suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 
43 #include "detect-parse.h"
44 #include "detect-engine.h"
45 #include "detect-engine-mpm.h"
46 #include "detect-reference.h"
47 #include "detect-metadata.h"
48 #include "app-layer-parser.h"
49 #include "app-layer-dnp3.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "util-syslog.h"
55 #include "util-logopenfile.h"
56 
57 #include "output.h"
58 #include "output-json.h"
59 #include "output-json-alert.h"
60 #include "output-json-dnp3.h"
61 #include "output-json-dns.h"
62 #include "output-json-http.h"
63 #include "output-json-tls.h"
64 #include "output-json-ssh.h"
65 #include "rust.h"
66 #include "output-json-smtp.h"
68 #include "output-json-nfs.h"
69 #include "output-json-smb.h"
70 #include "output-json-flow.h"
71 #include "output-json-sip.h"
72 #include "output-json-rfb.h"
73 #include "output-json-mqtt.h"
74 
75 #include "util-byte.h"
76 #include "util-privs.h"
77 #include "util-print.h"
78 #include "util-proto-name.h"
79 #include "util-optimize.h"
80 #include "util-buffer.h"
81 #include "util-crypt.h"
82 #include "util-validate.h"
83 
84 #define MODULE_NAME "JsonAlertLog"
85 
86 #define LOG_JSON_PAYLOAD BIT_U16(0)
87 #define LOG_JSON_PACKET BIT_U16(1)
88 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
89 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
90 #define LOG_JSON_APP_LAYER BIT_U16(4)
91 #define LOG_JSON_FLOW BIT_U16(5)
92 #define LOG_JSON_HTTP_BODY BIT_U16(6)
93 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
94 #define LOG_JSON_RULE_METADATA BIT_U16(8)
95 #define LOG_JSON_RULE BIT_U16(9)
96 
97 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
98  LOG_JSON_APP_LAYER | \
99  LOG_JSON_RULE_METADATA)
100 
101 #define JSON_BODY_LOGGING (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
102 
103 #define JSON_STREAM_BUFFER_SIZE 4096
104 
105 typedef struct AlertJsonOutputCtx_ {
107  uint16_t flags;
113 
114 typedef struct JsonAlertLogThread_ {
115  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
121 
122 /* Callback function to pack payload contents from a stream into a buffer
123  * so we can report them in JSON output. */
124 static int AlertJsonDumpStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
125 {
126  MemBuffer *payload = (MemBuffer *)data;
127  MemBufferWriteRaw(payload, buf, buflen);
128 
129  return 1;
130 }
131 
132 static void AlertJsonTls(const Flow *f, JsonBuilder *js)
133 {
134  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
135  if (ssl_state) {
136  jb_open_object(js, "tls");
137 
138  JsonTlsLogJSONBasic(js, ssl_state);
139  JsonTlsLogJSONExtended(js, ssl_state);
140 
141  jb_close(js);
142  }
143 
144  return;
145 }
146 
147 static void AlertJsonSsh(const Flow *f, JsonBuilder *js)
148 {
149  void *ssh_state = FlowGetAppState(f);
150  if (ssh_state) {
151  JsonBuilderMark mark = { 0, 0, 0 };
152  void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0);
153  jb_get_mark(js, &mark);
154  jb_open_object(js, "ssh");
155  if (rs_ssh_log_json(tx_ptr, js)) {
156  jb_close(js);
157  } else {
158  jb_restore_mark(js, &mark);
159  }
160  }
161 
162  return;
163 }
164 
165 static void AlertJsonHttp2(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
166 {
167  void *h2_state = FlowGetAppState(f);
168  if (h2_state) {
169  void *tx_ptr = rs_http2_state_get_tx(h2_state, tx_id);
170  JsonBuilderMark mark = { 0, 0, 0 };
171  jb_get_mark(js, &mark);
172  jb_open_object(js, "http");
173  if (rs_http2_log_json(tx_ptr, js)) {
174  jb_close(js);
175  } else {
176  jb_restore_mark(js, &mark);
177  }
178  }
179 
180  return;
181 }
182 
183 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
184 {
185  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
186  if (dnp3_state) {
188  dnp3_state, tx_id);
189  if (tx) {
190  JsonBuilderMark mark = { 0, 0, 0 };
191  jb_get_mark(js, &mark);
192  bool logged = false;
193  jb_open_object(js, "dnp3");
194  if (tx->has_request && tx->request_done) {
195  jb_open_object(js, "request");
196  JsonDNP3LogRequest(js, tx);
197  jb_close(js);
198  logged = true;
199  }
200  if (tx->has_response && tx->response_done) {
201  jb_open_object(js, "response");
202  JsonDNP3LogResponse(js, tx);
203  jb_close(js);
204  logged = true;
205  }
206  if (logged) {
207  /* Close dnp3 object. */
208  jb_close(js);
209  } else {
210  jb_restore_mark(js, &mark);
211  }
212  }
213  }
214 }
215 
216 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
217 {
218  void *dns_state = (void *)FlowGetAppState(f);
219  if (dns_state) {
220  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
221  dns_state, tx_id);
222  if (txptr) {
223  jb_open_object(js, "dns");
224  JsonBuilder *qjs = JsonDNSLogQuery(txptr, tx_id);
225  if (qjs != NULL) {
226  jb_set_object(js, "query", qjs);
227  jb_free(qjs);
228  }
229  JsonBuilder *ajs = JsonDNSLogAnswer(txptr, tx_id);
230  if (ajs != NULL) {
231  jb_set_object(js, "answer", ajs);
232  jb_free(ajs);
233  }
234  jb_close(js);
235  }
236  }
237  return;
238 }
239 
240 static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
241 {
242  void *snmp_state = (void *)FlowGetAppState(f);
243  if (snmp_state != NULL) {
244  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_SNMP, snmp_state,
245  tx_id);
246  if (tx != NULL) {
247  jb_open_object(js, "snmp");
248  rs_snmp_log_json_response(js, snmp_state, tx);
249  jb_close(js);
250  }
251  }
252 }
253 
254 static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
255 {
256  void *rdp_state = (void *)FlowGetAppState(f);
257  if (rdp_state != NULL) {
258  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state,
259  tx_id);
260  if (tx != NULL) {
261  JsonBuilderMark mark = { 0, 0, 0 };
262  jb_get_mark(js, &mark);
263  if (!rs_rdp_to_json(tx, js)) {
264  jb_restore_mark(js, &mark);
265  }
266  }
267  }
268 }
269 
270 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
271  JsonBuilder *js, JsonAddrInfo *addr)
272 {
273  jb_open_object(js, "source");
274  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
275  jb_set_string(js, "ip", addr->src_ip);
276  switch (p->proto) {
277  case IPPROTO_ICMP:
278  case IPPROTO_ICMPV6:
279  break;
280  case IPPROTO_UDP:
281  case IPPROTO_TCP:
282  case IPPROTO_SCTP:
283  jb_set_uint(js, "port", addr->sp);
284  break;
285  }
286  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
287  jb_set_string(js, "ip", addr->dst_ip);
288  switch (p->proto) {
289  case IPPROTO_ICMP:
290  case IPPROTO_ICMPV6:
291  break;
292  case IPPROTO_UDP:
293  case IPPROTO_TCP:
294  case IPPROTO_SCTP:
295  jb_set_uint(js, "port", addr->dp);
296  break;
297  }
298  }
299  jb_close(js);
300 
301  jb_open_object(js, "target");
302  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
303  jb_set_string(js, "ip", addr->dst_ip);
304  switch (p->proto) {
305  case IPPROTO_ICMP:
306  case IPPROTO_ICMPV6:
307  break;
308  case IPPROTO_UDP:
309  case IPPROTO_TCP:
310  case IPPROTO_SCTP:
311  jb_set_uint(js, "port", addr->dp);
312  break;
313  }
314  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
315  jb_set_string(js, "ip", addr->src_ip);
316  switch (p->proto) {
317  case IPPROTO_ICMP:
318  case IPPROTO_ICMPV6:
319  break;
320  case IPPROTO_UDP:
321  case IPPROTO_TCP:
322  case IPPROTO_SCTP:
323  jb_set_uint(js, "port", addr->sp);
324  break;
325  }
326  }
327  jb_close(js);
328 }
329 
330 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
331  const PacketAlert *pa, JsonBuilder *js)
332 {
333  if (pa->s->metadata && pa->s->metadata->json_str) {
334  jb_set_formatted(js, pa->s->metadata->json_str);
335  }
336 }
337 
338 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa,
339  JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
340 {
341  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
342  const char *action = "allowed";
343  /* use packet action if rate_filter modified the action */
347  action = "blocked";
348  }
349  } else {
351  action = "blocked";
352  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
353  action = "blocked";
354  }
355  }
356 
357  /* Add tx_id to root element for correlation with other events. */
358  /* json_object_del(js, "tx_id"); */
359  if (pa->flags & PACKET_ALERT_FLAG_TX) {
360  jb_set_uint(js, "tx_id", pa->tx_id);
361  }
362 
363  jb_open_object(js, "alert");
364 
365  jb_set_string(js, "action", action);
366  jb_set_uint(js, "gid", pa->s->gid);
367  jb_set_uint(js, "signature_id", pa->s->id);
368  jb_set_uint(js, "rev", pa->s->rev);
369  /* TODO: JsonBuilder should handle unprintable characters like
370  * SCJsonString. */
371  jb_set_string(js, "signature", pa->s->msg ? pa->s->msg: "");
372  jb_set_string(js, "category", pa->s->class_msg ? pa->s->class_msg: "");
373  jb_set_uint(js, "severity", pa->s->prio);
374 
375  if (p->tenant_id > 0) {
376  jb_set_uint(js, "tenant_id", p->tenant_id);
377  }
378 
379  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
380  AlertJsonSourceTarget(p, pa, js, addr);
381  }
382 
383  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
384  AlertJsonMetadata(json_output_ctx, pa, js);
385  }
386 
387  if (flags & LOG_JSON_RULE) {
388  jb_set_string(js, "rule", pa->s->sig_str);
389  }
390 
391  jb_close(js);
392 }
393 
394 static void AlertJsonTunnel(const Packet *p, JsonBuilder *js)
395 {
396  if (p->root == NULL) {
397  return;
398  }
399 
400  jb_open_object(js, "tunnel");
401 
402  /* get a lock to access root packet fields */
403  SCMutex *m = &p->root->tunnel_mutex;
404 
406  SCMutexLock(m);
407  JsonAddrInfoInit(p->root, 0, &addr);
408  SCMutexUnlock(m);
409 
410  jb_set_string(js, "src_ip", addr.src_ip);
411  jb_set_uint(js, "src_port", addr.sp);
412  jb_set_string(js, "dest_ip", addr.dst_ip);
413  jb_set_uint(js, "dest_port", addr.dp);
414  jb_set_string(js, "proto", addr.proto);
415 
416  jb_set_uint(js, "depth", p->recursion_level);
417 
418  jb_close(js);
419 }
420 
421 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js, const Packet *p)
422 {
423  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
424  unsigned long len = p->payload_len * 2 + 1;
425  uint8_t encoded[len];
426  if (Base64Encode(p->payload, p->payload_len, encoded, &len) == SC_BASE64_OK) {
427  jb_set_string(js, "payload", (char *)encoded);
428  }
429  }
430 
431  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
432  uint8_t printable_buf[p->payload_len + 1];
433  uint32_t offset = 0;
434  PrintStringsToBuffer(printable_buf, &offset,
435  p->payload_len + 1,
436  p->payload, p->payload_len);
437  printable_buf[p->payload_len] = '\0';
438  jb_set_string(js, "payload_printable", (char *)printable_buf);
439  }
440 }
441 
442 static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
443  const uint64_t tx_id, const uint16_t option_flags)
444 {
446  JsonBuilderMark mark = { 0, 0, 0 };
447  switch (proto) {
448  case ALPROTO_HTTP:
449  // TODO: Could result in an empty http object being logged.
450  jb_open_object(jb, "http");
451  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
452  if (option_flags & LOG_JSON_HTTP_BODY) {
453  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
454  }
455  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
456  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
457  }
458  }
459  jb_close(jb);
460  break;
461  case ALPROTO_TLS:
462  AlertJsonTls(p->flow, jb);
463  break;
464  case ALPROTO_SSH:
465  AlertJsonSsh(p->flow, jb);
466  break;
467  case ALPROTO_SMTP:
468  jb_get_mark(jb, &mark);
469  jb_open_object(jb, "smtp");
470  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
471  jb_close(jb);
472  } else {
473  jb_restore_mark(jb, &mark);
474  }
475  jb_get_mark(jb, &mark);
476  jb_open_object(jb, "email");
477  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
478  jb_close(jb);
479  } else {
480  jb_restore_mark(jb, &mark);
481  }
482  break;
483  case ALPROTO_NFS:
484  /* rpc */
485  jb_get_mark(jb, &mark);
486  jb_open_object(jb, "rpc");
487  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
488  jb_close(jb);
489  } else {
490  jb_restore_mark(jb, &mark);
491  }
492  /* nfs */
493  jb_get_mark(jb, &mark);
494  jb_open_object(jb, "nfs");
495  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
496  jb_close(jb);
497  } else {
498  jb_restore_mark(jb, &mark);
499  }
500  break;
501  case ALPROTO_SMB:
502  jb_get_mark(jb, &mark);
503  jb_open_object(jb, "smb");
504  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
505  jb_close(jb);
506  } else {
507  jb_restore_mark(jb, &mark);
508  }
509  break;
510  case ALPROTO_SIP:
511  JsonSIPAddMetadata(jb, p->flow, tx_id);
512  break;
513  case ALPROTO_RFB:
514  jb_get_mark(jb, &mark);
515  if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) {
516  jb_restore_mark(jb, &mark);
517  }
518  break;
519  case ALPROTO_FTPDATA:
520  EveFTPDataAddMetadata(p->flow, jb);
521  break;
522  case ALPROTO_DNP3:
523  AlertJsonDnp3(p->flow, tx_id, jb);
524  break;
525  case ALPROTO_HTTP2:
526  AlertJsonHttp2(p->flow, tx_id, jb);
527  break;
528  case ALPROTO_DNS:
529  AlertJsonDns(p->flow, tx_id, jb);
530  break;
531  case ALPROTO_MQTT:
532  jb_get_mark(jb, &mark);
533  if (!JsonMQTTAddMetadata(p->flow, tx_id, jb)) {
534  jb_restore_mark(jb, &mark);
535  }
536  break;
537  case ALPROTO_SNMP:
538  AlertJsonSNMP(p->flow, tx_id, jb);
539  break;
540  case ALPROTO_RDP:
541  AlertJsonRDP(p->flow, tx_id, jb);
542  break;
543  default:
544  break;
545  }
546 }
547 
548 static void AlertAddFiles(const Packet *p, JsonBuilder *jb, const uint64_t tx_id)
549 {
552  if (ffc != NULL) {
553  File *file = ffc->head;
554  bool isopen = false;
555  while (file) {
556  if (tx_id == file->txid) {
557  if (!isopen) {
558  isopen = true;
559  jb_open_array(jb, "files");
560  }
561  jb_start_object(jb);
562  EveFileInfo(jb, file, file->flags & FILE_STORED);
563  jb_close(jb);
564  }
565  file = file->next;
566  }
567  if (isopen) {
568  jb_close(jb);
569  }
570  }
571 }
572 
573 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
574 {
575  MemBuffer *payload = aft->payload_buffer;
576  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
577 
578  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
579  return TM_ECODE_OK;
580 
581  for (int i = 0; i < p->alerts.cnt; i++) {
582  const PacketAlert *pa = &p->alerts.alerts[i];
583  if (unlikely(pa->s == NULL)) {
584  continue;
585  }
586 
587  /* First initialize the address info (5-tuple). */
589  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
590 
591  /* Check for XFF, overwriting address info if needed. */
592  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
593  json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
594  int have_xff_ip = 0;
595  char xff_buffer[XFF_MAXLEN];
596  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
597  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
598  if (pa->flags & PACKET_ALERT_FLAG_TX) {
599  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
600  xff_buffer, XFF_MAXLEN);
601  } else {
602  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
603  XFF_MAXLEN);
604  }
605  }
606 
607  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
608  if (p->flowflags & FLOW_PKT_TOCLIENT) {
609  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
610  } else {
611  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
612  }
613  /* Clear have_xff_ip so the xff field does not get
614  * logged below. */
615  have_xff_ip = false;
616  }
617  }
618 
619  JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr);
620  if (unlikely(jb == NULL))
621  return TM_ECODE_OK;
622  EveAddCommonOptions(&json_output_ctx->cfg, p, p->flow, jb);
623 
625 
626  /* alert */
627  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags,
628  &addr);
629 
630  if (IS_TUNNEL_PKT(p)) {
631  AlertJsonTunnel(p, jb);
632  }
633 
634  if (p->flow != NULL) {
635  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
636  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
637  }
638  /* including fileinfo data is configured by the metadata setting */
639  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
640  AlertAddFiles(p, jb, pa->tx_id);
641  }
642 
643  EveAddAppProto(p->flow, jb);
644  if (json_output_ctx->flags & LOG_JSON_FLOW) {
645  jb_open_object(jb, "flow");
646  EveAddFlow(p->flow, jb);
647  jb_close(jb);
648  }
649  }
650 
651  /* payload */
652  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
653  int stream = (p->proto == IPPROTO_TCP) ?
655  1 : 0) : 0;
656 
657  /* Is this a stream? If so, pack part of it into the payload field */
658  if (stream) {
659  uint8_t flag;
660 
661  MemBufferReset(payload);
662 
663  if (p->flowflags & FLOW_PKT_TOSERVER) {
664  flag = FLOW_PKT_TOCLIENT;
665  } else {
666  flag = FLOW_PKT_TOSERVER;
667  }
668 
669  StreamSegmentForEach((const Packet *)p, flag,
670  AlertJsonDumpStreamSegmentCallback,
671  (void *)payload);
672  if (payload->offset) {
673  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
674  unsigned long len = json_output_ctx->payload_buffer_size * 2;
675  uint8_t encoded[len];
676  Base64Encode(payload->buffer, payload->offset, encoded, &len);
677  jb_set_string(jb, "payload", (char *)encoded);
678  }
679 
680  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
681  uint8_t printable_buf[payload->offset + 1];
682  uint32_t offset = 0;
683  PrintStringsToBuffer(printable_buf, &offset,
684  sizeof(printable_buf),
685  payload->buffer, payload->offset);
686  jb_set_string(jb, "payload_printable", (char *)printable_buf);
687  }
688  } else if (p->payload_len) {
689  /* Fallback on packet payload */
690  AlertAddPayload(json_output_ctx, jb, p);
691  }
692  } else {
693  /* This is a single packet and not a stream */
694  AlertAddPayload(json_output_ctx, jb, p);
695  }
696 
697  jb_set_uint(jb, "stream", stream);
698  }
699 
700  /* base64-encoded full packet */
701  if (json_output_ctx->flags & LOG_JSON_PACKET) {
702  EvePacket(p, jb, 0);
703  }
704 
705  if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) {
706  jb_set_string(jb, "xff", xff_buffer);
707  }
708 
710  jb_free(jb);
711  }
712 
713  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
716  JsonBuilder *packetjs = CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL);
717  if (unlikely(packetjs != NULL)) {
718  EvePacket(p, packetjs, 0);
719  OutputJsonBuilderBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
720  jb_free(packetjs);
721  }
722  }
723 
724  return TM_ECODE_OK;
725 }
726 
727 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
728 {
729  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
730  char timebuf[64];
731 
732  if (p->alerts.cnt == 0)
733  return TM_ECODE_OK;
734 
735  CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
736 
737  for (int i = 0; i < p->alerts.cnt; i++) {
739 
740  const PacketAlert *pa = &p->alerts.alerts[i];
741  if (unlikely(pa->s == NULL)) {
742  continue;
743  }
744 
745  JsonBuilder *jb = jb_new_object();
746  if (unlikely(jb == NULL)) {
747  return TM_ECODE_OK;
748  }
749 
750  /* just the timestamp, no tuple */
751  jb_set_string(jb, "timestamp", timebuf);
752 
753  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL);
754 
756  jb_free(jb);
757  }
758 
759  return TM_ECODE_OK;
760 }
761 
762 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
763 {
764  JsonAlertLogThread *aft = thread_data;
765 
766  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
767  return AlertJson(tv, aft, p);
768  } else if (p->alerts.cnt > 0) {
769  return AlertJsonDecoderEvent(tv, aft, p);
770  }
771  return 0;
772 }
773 
774 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
775 {
776  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
777  return TRUE;
778  }
779  return FALSE;
780 }
781 
782 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
783 {
785  if (unlikely(aft == NULL))
786  return TM_ECODE_FAILED;
787 
788  if (initdata == NULL)
789  {
790  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
791  goto error_exit;
792  }
793 
795  if (aft->json_buffer == NULL) {
796  goto error_exit;
797  }
798 
799  /** Use the Output Context (file pointer and mutex) */
800  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
801 
802  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
803  if (aft->payload_buffer == NULL) {
804  goto error_exit;
805  }
806  aft->file_ctx = LogFileEnsureExists(json_output_ctx->file_ctx, t->id);
807  if (!aft->file_ctx) {
808  goto error_exit;
809  }
810 
811  aft->json_output_ctx = json_output_ctx;
812 
813  *data = (void *)aft;
814  return TM_ECODE_OK;
815 
816 error_exit:
817  if (aft->json_buffer != NULL) {
819  }
820  if (aft->payload_buffer != NULL) {
822  }
823  SCFree(aft);
824  return TM_ECODE_FAILED;
825 }
826 
827 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
828 {
829  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
830  if (aft == NULL) {
831  return TM_ECODE_OK;
832  }
833 
836 
837  /* clear memory */
838  memset(aft, 0, sizeof(JsonAlertLogThread));
839 
840  SCFree(aft);
841  return TM_ECODE_OK;
842 }
843 
844 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
845 {
846  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
847 
848  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
849 
850  if (json_output_ctx != NULL) {
851  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
852  if (xff_cfg != NULL) {
853  SCFree(xff_cfg);
854  }
855  SCFree(json_output_ctx);
856  }
857  SCFree(output_ctx);
858 }
859 
860 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
861 {
862  DEBUG_VALIDATE_BUG_ON(conf == NULL);
863  const char *setting = ConfNodeLookupChildValue(conf, name);
864  if (setting != NULL) {
865  if (ConfValIsTrue(setting)) {
866  *out_flags |= flag;
867  } else {
868  *out_flags &= ~flag;
869  }
870  }
871 }
872 
873 #define DEFAULT_LOG_FILENAME "alert.json"
874 
875 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
876  ConfNode *conf)
877 {
878  static bool warn_no_meta = false;
879  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
880  uint16_t flags = METADATA_DEFAULTS;
881 
882  if (conf != NULL) {
883  /* Check for metadata to enable/disable. */
884  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
885  if (metadata != NULL) {
886  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
888  } else if (ConfNodeHasChildren(metadata)) {
889  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
890  if (rule_metadata) {
891  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
892  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
893  &flags);
894  }
895  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
896  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
897  }
898  }
899 
900  /* Non-metadata toggles. */
901  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
902  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
903  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
904  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
905  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
906  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
907 
908  /* Check for obsolete configuration flags to enable specific
909  * protocols. These are now just aliases for enabling
910  * app-layer logging. */
911  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
912  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
913  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
914  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
915  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
916 
917  /* And check for obsolete configuration flags for enabling
918  * app-layer and flow as these have been moved under the
919  * metadata key. */
920  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
921  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
922 
923  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
924 
925  if (payload_buffer_value != NULL) {
926  uint32_t value;
927  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
928  SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
929  "payload-buffer-size - %s. Killing engine",
930  payload_buffer_value);
931  exit(EXIT_FAILURE);
932  } else {
933  payload_buffer_size = value;
934  }
935  }
936 
937  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
938  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
939  SCLogWarning(SC_WARN_ALERT_CONFIG, "HTTP body logging has been configured, however, "
940  "metadata logging has not been enabled. HTTP body logging will be disabled.");
942  warn_no_meta = true;
943  }
944  }
945 
946  json_output_ctx->payload_buffer_size = payload_buffer_size;
947  }
948 
951  }
952 
953  json_output_ctx->flags |= flags;
954 }
955 
956 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
957 {
958  HttpXFFCfg *xff_cfg = NULL;
959  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
960  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
961  if (likely(xff_cfg != NULL)) {
962  HttpXFFGetCfg(conf, xff_cfg);
963  }
964  }
965  return xff_cfg;
966 }
967 
968 /**
969  * \brief Create a new LogFileCtx for "fast" output style.
970  * \param conf The configuration node for this output.
971  * \return A LogFileCtx pointer on success, NULL on failure.
972  */
973 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
974 {
975  OutputInitResult result = { NULL, false };
976  OutputJsonCtx *ajt = parent_ctx->data;
977  AlertJsonOutputCtx *json_output_ctx = NULL;
978 
979  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
980  if (unlikely(output_ctx == NULL))
981  return result;
982 
983  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
984  if (unlikely(json_output_ctx == NULL)) {
985  goto error;
986  }
987  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
988 
989  json_output_ctx->file_ctx = ajt->file_ctx;
990  json_output_ctx->cfg = ajt->cfg;
991 
992  JsonAlertLogSetupMetadata(json_output_ctx, conf);
993  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
994  if (json_output_ctx->xff_cfg == NULL) {
995  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
996  }
997 
998  output_ctx->data = json_output_ctx;
999  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1000 
1001  result.ctx = output_ctx;
1002  result.ok = true;
1003  return result;
1004 
1005 error:
1006  if (json_output_ctx != NULL) {
1007  SCFree(json_output_ctx);
1008  }
1009  if (output_ctx != NULL) {
1010  SCFree(output_ctx);
1011  }
1012 
1013  return result;
1014 }
1015 
1017 {
1019  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1020  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1021  NULL);
1022 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
util-byte.h
tm-threads.h
Packet_::proto
uint8_t proto
Definition: decode.h:436
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
FileContainer_
Definition: util-file.h:100
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
DNP3Transaction_::response_done
uint8_t response_done
Definition: app-layer-dnp3.h:232
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:290
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-smtp.c:101
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:279
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:410
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:105
Signature_::sig_str
char * sig_str
Definition: detect.h:595
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:292
CreateIsoTimeString
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:213
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
JsonAlertLogThread_::json_buffer
MemBuffer * json_buffer
Definition: output-json-alert.c:117
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
Definition: output-json-tls.c:293
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:258
ConfNode_::val
char * val
Definition: conf.h:34
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:104
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
output-json-mqtt.h
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:95
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DNP3Transaction_::request_done
uint8_t request_done
Definition: app-layer-dnp3.h:218
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:106
PacketAlerts_::alerts
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:300
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:110
Flow_::proto
uint8_t proto
Definition: flow.h:365
StreamSegmentForEach
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:73
Packet_::payload
uint8_t * payload
Definition: decode.h:549
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:299
DNP3Transaction_::has_request
uint8_t has_request
Definition: app-layer-dnp3.h:217
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:251
Packet_::flags
uint32_t flags
Definition: decode.h:449
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:63
threads.h
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:478
OutputJsonCtx_
Definition: output-json.h:101
AlertJsonHeader
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
Definition: output-json-alert.c:338
Flow_
Flow data structure.
Definition: flow.h:347
OutputJsonCommonSettings_
Definition: output-json.h:91
util-syslog.h
logged
int logged
Definition: app-layer-htp.h:1
LogFileCtx_
Definition: util-logopenfile.h:60
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:63
output-json-tls.h
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:53
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:978
output-json-sip.h
rust.h
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:858
util-privs.h
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:444
proto
uint8_t proto
Definition: decode-template.h:0
m
SCMutex m
Definition: flow-hash.h:6
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:564
SC_BASE64_OK
@ SC_BASE64_OK
Definition: util-crypt.h:37
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-http.c:528
DNP3Transaction_::has_response
uint8_t has_response
Definition: app-layer-dnp3.h:231
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1102
util-unittest-helper.h
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:228
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:280
JsonDNSLogAnswer
JsonBuilder * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:295
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:277
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:101
detect-reference.h
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:52
Signature_::gid
uint32_t gid
Definition: detect.h:562
output-json-dnp3.h
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:53
app-layer-htp.h
Base64Encode
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:272
util-debug.h
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:84
JsonRFBAddMetadata
bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-rfb.c:60
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:44
output-json-rfb.h
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr)
Definition: output-json.c:846
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:90
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
app-layer-dnp3.h
output-json.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
MemBufferWriteRaw
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:86
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:107
SC_ERR_ALERT_PAYLOAD_BUFFER
@ SC_ERR_ALERT_PAYLOAD_BUFFER
Definition: util-error.h:310
util-print.h
detect-engine-mpm.h
util-crypt.h
FileContainer_::head
File * head
Definition: util-file.h:101
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
LogFileEnsureExists
LogFileCtx * LogFileEnsureExists(LogFileCtx *parent_ctx, int thread_id)
LogFileEnsureExists() Ensure a log file context for the thread exists.
Definition: util-logopenfile.c:659
EveFileInfo
void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
Definition: output-json.c:141
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
OutputInitResult_::ok
bool ok
Definition: output.h:45
JsonDNP3LogResponse
void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:176
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:445
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:114
TRUE
#define TRUE
Definition: suricata-common.h:33
ThreadVars_::id
int id
Definition: threadvars.h:87
SC_WARN_ALERT_CONFIG
@ SC_WARN_ALERT_CONFIG
Definition: util-error.h:357
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:529
JsonAddrInfo_
Definition: output-json.h:49
Packet_
Definition: decode.h:414
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:58
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:103
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:88
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:253
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:79
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:249
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:51
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:894
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:108
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:59
util-proto-name.h
ConfNodeHasChildren
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:795
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:220
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:89
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1057
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint32_t tx_id, JsonBuilder *js)
Definition: output-json-email-common.c:388
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:109
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:54
Signature_::class_msg
char * class_msg
Definition: detect.h:589
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:814
PacketAlert_::flags
uint8_t flags
Definition: decode.h:278
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:64
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:294
File_
Definition: util-file.h:63
OutputInitResult_
Definition: output.h:43
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:603
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
flags
uint8_t flags
Definition: decode-gre.h:0
Packet_::ts
struct timeval ts
Definition: decode.h:457
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:52
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:214
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:45
AlertJsonOutputCtx_
Definition: output-json-alert.c:105
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:119
output-json-nfs.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
FILE_STORED
#define FILE_STORED
Definition: util-file.h:47
File_::next
struct File_ * next
Definition: util-file.h:77
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
EveAddAppProto
void EveAddAppProto(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:178
Signature_::rev
uint32_t rev
Definition: detect.h:563
util-classification-config.h
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:467
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Signature_::prio
int prio
Definition: detect.h:564
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:185
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
output-json-dns.h
FlowGetAppProtocol
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1097
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
Packet_::root
struct Packet_ * root
Definition: decode.h:586
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:50
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:593
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:118
SCFree
#define SCFree(p)
Definition: util-mem.h:61
JsonAlertLogThread_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:116
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Signature_::id
uint32_t id
Definition: detect.h:561
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:439
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:93
detect-parse.h
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:87
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:55
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:590
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:51
EveFTPDataAddMetadata
void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb)
Definition: app-layer-ftp.c:1406
output-json-ssh.h
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:102
JsonDNSLogQuery
JsonBuilder * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:273
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:92
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:97
DNP3State_
Per flow DNP3 state.
Definition: app-layer-dnp3.h:258
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:244
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:91
JsonDNP3LogRequest
void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:147
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:54
PacketAlert_
Definition: decode.h:275
AlertJsonOutputCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json-alert.c:111
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:508
File_::txid
uint64_t txid
Definition: util-file.h:68
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
likely
#define likely(expr)
Definition: util-optimize.h:32
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:113
output-json-smtp.h
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1105
Signature_::msg
char * msg
Definition: detect.h:586
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4222
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-smb.c:50
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:361
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:94
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:257
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:288
JsonSIPAddMetadata
void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id)
Definition: output-json-sip.c:63
JsonMQTTAddMetadata
bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-mqtt.c:63
SCMutex
#define SCMutex
Definition: threads-debug.h:114
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h
Packet_::tunnel_mutex
SCMutex tunnel_mutex
Definition: decode.h:596
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1016
DNP3Transaction_
DNP3 transaction.
Definition: app-layer-dnp3.h:210
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:870
EveAddFlow
void EveAddFlow(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:199
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:842