#define MODULE_NAME "JsonAlertLog"

/*
 * Per-output option bits for the alert logger.
 *
 * Each LOG_JSON_* value is a single bit so the options can be OR-ed into one
 * flags word. SetFlag() in this file writes them into a uint16_t, and
 * AlertAddAppLayer() receives that word as its option_flags argument, so the
 * set must stay within 16 bits.
 */
#define LOG_JSON_PAYLOAD           BIT_U16(0)
#define LOG_JSON_PACKET            BIT_U16(1)
#define LOG_JSON_PAYLOAD_BASE64    BIT_U16(2)
#define LOG_JSON_TAGGED_PACKETS    BIT_U16(3)
#define LOG_JSON_APP_LAYER         BIT_U16(4)
#define LOG_JSON_FLOW              BIT_U16(5)
#define LOG_JSON_HTTP_BODY         BIT_U16(6)
#define LOG_JSON_HTTP_BODY_BASE64  BIT_U16(7)
#define LOG_JSON_RULE_METADATA     BIT_U16(8)
#define LOG_JSON_RULE              BIT_U16(9)

/*
 * Option set used as the metadata default: flow, app-layer and rule-metadata
 * logging. NOTE(review): presumably applied when the "metadata" config
 * section is absent — confirm against the setup code.
 */
#define METADATA_DEFAULTS \
    (LOG_JSON_FLOW | LOG_JSON_APP_LAYER | LOG_JSON_RULE_METADATA)

/*
 * Either form of HTTP body logging. Body logging only makes sense together
 * with metadata logging; the setup code emits a warning for that combination.
 */
#define JSON_BODY_LOGGING \
    (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)

/*
 * Buffer size used for stream segment dumping. NOTE(review): its consumer is
 * not visible here; presumably the segment callback / payload buffer — confirm.
 */
#define JSON_STREAM_BUFFER_SIZE 4096
130 static int AlertJsonDumpStreamSegmentCallback(
131 const Packet *p,
TcpSegment *seg,
void *data,
const uint8_t *buf, uint32_t buflen)
139 static void AlertJsonTls(
const Flow *f, JsonBuilder *js)
143 jb_open_object(js,
"tls");
153 static void AlertJsonSsh(
const Flow *f, JsonBuilder *js)
155 void *ssh_state = FlowGetAppState(f);
157 JsonBuilderMark mark = { 0, 0, 0 };
158 void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0);
159 jb_get_mark(js, &mark);
160 jb_open_object(js,
"ssh");
161 if (rs_ssh_log_json(tx_ptr, js)) {
164 jb_restore_mark(js, &mark);
171 static void AlertJsonHttp2(
const Flow *f,
const uint64_t tx_id, JsonBuilder *js)
173 void *h2_state = FlowGetAppState(f);
175 void *tx_ptr = rs_http2_state_get_tx(h2_state, tx_id);
177 JsonBuilderMark mark = { 0, 0, 0 };
178 jb_get_mark(js, &mark);
179 jb_open_object(js,
"http");
180 if (rs_http2_log_json(tx_ptr, js)) {
183 jb_restore_mark(js, &mark);
191 static void AlertJsonDnp3(
const Flow *f,
const uint64_t tx_id, JsonBuilder *js)
198 JsonBuilderMark mark = { 0, 0, 0 };
199 jb_get_mark(js, &mark);
201 jb_open_object(js,
"dnp3");
203 jb_open_object(js,
"request");
209 jb_open_object(js,
"response");
218 jb_restore_mark(js, &mark);
224 static void AlertJsonDns(
const Flow *f,
const uint64_t tx_id, JsonBuilder *js)
226 void *dns_state = (
void *)FlowGetAppState(f);
231 jb_open_object(js,
"dns");
234 jb_set_object(js,
"query", qjs);
239 jb_set_object(js,
"answer", ajs);
248 static void AlertJsonSNMP(
const Flow *f,
const uint64_t tx_id, JsonBuilder *js)
250 void *snmp_state = (
void *)FlowGetAppState(f);
251 if (snmp_state != NULL) {
255 jb_open_object(js,
"snmp");
256 rs_snmp_log_json_response(js, snmp_state, tx);
262 static void AlertJsonRDP(
const Flow *f,
const uint64_t tx_id, JsonBuilder *js)
264 void *rdp_state = (
void *)FlowGetAppState(f);
265 if (rdp_state != NULL) {
269 JsonBuilderMark mark = { 0, 0, 0 };
270 jb_get_mark(js, &mark);
271 if (!rs_rdp_to_json(tx, js)) {
272 jb_restore_mark(js, &mark);
278 static void AlertJsonBitTorrentDHT(
const Flow *f,
const uint64_t tx_id, JsonBuilder *js)
280 void *bittorrent_dht_state = (
void *)FlowGetAppState(f);
281 if (bittorrent_dht_state != NULL) {
285 JsonBuilderMark mark = { 0, 0, 0 };
286 jb_get_mark(js, &mark);
287 jb_open_object(js,
"bittorrent_dht");
288 if (rs_bittorrent_dht_logger_log(tx, js)) {
291 jb_restore_mark(js, &mark);
300 jb_open_object(js,
"source");
302 jb_set_string(js,
"ip", addr->
src_ip);
310 jb_set_uint(js,
"port", addr->
sp);
314 jb_set_string(js,
"ip", addr->
dst_ip);
322 jb_set_uint(js,
"port", addr->
dp);
328 jb_open_object(js,
"target");
330 jb_set_string(js,
"ip", addr->
dst_ip);
338 jb_set_uint(js,
"port", addr->
dp);
342 jb_set_string(js,
"ip", addr->
src_ip);
350 jb_set_uint(js,
"port", addr->
sp);
369 const char *action =
"allowed";
386 jb_set_uint(js,
"tx_id", pa->
tx_id);
389 jb_open_object(js,
"alert");
391 jb_set_string(js,
"action", action);
392 jb_set_uint(js,
"gid", pa->
s->
gid);
393 jb_set_uint(js,
"signature_id", pa->
s->
id);
394 jb_set_uint(js,
"rev", pa->
s->
rev);
397 jb_set_string(js,
"signature", pa->
s->
msg ? pa->
s->
msg:
"");
399 jb_set_uint(js,
"severity", pa->
s->
prio);
402 jb_set_uint(js,
"tenant_id", p->
tenant_id);
406 AlertJsonSourceTarget(p, pa, js, addr);
410 AlertJsonMetadata(json_output_ctx, pa, js);
414 jb_set_string(js,
"rule", pa->
s->
sig_str);
416 if (xff_buffer && xff_buffer[0]) {
417 jb_set_string(js,
"xff", xff_buffer);
423 static void AlertJsonTunnel(
const Packet *p, JsonBuilder *js)
425 if (p->
root == NULL) {
429 jb_open_object(js,
"tunnel");
438 jb_set_string(js,
"src_ip", addr.
src_ip);
439 jb_set_uint(js,
"src_port", addr.
sp);
440 jb_set_string(js,
"dest_ip", addr.
dst_ip);
441 jb_set_uint(js,
"dest_port", addr.
dp);
442 jb_set_string(js,
"proto", addr.
proto);
446 jb_set_uint(js,
"pcap_cnt", pcap_cnt);
465 jb_set_string(js,
"payload_printable", (
char *)printable_buf);
469 static void AlertAddAppLayer(
const Packet *p, JsonBuilder *jb,
470 const uint64_t tx_id,
const uint16_t option_flags)
473 JsonBuilderMark mark = { 0, 0, 0 };
477 jb_open_object(jb,
"http");
489 AlertJsonTls(p->
flow, jb);
492 AlertJsonSsh(p->
flow, jb);
495 jb_get_mark(jb, &mark);
496 jb_open_object(jb,
"smtp");
500 jb_restore_mark(jb, &mark);
502 jb_get_mark(jb, &mark);
503 jb_open_object(jb,
"email");
507 jb_restore_mark(jb, &mark);
512 jb_get_mark(jb, &mark);
513 jb_open_object(jb,
"rpc");
517 jb_restore_mark(jb, &mark);
520 jb_get_mark(jb, &mark);
521 jb_open_object(jb,
"nfs");
525 jb_restore_mark(jb, &mark);
529 jb_get_mark(jb, &mark);
530 jb_open_object(jb,
"smb");
534 jb_restore_mark(jb, &mark);
541 jb_get_mark(jb, &mark);
543 jb_restore_mark(jb, &mark);
547 jb_get_mark(jb, &mark);
548 jb_open_object(jb,
"ftp_data");
553 AlertJsonDnp3(p->
flow, tx_id, jb);
556 AlertJsonHttp2(p->
flow, tx_id, jb);
559 AlertJsonDns(p->
flow, tx_id, jb);
562 jb_get_mark(jb, &mark);
564 jb_restore_mark(jb, &mark);
568 jb_get_mark(jb, &mark);
570 jb_restore_mark(jb, &mark);
574 jb_get_mark(jb, &mark);
576 jb_restore_mark(jb, &mark);
580 AlertJsonSNMP(p->
flow, tx_id, jb);
583 AlertJsonRDP(p->
flow, tx_id, jb);
586 jb_get_mark(jb, &mark);
588 jb_restore_mark(jb, &mark);
592 AlertJsonBitTorrentDHT(p->
flow, tx_id, jb);
599 static void AlertAddFiles(
const Packet *p, JsonBuilder *jb,
const uint64_t tx_id)
601 const uint8_t direction =
607 AppLayerGetFileState files =
618 jb_open_array(jb,
"files");
631 static void AlertAddFrame(
const Packet *p, JsonBuilder *jb,
const int64_t frame_id)
637 if (frames_container == NULL)
642 if (p->
proto == IPPROTO_TCP) {
646 frames = &frames_container->
toserver;
649 frames = &frames_container->
toclient;
655 }
else if (p->
proto == IPPROTO_UDP) {
657 frames = &frames_container->
toserver;
659 frames = &frames_container->
toclient;
676 for (
int i = 0; i < p->
alerts.
cnt; i++) {
729 AlertJsonTunnel(p, jb);
732 if (p->
flow != NULL) {
734 AlertAddAppLayer(p, jb, pa->
tx_id, json_output_ctx->
flags);
738 AlertAddFiles(p, jb, pa->
tx_id);
744 jb_set_string(jb,
"direction",
"to_server");
746 jb_set_string(jb,
"direction",
"to_client");
750 jb_open_object(jb,
"flow");
753 jb_set_string(jb,
"src_ip", addr.
dst_ip);
754 jb_set_string(jb,
"dest_ip", addr.
src_ip);
756 jb_set_uint(jb,
"src_port", addr.
dp);
757 jb_set_uint(jb,
"dest_port", addr.
sp);
760 jb_set_string(jb,
"src_ip", addr.
src_ip);
761 jb_set_string(jb,
"dest_ip", addr.
dst_ip);
763 jb_set_uint(jb,
"src_port", addr.
sp);
764 jb_set_uint(jb,
"dest_port", addr.
dp);
773 int stream = (p->
proto == IPPROTO_TCP) ?
790 AlertJsonDumpStreamSegmentCallback,
794 jb_set_base64(jb,
"payload", payload->
buffer, payload->
offset);
798 uint8_t printable_buf[payload->
offset + 1];
801 sizeof(printable_buf),
803 jb_set_string(jb,
"payload_printable", (
char *)printable_buf);
807 AlertAddPayload(json_output_ctx, jb, p);
811 AlertAddPayload(json_output_ctx, jb, p);
814 jb_set_uint(jb,
"stream", stream);
837 JsonBuilder *packetjs =
859 for (
int i = 0; i < p->
alerts.
cnt; i++) {
865 JsonBuilder *jb = jb_new_object();
871 jb_set_string(jb,
"timestamp", timebuf);
887 return AlertJson(
tv, aft, p);
889 return AlertJsonDecoderEvent(
tv, aft, p);
902 static TmEcode JsonAlertLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
908 if (initdata == NULL)
910 SCLogDebug(
"Error getting context for EveLogAlert. \"initdata\" argument NULL");
956 static void JsonAlertLogDeInitCtxSub(
OutputCtx *output_ctx)
958 SCLogDebug(
"cleaning up sub output_ctx %p", output_ctx);
962 if (json_output_ctx != NULL) {
964 if (xff_cfg != NULL) {
972 static void SetFlag(
const ConfNode *conf,
const char *name, uint16_t flag, uint16_t *out_flags)
976 if (setting != NULL) {
985 #define DEFAULT_LOG_FILENAME "alert.json"
990 static bool warn_no_meta =
false;
997 if (metadata != NULL) {
1002 if (rule_metadata) {
1037 if (payload_buffer_value != NULL) {
1041 "payload-buffer-size - %s. Killing engine",
1042 payload_buffer_value);
1045 payload_buffer_size = value;
1051 SCLogWarning(
"HTTP body logging has been configured, however, "
1052 "metadata logging has not been enabled. HTTP body logging will be "
1055 warn_no_meta =
true;
1074 if (
likely(xff_cfg != NULL)) {
1097 if (
unlikely(json_output_ctx == NULL)) {
1103 json_output_ctx->
eve_ctx = ajt;
1105 JsonAlertLogSetupMetadata(json_output_ctx, conf);
1106 json_output_ctx->
xff_cfg = JsonAlertLogGetXffCfg(conf);
1107 if (json_output_ctx->
xff_cfg == NULL) {
1111 output_ctx->
data = json_output_ctx;
1112 output_ctx->
DeInit = JsonAlertLogDeInitCtxSub;
1114 result.
ctx = output_ctx;
1119 if (json_output_ctx != NULL) {
1122 if (output_ctx != NULL) {
1132 "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1133 JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
bool PacketCheckAction(const Packet *p, const uint8_t a)
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, const Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb)
Log a single frame.
SSLv[2.0|3.[0|1|2|3]] state structure.
#define PACKET_ALERT_FLAG_STREAM_MATCH
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
const struct Signature_ * s
void EveHttpLogJSONBodyPrintable(JsonBuilder *js, Flow *f, uint64_t tx_id)
#define STREAM_DUMP_TOSERVER
#define PACKET_ALERT_FLAG_TX
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
HttpXFFCfg * parent_xff_cfg
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
#define SIG_FLAG_DEST_IS_TARGET
bool JsonModbusAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
bool JsonQuicAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
const JsonAddrInfo json_addr_info_zero
#define FLOW_PKT_TOSERVER
#define ACTION_REJECT_ANY
#define ACTION_DROP_REJECT
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
int ConfValIsTrue(const char *val)
Check if a value is true.
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Returns the XFF IP address, if any. The caller must hold the flow lock.
char * PcapLogGetFilename(void)
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
JsonBuilder * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
size_t strlcpy(char *dst, const char *src, size_t siz)
#define JSON_BODY_LOGGING
OutputJsonThreadCtx * ctx
#define PKT_IS_TOSERVER(p)
bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
#define LOG_JSON_APP_LAYER
Frame * FrameGetById(Frames *frames, const int64_t id)
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Per-thread variable structure.
void EveFileInfo(JsonBuilder *jb, const File *ff, const uint64_t tx_id, const bool stored)
const char * PktSrcToString(enum PktSrcEnum pkt_src)
struct JsonAlertLogThread_ JsonAlertLogThread
#define SCLogWarning(...)
Macro used to log WARNING messages.
void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
void EveHttpLogJSONBodyBase64(JsonBuilder *js, Flow *f, uint64_t tx_id)
FramesContainer * AppLayerFramesGetContainer(Flow *f)
#define JSON_STREAM_BUFFER_SIZE
#define LOG_JSON_PAYLOAD_BASE64
#define SIG_FLAG_HAS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
uint32_t payload_buffer_size
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
#define FLOW_PKT_TOCLIENT
#define LOG_JSON_TAGGED_PACKETS
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
bool EveEmailAddMetadata(const Flow *f, uint32_t tx_id, JsonBuilder *js)
char proto[JSON_PROTO_LEN]
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
#define PACKET_ALERT_RATE_FILTER_MODIFIED
void(* DeInit)(struct OutputCtx_ *)
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
char pcap_filename[PATH_MAX]
AlertJsonOutputCtx * json_output_ctx
void MemBufferFree(MemBuffer *buffer)
void EveAddAppProto(Flow *f, JsonBuilder *js)
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
int ParseSizeStringU32(const char *size, uint32_t *res)
char src_ip[JSON_ADDR_LEN]
DetectMetadataHead * metadata
#define PACKET_ALERT_FLAG_FRAME
#define SCLogError(...)
Macro used to log ERROR messages.
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
MemBuffer * payload_buffer
#define STREAM_DUMP_TOCLIENT
#define LOG_JSON_HTTP_BODY_BASE64
int ConfValIsFalse(const char *val)
Check if a value is false.
char dst_ip[JSON_ADDR_LEN]
void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb)
JsonBuilder * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
#define LOG_JSON_HTTP_BODY
#define METADATA_DEFAULTS
int EngineModeIsIPS(void)
void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Reads the XFF configuration from a configuration node.
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Returns the XFF IP address, if any, from the selected transaction. The caller must hold the flow lock.
void DetectEngineSetParseMetadata(void)
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
AppProto alproto
Application-level protocol.
#define LOG_JSON_RULE_METADATA
#define PACKET_ALERT_FLAG_STATE_MATCH
void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id)
bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
#define DEBUG_VALIDATE_BUG_ON(exp)
MemBuffer * MemBufferCreateNew(uint32_t size)
void JsonAlertLogRegister(void)
void EveAddFlow(Flow *f, JsonBuilder *js)
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.