF_MAXLEN);
599  }
600  }
601 
602  if (have_xff_ip) {
603  if (xff_cfg->flags & XFF_EXTRADATA) {
604  json_object_set_new(js, "xff", json_string(buffer));
605  }
606  else if (xff_cfg->flags & XFF_OVERWRITE) {
607  if (p->flowflags & FLOW_PKT_TOCLIENT) {
608  json_object_set(js, "dest_ip", json_string(buffer));
609  } else {
610  json_object_set(js, "src_ip", json_string(buffer));
611  }
612  }
613  }
614  }
615 
616  OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
617  json_object_del(js, "alert");
618  }
619  json_object_clear(js);
620  json_decref(js);
621 
622  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
623  LOG_JSON_TAGGED_PACKETS)) {
624  MemBufferReset(aft->json_buffer);
625  json_t *packetjs = CreateJSONHeader(p, LOG_DIR_PACKET, "packet");
626  if (unlikely(packetjs != NULL)) {
627  AlertJsonPacket(p, packetjs);
628  OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
629  json_decref(packetjs);
630  }
631  }
632 
633  return TM_ECODE_OK;
634 }
635 
636 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
637 {
638  int i;
639  char timebuf[64];
640  json_t *js;
641 
642  if (p->alerts.cnt == 0)
643  return TM_ECODE_OK;
644 
645  CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
646 
647  for (i = 0; i < p->alerts.cnt; i++) {
648  MemBufferReset(aft->json_buffer);
649 
650  const PacketAlert *pa = &p->alerts.alerts[i];
651  if (unlikely(pa->s == NULL)) {
652  continue;
653  }
654 
655  const char *action = "allowed";
657  action = "blocked";
658  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
659  action = "blocked";
660  }
661 
662  char buf[(32 * 3) + 1];
663  PrintRawLineHexBuf(buf, sizeof(buf), GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
664 
665  js = json_object();
666  if (js == NULL)
667  return TM_ECODE_OK;
668 
669  json_t *ajs = json_object();
670  if (ajs == NULL) {
671  json_decref(js);
672  return TM_ECODE_OK;
673  }
674 
675  /* time & tx */
676  json_object_set_new(js, "timestamp", json_string(timebuf));
677 
678  /* tuple */
679  //json_object_set_new(js, "srcip", json_string(srcip));
680  //json_object_set_new(js, "sp", json_integer(p->sp));
681  //json_object_set_new(js, "dstip", json_string(dstip));
682  //json_object_set_new(js, "dp", json_integer(p->dp));
683  //json_object_set_new(js, "proto", json_integer(proto));
684 
685  json_object_set_new(ajs, "action", json_string(action));
686  json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
687  json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
688  json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
689  json_object_set_new(ajs, "signature",
690  json_string((pa->s->msg) ? pa->s->msg : ""));
691  json_object_set_new(ajs, "category",
692  json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
693  json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
694 
695  if (p->tenant_id > 0)
696  json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
697 
698  /* alert */
699  json_object_set_new(js, "alert", ajs);
700  OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
701  json_object_clear(js);
702  json_decref(js);
703  }
704 
705  return TM_ECODE_OK;
706 }
707 
708 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
709 {
710  JsonAlertLogThread *aft = thread_data;
711 
712  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
713  return AlertJson(tv, aft, p);
714  } else if (p->alerts.cnt > 0) {
715  return AlertJsonDecoderEvent(tv, aft, p);
716  }
717  return 0;
718 }
719 
720 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
721 {
722  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
723  return TRUE;
724  }
725  return FALSE;
726 }
727 
728 #define OUTPUT_BUFFER_SIZE 65535
729 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
730 {
731  JsonAlertLogThread *aft = SCMalloc(sizeof(JsonAlertLogThread));
732  if (unlikely(aft == NULL))
733  return TM_ECODE_FAILED;
734  memset(aft, 0, sizeof(JsonAlertLogThread));
735  if(initdata == NULL)
736  {
737  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
738  SCFree(aft);
739  return TM_ECODE_FAILED;
740  }
741 
742  aft->json_buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
743  if (aft->json_buffer == NULL) {
744  SCFree(aft);
745  return TM_ECODE_FAILED;
746  }
747 
748  /** Use the Output Context (file pointer and mutex) */
749  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
750  aft->file_ctx = json_output_ctx->file_ctx;
751  aft->json_output_ctx = json_output_ctx;
752 
753  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
754  if (aft->payload_buffer == NULL) {
755  MemBufferFree(aft->json_buffer);
756  SCFree(aft);
757  return TM_ECODE_FAILED;
758  }
759 
760  *data = (void *)aft;
761  return TM_ECODE_OK;
762 }
763 
764 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
765 {
766  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
767  if (aft == NULL) {
768  return TM_ECODE_OK;
769  }
770 
771  MemBufferFree(aft->json_buffer);
772  MemBufferFree(aft->payload_buffer);
773 
774  /* clear memory */
775  memset(aft, 0, sizeof(JsonAlertLogThread));
776 
777  SCFree(aft);
778  return TM_ECODE_OK;
779 }
780 
781 static void JsonAlertLogDeInitCtx(OutputCtx *output_ctx)
782 {
783  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
784  if (json_output_ctx != NULL) {
785  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
786  if (xff_cfg != NULL) {
787  SCFree(xff_cfg);
788  }
789  LogFileFreeCtx(json_output_ctx->file_ctx);
790  SCFree(json_output_ctx);
791  }
792  SCFree(output_ctx);
793 }
794 
795 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
796 {
797  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
798 
799  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
800 
801  if (json_output_ctx != NULL) {
802  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
803  if (xff_cfg != NULL) {
804  SCFree(xff_cfg);
805  }
806  SCFree(json_output_ctx);
807  }
808  SCFree(output_ctx);
809 }
810 
811 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
812 {
813  DEBUG_VALIDATE_BUG_ON(conf == NULL);
814  const char *setting = ConfNodeLookupChildValue(conf, name);
815  if (setting != NULL) {
816  if (ConfValIsTrue(setting)) {
817  *out_flags |= flag;
818  } else {
819  *out_flags &= ~flag;
820  }
821  }
822 }
823 
824 #define DEFAULT_LOG_FILENAME "alert.json"
825 
826 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
827  ConfNode *conf)
828 {
829  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
830  uint16_t flags = METADATA_DEFAULTS;
831 
832  if (conf != NULL) {
833  /* Check for metadata to enable/disable. */
834  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
835  if (metadata != NULL) {
836  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
837  flags &= ~METADATA_DEFAULTS;
838  } else if (ConfNodeHasChildren(metadata)) {
839  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
840  if (rule_metadata) {
841  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
842  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
843  &flags);
844  }
845  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
846  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
847  }
848  }
849 
850  /* Non-metadata toggles. */
851  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
852  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
853  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
854  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
855  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
856  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
857 
858  /* Check for obsolete configuration flags to enable specific
859  * protocols. These are now just aliases for enabling
860  * app-layer logging. */
861  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
862  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
863  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
864  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
865  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
866 
867  /* And check for obsolete configuration flags for enabling
868  * app-layer and flow as these have been moved under the
869  * metadata key. */
870  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
871  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
872 
873  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
874 
875  if (payload_buffer_value != NULL) {
876  uint32_t value;
877  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
878  SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
879  "payload-buffer-size - %s. Killing engine",
880  payload_buffer_value);
881  exit(EXIT_FAILURE);
882  } else {
883  payload_buffer_size = value;
884  }
885  }
886 
887  json_output_ctx->payload_buffer_size = payload_buffer_size;
888  }
889 
890  if (flags & LOG_JSON_RULE_METADATA) {
892  }
893 
894  json_output_ctx->flags |= flags;
895 }
896 
897 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
898 {
899  HttpXFFCfg *xff_cfg = NULL;
900  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
901  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
902  if (likely(xff_cfg != NULL)) {
903  HttpXFFGetCfg(conf, xff_cfg);
904  }
905  }
906  return xff_cfg;
907 }
908 
909 /**
910  * \brief Create a new LogFileCtx for "fast" output style.
911  * \param conf The configuration node for this output.
912  * \return A LogFileCtx pointer on success, NULL on failure.
913  */
914 static OutputInitResult JsonAlertLogInitCtx(ConfNode *conf)
915 {
916  OutputInitResult result = { NULL, false };
917  AlertJsonOutputCtx *json_output_ctx = NULL;
918  LogFileCtx *logfile_ctx = LogFileNewCtx();
919  if (logfile_ctx == NULL) {
920  SCLogDebug("AlertFastLogInitCtx2: Could not create new LogFileCtx");
921  return result;
922  }
923 
924  if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
925  LogFileFreeCtx(logfile_ctx);
926  return result;
927  }
928 
929  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
930  if (unlikely(output_ctx == NULL)) {
931  LogFileFreeCtx(logfile_ctx);
932  return result;
933  }
934 
935  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
936  if (unlikely(json_output_ctx == NULL)) {
937  LogFileFreeCtx(logfile_ctx);
938  SCFree(output_ctx);
939  return result;
940  }
941  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
942 
943  json_output_ctx->file_ctx = logfile_ctx;
944 
945  JsonAlertLogSetupMetadata(json_output_ctx, conf);
946  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
947 
948  output_ctx->data = json_output_ctx;
949  output_ctx->DeInit = JsonAlertLogDeInitCtx;
950 
951  result.ctx = output_ctx;
952  result.ok = true;
953  return result;
954 }
955 
956 /**
957  * \brief Create a new LogFileCtx for "fast" output style.
958  * \param conf The configuration node for this output.
959  * \return A LogFileCtx pointer on success, NULL on failure.
960  */
961 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
962 {
963  OutputInitResult result = { NULL, false };
964  OutputJsonCtx *ajt = parent_ctx->data;
965  AlertJsonOutputCtx *json_output_ctx = NULL;
966 
967  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
968  if (unlikely(output_ctx == NULL))
969  return result;
970 
971  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
972  if (unlikely(json_output_ctx == NULL)) {
973  goto error;
974  }
975  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
976 
977  json_output_ctx->file_ctx = ajt->file_ctx;
978  json_output_ctx->cfg = ajt->cfg;
979 
980  JsonAlertLogSetupMetadata(json_output_ctx, conf);
981  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
982  if (json_output_ctx->xff_cfg == NULL) {
983  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
984  }
985 
986  output_ctx->data = json_output_ctx;
987  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
988 
989  result.ctx = output_ctx;
990  result.ok = true;
991  return result;
992 
993 error:
994  if (json_output_ctx != NULL) {
995  SCFree(json_output_ctx);
996  }
997  if (output_ctx != NULL) {
998  SCFree(output_ctx);
999  }
1000 
1001  return result;
1002 }
1003 
1004 void JsonAlertLogRegister (void)
1005 {
1007  JsonAlertLogInitCtx, JsonAlertLogger, JsonAlertLogCondition,
1008  JsonAlertLogThreadInit, JsonAlertLogThreadDeinit, NULL);
1010  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1011  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1012  NULL);
1013 }
1014 
1015 #else
1016 
1018 {
1019 }
1020 
1021 #endif
1022 
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:283
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
uint16_t flags
void PrintRawLineHexBuf(char *retbuf, uint32_t retbuflen, uint8_t *buf, uint32_t buflen)
print a buffer as hex on a single line in to retbuf buffer
Definition: util-print.c:61
#define SCLogDebug(...)
Definition: util-debug.h:335
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
DetectMetadata * metadata
Definition: detect.h:556
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
struct Flow_ * flow
Definition: decode.h:444
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:285
#define ACTION_REJECT_DST
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:870
uint32_t flags
Definition: detect.h:493
uint8_t proto
Definition: flow.h:346
char * msg
Definition: detect.h:549
Per flow DNS state container.
uint32_t id
Definition: detect.h:525
#define FALSE
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
#define unlikely(expr)
Definition: util-optimize.h:35
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
int prio
Definition: detect.h:528
Per flow DNP3 state.
#define ACTION_REJECT
uint8_t action
Definition: decode.h:270
uint64_t offset
#define IS_TUNNEL_PKT(p)
Definition: decode.h:894
#define PKT_IS_IPV6(p)
Definition: decode.h:251
const char * value
const char * key
DNP3 transaction.
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:992
char * val
Definition: conf.h:34
#define MODULE_NAME
int EngineModeIsIPS(void)
Definition: suricata.c:241
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:258
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
#define TRUE
#define PKT_IS_IPV4(p)
Definition: decode.h:250
Signature metadata list.
#define XFF_MAXLEN
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:256
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:293
const struct Signature_ * s
Definition: decode.h:272
SSLv[2.0|3.[0|1|2|3]] state structure.
#define SCCalloc(nm, a)
Definition: util-mem.h:205
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:160
#define SCMutexUnlock(mut)
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:179
int datalink
Definition: decode.h:579
uint8_t proto
Definition: decode.h:429
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:201
#define ACTION_REJECT_BOTH
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
uint8_t recursion_level
Definition: decode.h:432
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow...
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
uint8_t flowflags
Definition: decode.h:438
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
uint8_t * buffer
Definition: util-buffer.h:28
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:224
uint32_t gid
Definition: detect.h:526
uint8_t proto
void JsonAlertLogRegister(void)
uint64_t tx_id
Definition: decode.h:273
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
char * class_msg
Definition: detect.h:552
Definition: conf.h:32
OutputCtx * ctx
Definition: output.h:42
#define DEFAULT_LOG_FILENAME
#define SCMalloc(a)
Definition: util-mem.h:174
SCMutex tunnel_mutex
Definition: decode.h:592
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:260
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define XFF_OVERWRITE
char * sig_str
Definition: detect.h:558
#define SCFree(a)
Definition: util-mem.h:236
#define OUTPUT_BUFFER_SIZE
Definition: log-dnslog.c:58
uint16_t tx_id
uint8_t flags
Definition: decode.h:271
#define SCMutex
void * data
Definition: tm-modules.h:81
#define SCMutexLock(mut)
#define PKT_HAS_TAG
Definition: decode.h:1097
SCMutex m
Definition: flow-hash.h:105
uint32_t rev
Definition: detect.h:527
PacketAlerts alerts
Definition: decode.h:560
void * FlowGetAppState(const Flow *f)
Definition: flow.c:997
#define GET_PKT_DATA(p)
Definition: decode.h:224
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:272
#define XFF_DISABLED
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:281
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:796
struct DetectMetadata_ * next
uint16_t cnt
Definition: decode.h:292
void DetectEngineSetParseMetadata(void)
uint32_t tenant_id
Definition: decode.h:599
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:450
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:186
#define FLOW_PKT_TOCLIENT
Definition: flow.h:194
AppProto alproto
application level protocol
Definition: flow.h:407
#define GET_PKT_LEN(p)
Definition: decode.h:223
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:287
#define ACTION_DROP
uint32_t flags
Definition: decode.h:442
uint16_t payload_len
Definition: decode.h:546
#define likely(expr)
Definition: util-optimize.h:32
uint32_t offset
Definition: util-buffer.h:30
Flow data structure.
Definition: flow.h:327
uint8_t * payload
Definition: decode.h:545
#define XFF_EXTRADATA
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
struct Packet_ * root
Definition: decode.h:582
#define DEBUG_VALIDATE_BUG_ON(exp)