suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "packet.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "stream.h"
34 #include "threads.h"
35 #include "tm-threads.h"
36 #include "threadvars.h"
37 #include "util-debug.h"
38 
39 #include "util-logopenfile.h"
40 #include "util-misc.h"
41 #include "util-time.h"
42 #include "util-unittest.h"
43 #include "util-unittest-helper.h"
44 
45 #include "detect-parse.h"
46 #include "detect-engine.h"
47 #include "detect-engine-mpm.h"
48 #include "detect-reference.h"
49 #include "detect-metadata.h"
50 #include "app-layer-parser.h"
51 #include "app-layer-dnp3.h"
52 #include "app-layer-htp.h"
53 #include "app-layer-htp-xff.h"
54 #include "app-layer-ftp.h"
55 #include "app-layer-frames.h"
57 #include "util-syslog.h"
58 #include "log-pcap.h"
59 
60 #include "output.h"
61 #include "output-json.h"
62 #include "output-json-alert.h"
63 #include "output-json-dnp3.h"
64 #include "output-json-dns.h"
65 #include "output-json-http.h"
66 #include "output-json-tls.h"
67 #include "output-json-ssh.h"
68 #include "rust.h"
69 #include "output-json-smtp.h"
71 #include "output-json-nfs.h"
72 #include "output-json-smb.h"
73 #include "output-json-flow.h"
74 #include "output-json-sip.h"
75 #include "output-json-rfb.h"
76 #include "output-json-mqtt.h"
77 #include "output-json-ike.h"
78 #include "output-json-modbus.h"
79 #include "output-json-frame.h"
80 #include "output-json-quic.h"
81 
82 #include "util-byte.h"
83 #include "util-privs.h"
84 #include "util-print.h"
85 #include "util-proto-name.h"
86 #include "util-optimize.h"
87 #include "util-buffer.h"
88 #include "util-validate.h"
89 
90 #include "action-globals.h"
91 
92 #define MODULE_NAME "JsonAlertLog"
93 
94 #define LOG_JSON_PAYLOAD BIT_U16(0)
95 #define LOG_JSON_PACKET BIT_U16(1)
96 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
97 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
98 #define LOG_JSON_APP_LAYER BIT_U16(4)
99 #define LOG_JSON_FLOW BIT_U16(5)
100 #define LOG_JSON_HTTP_BODY BIT_U16(6)
101 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
102 #define LOG_JSON_RULE_METADATA BIT_U16(8)
103 #define LOG_JSON_RULE BIT_U16(9)
104 
105 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
106  LOG_JSON_APP_LAYER | \
107  LOG_JSON_RULE_METADATA)
108 
109 #define JSON_BODY_LOGGING (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
110 
111 #define JSON_STREAM_BUFFER_SIZE 4096
112 
113 typedef struct AlertJsonOutputCtx_ {
115  uint16_t flags;
121 
122 typedef struct JsonAlertLogThread_ {
127 
128 /* Callback function to pack payload contents from a stream into a buffer
129  * so we can report them in JSON output. */
130 static int AlertJsonDumpStreamSegmentCallback(
131  const Packet *p, TcpSegment *seg, void *data, const uint8_t *buf, uint32_t buflen)
132 {
133  MemBuffer *payload = (MemBuffer *)data;
134  MemBufferWriteRaw(payload, buf, buflen);
135 
136  return 1;
137 }
138 
139 static void AlertJsonTls(const Flow *f, JsonBuilder *js)
140 {
141  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
142  if (ssl_state) {
143  jb_open_object(js, "tls");
144 
145  JsonTlsLogJSONExtended(js, ssl_state);
146 
147  jb_close(js);
148  }
149 
150  return;
151 }
152 
153 static void AlertJsonSsh(const Flow *f, JsonBuilder *js)
154 {
155  void *ssh_state = FlowGetAppState(f);
156  if (ssh_state) {
157  JsonBuilderMark mark = { 0, 0, 0 };
158  void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0);
159  jb_get_mark(js, &mark);
160  jb_open_object(js, "ssh");
161  if (rs_ssh_log_json(tx_ptr, js)) {
162  jb_close(js);
163  } else {
164  jb_restore_mark(js, &mark);
165  }
166  }
167 
168  return;
169 }
170 
171 static void AlertJsonHttp2(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
172 {
173  void *h2_state = FlowGetAppState(f);
174  if (h2_state) {
175  void *tx_ptr = rs_http2_state_get_tx(h2_state, tx_id);
176  if (tx_ptr) {
177  JsonBuilderMark mark = { 0, 0, 0 };
178  jb_get_mark(js, &mark);
179  jb_open_object(js, "http");
180  if (rs_http2_log_json(tx_ptr, js)) {
181  jb_close(js);
182  } else {
183  jb_restore_mark(js, &mark);
184  }
185  }
186  }
187 
188  return;
189 }
190 
191 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
192 {
193  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
194  if (dnp3_state) {
196  dnp3_state, tx_id);
197  if (tx) {
198  JsonBuilderMark mark = { 0, 0, 0 };
199  jb_get_mark(js, &mark);
200  bool logged = false;
201  jb_open_object(js, "dnp3");
202  if (tx->is_request && tx->done) {
203  jb_open_object(js, "request");
204  JsonDNP3LogRequest(js, tx);
205  jb_close(js);
206  logged = true;
207  }
208  if (!tx->is_request && tx->done) {
209  jb_open_object(js, "response");
210  JsonDNP3LogResponse(js, tx);
211  jb_close(js);
212  logged = true;
213  }
214  if (logged) {
215  /* Close dnp3 object. */
216  jb_close(js);
217  } else {
218  jb_restore_mark(js, &mark);
219  }
220  }
221  }
222 }
223 
224 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
225 {
226  void *dns_state = (void *)FlowGetAppState(f);
227  if (dns_state) {
228  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
229  dns_state, tx_id);
230  if (txptr) {
231  jb_open_object(js, "dns");
232  JsonBuilder *qjs = JsonDNSLogQuery(txptr, tx_id);
233  if (qjs != NULL) {
234  jb_set_object(js, "query", qjs);
235  jb_free(qjs);
236  }
237  JsonBuilder *ajs = JsonDNSLogAnswer(txptr, tx_id);
238  if (ajs != NULL) {
239  jb_set_object(js, "answer", ajs);
240  jb_free(ajs);
241  }
242  jb_close(js);
243  }
244  }
245  return;
246 }
247 
248 static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
249 {
250  void *snmp_state = (void *)FlowGetAppState(f);
251  if (snmp_state != NULL) {
252  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_SNMP, snmp_state,
253  tx_id);
254  if (tx != NULL) {
255  jb_open_object(js, "snmp");
256  rs_snmp_log_json_response(js, snmp_state, tx);
257  jb_close(js);
258  }
259  }
260 }
261 
262 static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
263 {
264  void *rdp_state = (void *)FlowGetAppState(f);
265  if (rdp_state != NULL) {
266  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state,
267  tx_id);
268  if (tx != NULL) {
269  JsonBuilderMark mark = { 0, 0, 0 };
270  jb_get_mark(js, &mark);
271  if (!rs_rdp_to_json(tx, js)) {
272  jb_restore_mark(js, &mark);
273  }
274  }
275  }
276 }
277 
278 static void AlertJsonBitTorrentDHT(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
279 {
280  void *bittorrent_dht_state = (void *)FlowGetAppState(f);
281  if (bittorrent_dht_state != NULL) {
282  void *tx =
283  AppLayerParserGetTx(f->proto, ALPROTO_BITTORRENT_DHT, bittorrent_dht_state, tx_id);
284  if (tx != NULL) {
285  JsonBuilderMark mark = { 0, 0, 0 };
286  jb_get_mark(js, &mark);
287  jb_open_object(js, "bittorrent_dht");
288  if (rs_bittorrent_dht_logger_log(tx, js)) {
289  jb_close(js);
290  } else {
291  jb_restore_mark(js, &mark);
292  }
293  }
294  }
295 }
296 
297 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
298  JsonBuilder *js, JsonAddrInfo *addr)
299 {
300  jb_open_object(js, "source");
301  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
302  jb_set_string(js, "ip", addr->src_ip);
303  switch (p->proto) {
304  case IPPROTO_ICMP:
305  case IPPROTO_ICMPV6:
306  break;
307  case IPPROTO_UDP:
308  case IPPROTO_TCP:
309  case IPPROTO_SCTP:
310  jb_set_uint(js, "port", addr->sp);
311  break;
312  }
313  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
314  jb_set_string(js, "ip", addr->dst_ip);
315  switch (p->proto) {
316  case IPPROTO_ICMP:
317  case IPPROTO_ICMPV6:
318  break;
319  case IPPROTO_UDP:
320  case IPPROTO_TCP:
321  case IPPROTO_SCTP:
322  jb_set_uint(js, "port", addr->dp);
323  break;
324  }
325  }
326  jb_close(js);
327 
328  jb_open_object(js, "target");
329  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
330  jb_set_string(js, "ip", addr->dst_ip);
331  switch (p->proto) {
332  case IPPROTO_ICMP:
333  case IPPROTO_ICMPV6:
334  break;
335  case IPPROTO_UDP:
336  case IPPROTO_TCP:
337  case IPPROTO_SCTP:
338  jb_set_uint(js, "port", addr->dp);
339  break;
340  }
341  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
342  jb_set_string(js, "ip", addr->src_ip);
343  switch (p->proto) {
344  case IPPROTO_ICMP:
345  case IPPROTO_ICMPV6:
346  break;
347  case IPPROTO_UDP:
348  case IPPROTO_TCP:
349  case IPPROTO_SCTP:
350  jb_set_uint(js, "port", addr->sp);
351  break;
352  }
353  }
354  jb_close(js);
355 }
356 
357 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
358  const PacketAlert *pa, JsonBuilder *js)
359 {
360  if (pa->s->metadata && pa->s->metadata->json_str) {
361  jb_set_formatted(js, pa->s->metadata->json_str);
362  }
363 }
364 
365 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js,
366  uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
367 {
368  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
369  const char *action = "allowed";
370  /* use packet action if rate_filter modified the action */
373  action = "blocked";
374  }
375  } else {
376  if (pa->action & ACTION_REJECT_ANY) {
377  action = "blocked";
378  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
379  action = "blocked";
380  }
381  }
382 
383  /* Add tx_id to root element for correlation with other events. */
384  /* json_object_del(js, "tx_id"); */
385  if (pa->flags & PACKET_ALERT_FLAG_TX) {
386  jb_set_uint(js, "tx_id", pa->tx_id);
387  }
388 
389  jb_open_object(js, "alert");
390 
391  jb_set_string(js, "action", action);
392  jb_set_uint(js, "gid", pa->s->gid);
393  jb_set_uint(js, "signature_id", pa->s->id);
394  jb_set_uint(js, "rev", pa->s->rev);
395  /* TODO: JsonBuilder should handle unprintable characters like
396  * SCJsonString. */
397  jb_set_string(js, "signature", pa->s->msg ? pa->s->msg: "");
398  jb_set_string(js, "category", pa->s->class_msg ? pa->s->class_msg: "");
399  jb_set_uint(js, "severity", pa->s->prio);
400 
401  if (p->tenant_id > 0) {
402  jb_set_uint(js, "tenant_id", p->tenant_id);
403  }
404 
405  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
406  AlertJsonSourceTarget(p, pa, js, addr);
407  }
408 
409  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
410  AlertJsonMetadata(json_output_ctx, pa, js);
411  }
412 
413  if (flags & LOG_JSON_RULE) {
414  jb_set_string(js, "rule", pa->s->sig_str);
415  }
416  if (xff_buffer && xff_buffer[0]) {
417  jb_set_string(js, "xff", xff_buffer);
418  }
419 
420  jb_close(js);
421 }
422 
423 static void AlertJsonTunnel(const Packet *p, JsonBuilder *js)
424 {
425  if (p->root == NULL) {
426  return;
427  }
428 
429  jb_open_object(js, "tunnel");
430 
431  enum PktSrcEnum pkt_src;
432  uint64_t pcap_cnt;
434  JsonAddrInfoInit(p->root, 0, &addr);
435  pcap_cnt = p->root->pcap_cnt;
436  pkt_src = p->root->pkt_src;
437 
438  jb_set_string(js, "src_ip", addr.src_ip);
439  jb_set_uint(js, "src_port", addr.sp);
440  jb_set_string(js, "dest_ip", addr.dst_ip);
441  jb_set_uint(js, "dest_port", addr.dp);
442  jb_set_string(js, "proto", addr.proto);
443 
444  jb_set_uint(js, "depth", p->recursion_level);
445  if (pcap_cnt != 0) {
446  jb_set_uint(js, "pcap_cnt", pcap_cnt);
447  }
448  jb_set_string(js, "pkt_src", PktSrcToString(pkt_src));
449  jb_close(js);
450 }
451 
452 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js, const Packet *p)
453 {
454  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
455  jb_set_base64(js, "payload", p->payload, p->payload_len);
456  }
457 
458  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
459  uint8_t printable_buf[p->payload_len + 1];
460  uint32_t offset = 0;
461  PrintStringsToBuffer(printable_buf, &offset,
462  p->payload_len + 1,
463  p->payload, p->payload_len);
464  printable_buf[p->payload_len] = '\0';
465  jb_set_string(js, "payload_printable", (char *)printable_buf);
466  }
467 }
468 
469 static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
470  const uint64_t tx_id, const uint16_t option_flags)
471 {
472  const AppProto proto = FlowGetAppProtocol(p->flow);
473  JsonBuilderMark mark = { 0, 0, 0 };
474  switch (proto) {
475  case ALPROTO_HTTP1:
476  // TODO: Could result in an empty http object being logged.
477  jb_open_object(jb, "http");
478  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
479  if (option_flags & LOG_JSON_HTTP_BODY) {
480  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
481  }
482  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
483  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
484  }
485  }
486  jb_close(jb);
487  break;
488  case ALPROTO_TLS:
489  AlertJsonTls(p->flow, jb);
490  break;
491  case ALPROTO_SSH:
492  AlertJsonSsh(p->flow, jb);
493  break;
494  case ALPROTO_SMTP:
495  jb_get_mark(jb, &mark);
496  jb_open_object(jb, "smtp");
497  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
498  jb_close(jb);
499  } else {
500  jb_restore_mark(jb, &mark);
501  }
502  jb_get_mark(jb, &mark);
503  jb_open_object(jb, "email");
504  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
505  jb_close(jb);
506  } else {
507  jb_restore_mark(jb, &mark);
508  }
509  break;
510  case ALPROTO_NFS:
511  /* rpc */
512  jb_get_mark(jb, &mark);
513  jb_open_object(jb, "rpc");
514  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
515  jb_close(jb);
516  } else {
517  jb_restore_mark(jb, &mark);
518  }
519  /* nfs */
520  jb_get_mark(jb, &mark);
521  jb_open_object(jb, "nfs");
522  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
523  jb_close(jb);
524  } else {
525  jb_restore_mark(jb, &mark);
526  }
527  break;
528  case ALPROTO_SMB:
529  jb_get_mark(jb, &mark);
530  jb_open_object(jb, "smb");
531  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
532  jb_close(jb);
533  } else {
534  jb_restore_mark(jb, &mark);
535  }
536  break;
537  case ALPROTO_SIP:
538  JsonSIPAddMetadata(jb, p->flow, tx_id);
539  break;
540  case ALPROTO_RFB:
541  jb_get_mark(jb, &mark);
542  if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) {
543  jb_restore_mark(jb, &mark);
544  }
545  break;
546  case ALPROTO_FTPDATA:
547  jb_get_mark(jb, &mark);
548  jb_open_object(jb, "ftp_data");
549  EveFTPDataAddMetadata(p->flow, jb);
550  jb_close(jb);
551  break;
552  case ALPROTO_DNP3:
553  AlertJsonDnp3(p->flow, tx_id, jb);
554  break;
555  case ALPROTO_HTTP2:
556  AlertJsonHttp2(p->flow, tx_id, jb);
557  break;
558  case ALPROTO_DNS:
559  AlertJsonDns(p->flow, tx_id, jb);
560  break;
561  case ALPROTO_IKE:
562  jb_get_mark(jb, &mark);
563  if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
564  jb_restore_mark(jb, &mark);
565  }
566  break;
567  case ALPROTO_MQTT:
568  jb_get_mark(jb, &mark);
569  if (!JsonMQTTAddMetadata(p->flow, tx_id, jb)) {
570  jb_restore_mark(jb, &mark);
571  }
572  break;
573  case ALPROTO_QUIC:
574  jb_get_mark(jb, &mark);
575  if (!JsonQuicAddMetadata(p->flow, tx_id, jb)) {
576  jb_restore_mark(jb, &mark);
577  }
578  break;
579  case ALPROTO_SNMP:
580  AlertJsonSNMP(p->flow, tx_id, jb);
581  break;
582  case ALPROTO_RDP:
583  AlertJsonRDP(p->flow, tx_id, jb);
584  break;
585  case ALPROTO_MODBUS:
586  jb_get_mark(jb, &mark);
587  if (!JsonModbusAddMetadata(p->flow, tx_id, jb)) {
588  jb_restore_mark(jb, &mark);
589  }
590  break;
592  AlertJsonBitTorrentDHT(p->flow, tx_id, jb);
593  break;
594  default:
595  break;
596  }
597 }
598 
599 static void AlertAddFiles(const Packet *p, JsonBuilder *jb, const uint64_t tx_id)
600 {
601  const uint8_t direction =
602  (p->flowflags & FLOW_PKT_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT;
603  FileContainer *ffc = NULL;
604  if (p->flow->alstate != NULL) {
605  void *tx = AppLayerParserGetTx(p->flow->proto, p->flow->alproto, p->flow->alstate, tx_id);
606  if (tx) {
607  AppLayerGetFileState files =
608  AppLayerParserGetTxFiles(p->flow, p->flow->alstate, tx, direction);
609  ffc = files.fc;
610  }
611  }
612  if (ffc != NULL) {
613  File *file = ffc->head;
614  bool isopen = false;
615  while (file) {
616  if (!isopen) {
617  isopen = true;
618  jb_open_array(jb, "files");
619  }
620  jb_start_object(jb);
621  EveFileInfo(jb, file, tx_id, file->flags & FILE_STORED);
622  jb_close(jb);
623  file = file->next;
624  }
625  if (isopen) {
626  jb_close(jb);
627  }
628  }
629 }
630 
631 static void AlertAddFrame(const Packet *p, JsonBuilder *jb, const int64_t frame_id)
632 {
633  if (p->flow == NULL || (p->proto == IPPROTO_TCP && p->flow->protoctx == NULL))
634  return;
635 
636  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
637  if (frames_container == NULL)
638  return;
639 
640  Frames *frames = NULL;
641  TcpStream *stream = NULL;
642  if (p->proto == IPPROTO_TCP) {
643  TcpSession *ssn = p->flow->protoctx;
644  if (PKT_IS_TOSERVER(p)) {
645  stream = &ssn->client;
646  frames = &frames_container->toserver;
647  } else {
648  stream = &ssn->server;
649  frames = &frames_container->toclient;
650  }
651  Frame *frame = FrameGetById(frames, frame_id);
652  if (frame != NULL) {
653  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb);
654  }
655  } else if (p->proto == IPPROTO_UDP) {
656  if (PKT_IS_TOSERVER(p)) {
657  frames = &frames_container->toserver;
658  } else {
659  frames = &frames_container->toclient;
660  }
661  Frame *frame = FrameGetById(frames, frame_id);
662  if (frame != NULL) {
663  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb);
664  }
665  }
666 }
667 
668 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
669 {
670  MemBuffer *payload = aft->payload_buffer;
671  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
672 
673  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
674  return TM_ECODE_OK;
675 
676  for (int i = 0; i < p->alerts.cnt; i++) {
677  const PacketAlert *pa = &p->alerts.alerts[i];
678  if (unlikely(pa->s == NULL)) {
679  continue;
680  }
681 
682  /* First initialize the address info (5-tuple). */
684  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
685 
686  /* Check for XFF, overwriting address info if needed. */
687  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ? json_output_ctx->xff_cfg
688  : json_output_ctx->parent_xff_cfg;
689  int have_xff_ip = 0;
690  char xff_buffer[XFF_MAXLEN];
691  xff_buffer[0] = 0;
692  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
693  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP1) {
694  if (pa->flags & PACKET_ALERT_FLAG_TX) {
695  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
696  xff_buffer, XFF_MAXLEN);
697  } else {
698  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
699  XFF_MAXLEN);
700  }
701  }
702 
703  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
704  if (p->flowflags & FLOW_PKT_TOCLIENT) {
705  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
706  } else {
707  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
708  }
709  /* Clear have_xff_ip so the xff field does not get
710  * logged below. */
711  have_xff_ip = false;
712  }
713  if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
714  // reset xff_buffer so as not to log it
715  xff_buffer[0] = 0;
716  }
717  }
718 
719  JsonBuilder *jb =
720  CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr, json_output_ctx->eve_ctx);
721  if (unlikely(jb == NULL))
722  return TM_ECODE_OK;
723 
724 
725  /* alert */
726  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);
727 
728  if (IS_TUNNEL_PKT(p)) {
729  AlertJsonTunnel(p, jb);
730  }
731 
732  if (p->flow != NULL) {
733  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
734  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
735  }
736  /* including fileinfo data is configured by the metadata setting */
737  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
738  AlertAddFiles(p, jb, pa->tx_id);
739  }
740 
741  EveAddAppProto(p->flow, jb);
742 
743  if (p->flowflags & FLOW_PKT_TOSERVER) {
744  jb_set_string(jb, "direction", "to_server");
745  } else {
746  jb_set_string(jb, "direction", "to_client");
747  }
748 
749  if (json_output_ctx->flags & LOG_JSON_FLOW) {
750  jb_open_object(jb, "flow");
751  EveAddFlow(p->flow, jb);
752  if (p->flowflags & FLOW_PKT_TOCLIENT) {
753  jb_set_string(jb, "src_ip", addr.dst_ip);
754  jb_set_string(jb, "dest_ip", addr.src_ip);
755  if (addr.sp > 0) {
756  jb_set_uint(jb, "src_port", addr.dp);
757  jb_set_uint(jb, "dest_port", addr.sp);
758  }
759  } else {
760  jb_set_string(jb, "src_ip", addr.src_ip);
761  jb_set_string(jb, "dest_ip", addr.dst_ip);
762  if (addr.sp > 0) {
763  jb_set_uint(jb, "src_port", addr.sp);
764  jb_set_uint(jb, "dest_port", addr.dp);
765  }
766  }
767  jb_close(jb);
768  }
769  }
770 
771  /* payload */
772  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
773  int stream = (p->proto == IPPROTO_TCP) ?
775  1 : 0) : 0;
776 
777  /* Is this a stream? If so, pack part of it into the payload field */
778  if (stream) {
779  uint8_t flag;
780 
781  MemBufferReset(payload);
782 
783  if (p->flowflags & FLOW_PKT_TOSERVER) {
784  flag = STREAM_DUMP_TOCLIENT;
785  } else {
786  flag = STREAM_DUMP_TOSERVER;
787  }
788 
789  StreamSegmentForEach((const Packet *)p, flag,
790  AlertJsonDumpStreamSegmentCallback,
791  (void *)payload);
792  if (payload->offset) {
793  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
794  jb_set_base64(jb, "payload", payload->buffer, payload->offset);
795  }
796 
797  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
798  uint8_t printable_buf[payload->offset + 1];
799  uint32_t offset = 0;
800  PrintStringsToBuffer(printable_buf, &offset,
801  sizeof(printable_buf),
802  payload->buffer, payload->offset);
803  jb_set_string(jb, "payload_printable", (char *)printable_buf);
804  }
805  } else if (p->payload_len) {
806  /* Fallback on packet payload */
807  AlertAddPayload(json_output_ctx, jb, p);
808  }
809  } else {
810  /* This is a single packet and not a stream */
811  AlertAddPayload(json_output_ctx, jb, p);
812  }
813 
814  jb_set_uint(jb, "stream", stream);
815  }
816 
817  if (pa->flags & PACKET_ALERT_FLAG_FRAME) {
818  AlertAddFrame(p, jb, pa->frame_id);
819  }
820 
821  /* base64-encoded full packet */
822  if (json_output_ctx->flags & LOG_JSON_PACKET) {
823  EvePacket(p, jb, 0);
824  }
825 
827  if (pcap_filename != NULL) {
828  jb_set_string(jb, "capture_file", pcap_filename);
829  }
830 
831  OutputJsonBuilderBuffer(jb, aft->ctx);
832  jb_free(jb);
833  }
834 
835  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
837  JsonBuilder *packetjs =
838  CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
839  if (unlikely(packetjs != NULL)) {
840  EvePacket(p, packetjs, 0);
841  OutputJsonBuilderBuffer(packetjs, aft->ctx);
842  jb_free(packetjs);
843  }
844  }
845 
846  return TM_ECODE_OK;
847 }
848 
849 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
850 {
851  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
852  char timebuf[64];
853 
854  if (p->alerts.cnt == 0)
855  return TM_ECODE_OK;
856 
857  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
858 
859  for (int i = 0; i < p->alerts.cnt; i++) {
860  const PacketAlert *pa = &p->alerts.alerts[i];
861  if (unlikely(pa->s == NULL)) {
862  continue;
863  }
864 
865  JsonBuilder *jb = jb_new_object();
866  if (unlikely(jb == NULL)) {
867  return TM_ECODE_OK;
868  }
869 
870  /* just the timestamp, no tuple */
871  jb_set_string(jb, "timestamp", timebuf);
872 
873  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL, NULL);
874 
875  OutputJsonBuilderBuffer(jb, aft->ctx);
876  jb_free(jb);
877  }
878 
879  return TM_ECODE_OK;
880 }
881 
882 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
883 {
884  JsonAlertLogThread *aft = thread_data;
885 
886  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
887  return AlertJson(tv, aft, p);
888  } else if (p->alerts.cnt > 0) {
889  return AlertJsonDecoderEvent(tv, aft, p);
890  }
891  return 0;
892 }
893 
894 static int JsonAlertLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
895 {
896  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
897  return TRUE;
898  }
899  return FALSE;
900 }
901 
902 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
903 {
905  if (unlikely(aft == NULL))
906  return TM_ECODE_FAILED;
907 
908  if (initdata == NULL)
909  {
910  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
911  goto error_exit;
912  }
913 
914  /** Use the Output Context (file pointer and mutex) */
915  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
916 
917  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
918  if (aft->payload_buffer == NULL) {
919  goto error_exit;
920  }
921  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
922  if (!aft->ctx) {
923  goto error_exit;
924  }
925 
926  aft->json_output_ctx = json_output_ctx;
927 
928  *data = (void *)aft;
929  return TM_ECODE_OK;
930 
931 error_exit:
932  if (aft->payload_buffer != NULL) {
934  }
935  SCFree(aft);
936  return TM_ECODE_FAILED;
937 }
938 
939 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
940 {
941  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
942  if (aft == NULL) {
943  return TM_ECODE_OK;
944  }
945 
947  FreeEveThreadCtx(aft->ctx);
948 
949  /* clear memory */
950  memset(aft, 0, sizeof(JsonAlertLogThread));
951 
952  SCFree(aft);
953  return TM_ECODE_OK;
954 }
955 
956 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
957 {
958  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
959 
960  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
961 
962  if (json_output_ctx != NULL) {
963  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
964  if (xff_cfg != NULL) {
965  SCFree(xff_cfg);
966  }
967  SCFree(json_output_ctx);
968  }
969  SCFree(output_ctx);
970 }
971 
972 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
973 {
974  DEBUG_VALIDATE_BUG_ON(conf == NULL);
975  const char *setting = ConfNodeLookupChildValue(conf, name);
976  if (setting != NULL) {
977  if (ConfValIsTrue(setting)) {
978  *out_flags |= flag;
979  } else {
980  *out_flags &= ~flag;
981  }
982  }
983 }
984 
985 #define DEFAULT_LOG_FILENAME "alert.json"
986 
987 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
988  ConfNode *conf)
989 {
990  static bool warn_no_meta = false;
991  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
992  uint16_t flags = METADATA_DEFAULTS;
993 
994  if (conf != NULL) {
995  /* Check for metadata to enable/disable. */
996  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
997  if (metadata != NULL) {
998  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
1000  } else if (ConfNodeHasChildren(metadata)) {
1001  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
1002  if (rule_metadata) {
1003  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
1004  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
1005  &flags);
1006  }
1007  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
1008  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
1009  }
1010  }
1011 
1012  /* Non-metadata toggles. */
1013  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
1014  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
1015  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
1016  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
1017  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
1018  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
1019 
1020  /* Check for obsolete configuration flags to enable specific
1021  * protocols. These are now just aliases for enabling
1022  * app-layer logging. */
1023  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
1024  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
1025  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
1026  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
1027  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
1028 
1029  /* And check for obsolete configuration flags for enabling
1030  * app-layer and flow as these have been moved under the
1031  * metadata key. */
1032  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
1033  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
1034 
1035  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
1036 
1037  if (payload_buffer_value != NULL) {
1038  uint32_t value;
1039  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
1040  SCLogError("Error parsing "
1041  "payload-buffer-size - %s. Killing engine",
1042  payload_buffer_value);
1043  exit(EXIT_FAILURE);
1044  } else {
1045  payload_buffer_size = value;
1046  }
1047  }
1048 
1049  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
1050  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
1051  SCLogWarning("HTTP body logging has been configured, however, "
1052  "metadata logging has not been enabled. HTTP body logging will be "
1053  "disabled.");
1055  warn_no_meta = true;
1056  }
1057  }
1058 
1059  json_output_ctx->payload_buffer_size = payload_buffer_size;
1060  }
1061 
1062  if (flags & LOG_JSON_RULE_METADATA) {
1064  }
1065 
1066  json_output_ctx->flags |= flags;
1067 }
1068 
1069 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
1070 {
1071  HttpXFFCfg *xff_cfg = NULL;
1072  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
1073  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1074  if (likely(xff_cfg != NULL)) {
1075  HttpXFFGetCfg(conf, xff_cfg);
1076  }
1077  }
1078  return xff_cfg;
1079 }
1080 
1081 /**
1082  * \brief Create a new LogFileCtx for "fast" output style.
1083  * \param conf The configuration node for this output.
1084  * \return A LogFileCtx pointer on success, NULL on failure.
1085  */
1086 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
1087 {
1088  OutputInitResult result = { NULL, false };
1089  OutputJsonCtx *ajt = parent_ctx->data;
1090  AlertJsonOutputCtx *json_output_ctx = NULL;
1091 
1092  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1093  if (unlikely(output_ctx == NULL))
1094  return result;
1095 
1096  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
1097  if (unlikely(json_output_ctx == NULL)) {
1098  goto error;
1099  }
1100  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
1101 
1102  json_output_ctx->file_ctx = ajt->file_ctx;
1103  json_output_ctx->eve_ctx = ajt;
1104 
1105  JsonAlertLogSetupMetadata(json_output_ctx, conf);
1106  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
1107  if (json_output_ctx->xff_cfg == NULL) {
1108  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
1109  }
1110 
1111  output_ctx->data = json_output_ctx;
1112  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1113 
1114  result.ctx = output_ctx;
1115  result.ok = true;
1116  return result;
1117 
1118 error:
1119  if (json_output_ctx != NULL) {
1120  SCFree(json_output_ctx);
1121  }
1122  if (output_ctx != NULL) {
1123  SCFree(output_ctx);
1124  }
1125 
1126  return result;
1127 }
1128 
1130 {
1132  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1133  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1134  NULL);
1135 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:48
util-byte.h
tm-threads.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, const Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb)
log a single frame
Definition: output-json-frame.c:226
Packet_::proto
uint8_t proto
Definition: decode.h:450
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:288
TcpStream_
Definition: stream-tcp-private.h:106
FileContainer_
Definition: util-file.h:113
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:277
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-smtp.c:96
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:267
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:404
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:49
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
output-json-modbus.h
Signature_::sig_str
char * sig_str
Definition: detect.h:609
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
STREAM_DUMP_TOSERVER
#define STREAM_DUMP_TOSERVER
Definition: stream.h:33
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:279
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:246
ConfNode_::val
char * val
Definition: conf.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
output-json-mqtt.h
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:594
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:114
DNP3Transaction_::done
uint8_t done
Definition: app-layer-dnp3.h:222
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:118
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:42
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:379
StreamSegmentForEach
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Definition: stream.c:40
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:51
Packet_::payload
uint8_t * payload
Definition: decode.h:573
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:289
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:243
action-globals.h
JsonModbusAddMetadata
bool JsonModbusAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-modbus.c:139
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
Packet_::flags
uint32_t flags
Definition: decode.h:463
threads.h
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:468
OutputJsonCtx_
Definition: output-json.h:81
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:357
util-syslog.h
logged
int logged
Definition: app-layer-htp.h:1
LogFileCtx_
Definition: util-logopenfile.h:73
JsonQuicAddMetadata
bool JsonQuicAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-quic.c:143
output-json-frame.h
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:62
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:934
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:292
output-json-tls.h
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:54
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
output-json-sip.h
rust.h
Frames
Definition: app-layer-frames.h:60
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
FramesContainer
Definition: app-layer-frames.h:73
util-privs.h
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:39
proto
uint8_t proto
Definition: decode-template.h:0
AlertJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-alert.c:119
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
Flow_::protoctx
void * protoctx
Definition: flow.h:447
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:588
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-http.c:515
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:531
util-unittest-helper.h
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:180
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
PcapLogGetFilename
char * PcapLogGetFilename(void)
Definition: log-pcap.c:1860
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:230
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:268
JsonDNSLogAnswer
JsonBuilder * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:295
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:265
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:109
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:53
Signature_::gid
uint32_t gid
Definition: detect.h:575
output-json-dnp3.h
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:53
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
JsonAlertLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-alert.c:125
util-debug.h
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:92
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:251
JsonRFBAddMetadata
bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-rfb.c:49
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
output-json-rfb.h
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:98
Packet_::ts
SCTime_t ts
Definition: decode.h:471
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
app-layer-dnp3.h
output-json.h
FrameGetById
Frame * FrameGetById(Frames *frames, const int64_t id)
Definition: app-layer-frames.c:86
MemBufferWriteRaw
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
EveIKEAddMetadata
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-ike.c:65
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:94
PktSrcEnum
PktSrcEnum
Definition: decode.h:53
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:115
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:796
util-print.h
detect-engine-mpm.h
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
EveFileInfo
void EveFileInfo(JsonBuilder *jb, const File *ff, const uint64_t tx_id, const bool stored)
Definition: output-json.c:131
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:741
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
JsonDNP3LogResponse
void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:174
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:435
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:122
TRUE
#define TRUE
Definition: suricata-common.h:33
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:541
stream.h
JsonAddrInfo_
Definition: output-json.h:49
TcpSegment
Definition: stream-tcp-private.h:72
Packet_
Definition: decode.h:428
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:183
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:60
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:111
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:96
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:245
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:83
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:241
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:50
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:797
AlertJsonHeader
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
Definition: output-json-alert.c:365
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:116
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:61
util-proto-name.h
ConfNodeHasChildren
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:761
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:228
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:97
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1143
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint32_t tx_id, JsonBuilder *js)
Definition: output-json-email-common.c:379
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:117
log-pcap.h
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:269
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:54
Signature_::class_msg
char * class_msg
Definition: detect.h:603
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:780
DNP3Transaction_::is_request
bool is_request
Definition: app-layer-dnp3.h:211
PacketAlert_::flags
uint8_t flags
Definition: decode.h:266
File_::flags
uint16_t flags
Definition: util-file.h:80
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:281
File_
Definition: util-file.h:79
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:630
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:52
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:215
pcap_filename
char pcap_filename[PATH_MAX]
Definition: source-pcap-file-helper.c:116
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:45
AlertJsonOutputCtx_
Definition: output-json-alert.c:113
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:124
output-json-nfs.h
packet.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:87
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
File_::next
struct File_ * next
Definition: util-file.h:92
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
EveAddAppProto
void EveAddAppProto(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:166
Signature_::rev
uint32_t rev
Definition: detect.h:576
util-classification-config.h
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:436
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:285
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:577
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:181
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
output-json-dns.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
Packet_::root
struct Packet_ * root
Definition: decode.h:618
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:284
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:50
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:607
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:283
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:123
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:579
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Flow_::alstate
void * alstate
Definition: flow.h:482
Signature_::id
uint32_t id
Definition: detect.h:574
STREAM_DUMP_TOCLIENT
#define STREAM_DUMP_TOCLIENT
Definition: stream.h:32
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:453
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:101
output-json-ike.h
detect-parse.h
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:95
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:556
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:51
EveFTPDataAddMetadata
void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb)
Definition: app-layer-ftp.c:1408
output-json-ssh.h
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
JsonDNSLogQuery
JsonBuilder * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:266
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:100
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:105
DNP3State_
Per flow DNP3 state.
Definition: app-layer-dnp3.h:234
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:211
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:99
JsonDNP3LogRequest
void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:143
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:55
PacketAlert_
Definition: decode.h:263
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:473
ALPROTO_BITTORRENT_DHT
@ ALPROTO_BITTORRENT_DHT
Definition: app-layer-protos.h:62
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:205
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:931
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:890
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:116
output-json-smtp.h
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
TcpSession_
Definition: stream-tcp-private.h:272
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:996
Signature_::msg
char * msg
Definition: detect.h:600
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4603
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-smb.c:34
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:395
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:102
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:245
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:275
output-json-quic.h
JsonSIPAddMetadata
void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id)
Definition: output-json-sip.c:51
JsonMQTTAddMetadata
bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-mqtt.c:62
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1129
DNP3Transaction_
DNP3 transaction.
Definition: app-layer-dnp3.h:207
EveAddFlow
void EveAddFlow(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:187
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:808