suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 
43 #include "detect-parse.h"
44 #include "detect-engine.h"
45 #include "detect-engine-mpm.h"
46 #include "detect-reference.h"
47 #include "detect-metadata.h"
48 #include "app-layer-parser.h"
49 #include "app-layer-dnp3.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "util-syslog.h"
55 #include "util-logopenfile.h"
56 
57 #include "output.h"
58 #include "output-json.h"
59 #include "output-json-alert.h"
60 #include "output-json-dnp3.h"
61 #include "output-json-dns.h"
62 #include "output-json-http.h"
63 #include "output-json-tls.h"
64 #include "output-json-ssh.h"
65 #include "rust.h"
66 #include "output-json-smtp.h"
68 #include "output-json-nfs.h"
69 #include "output-json-smb.h"
70 #include "output-json-flow.h"
71 #include "output-json-sip.h"
72 #include "output-json-rfb.h"
73 #include "output-json-mqtt.h"
74 #include "output-json-ike.h"
75 #include "output-json-modbus.h"
76 
77 #include "util-byte.h"
78 #include "util-privs.h"
79 #include "util-print.h"
80 #include "util-proto-name.h"
81 #include "util-optimize.h"
82 #include "util-buffer.h"
83 #include "util-crypt.h"
84 #include "util-validate.h"
85 
86 #define MODULE_NAME "JsonAlertLog"
87 
88 #define LOG_JSON_PAYLOAD BIT_U16(0)
89 #define LOG_JSON_PACKET BIT_U16(1)
90 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
91 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
92 #define LOG_JSON_APP_LAYER BIT_U16(4)
93 #define LOG_JSON_FLOW BIT_U16(5)
94 #define LOG_JSON_HTTP_BODY BIT_U16(6)
95 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
96 #define LOG_JSON_RULE_METADATA BIT_U16(8)
97 #define LOG_JSON_RULE BIT_U16(9)
98 
99 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
100  LOG_JSON_APP_LAYER | \
101  LOG_JSON_RULE_METADATA)
102 
103 #define JSON_BODY_LOGGING (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
104 
105 #define JSON_STREAM_BUFFER_SIZE 4096
106 
107 typedef struct AlertJsonOutputCtx_ {
109  uint16_t flags;
115 
116 typedef struct JsonAlertLogThread_ {
121 
122 /* Callback function to pack payload contents from a stream into a buffer
123  * so we can report them in JSON output. */
124 static int AlertJsonDumpStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
125 {
126  MemBuffer *payload = (MemBuffer *)data;
127  MemBufferWriteRaw(payload, buf, buflen);
128 
129  return 1;
130 }
131 
132 static void AlertJsonTls(const Flow *f, JsonBuilder *js)
133 {
134  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
135  if (ssl_state) {
136  jb_open_object(js, "tls");
137 
138  JsonTlsLogJSONBasic(js, ssl_state);
139  JsonTlsLogJSONExtended(js, ssl_state);
140 
141  jb_close(js);
142  }
143 
144  return;
145 }
146 
147 static void AlertJsonSsh(const Flow *f, JsonBuilder *js)
148 {
149  void *ssh_state = FlowGetAppState(f);
150  if (ssh_state) {
151  JsonBuilderMark mark = { 0, 0, 0 };
152  void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0);
153  jb_get_mark(js, &mark);
154  jb_open_object(js, "ssh");
155  if (rs_ssh_log_json(tx_ptr, js)) {
156  jb_close(js);
157  } else {
158  jb_restore_mark(js, &mark);
159  }
160  }
161 
162  return;
163 }
164 
165 static void AlertJsonHttp2(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
166 {
167  void *h2_state = FlowGetAppState(f);
168  if (h2_state) {
169  void *tx_ptr = rs_http2_state_get_tx(h2_state, tx_id);
170  if (tx_ptr) {
171  JsonBuilderMark mark = { 0, 0, 0 };
172  jb_get_mark(js, &mark);
173  jb_open_object(js, "http");
174  if (rs_http2_log_json(tx_ptr, js)) {
175  jb_close(js);
176  } else {
177  jb_restore_mark(js, &mark);
178  }
179  }
180  }
181 
182  return;
183 }
184 
185 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
186 {
187  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
188  if (dnp3_state) {
190  dnp3_state, tx_id);
191  if (tx) {
192  JsonBuilderMark mark = { 0, 0, 0 };
193  jb_get_mark(js, &mark);
194  bool logged = false;
195  jb_open_object(js, "dnp3");
196  if (tx->has_request && tx->request_done) {
197  jb_open_object(js, "request");
198  JsonDNP3LogRequest(js, tx);
199  jb_close(js);
200  logged = true;
201  }
202  if (tx->has_response && tx->response_done) {
203  jb_open_object(js, "response");
204  JsonDNP3LogResponse(js, tx);
205  jb_close(js);
206  logged = true;
207  }
208  if (logged) {
209  /* Close dnp3 object. */
210  jb_close(js);
211  } else {
212  jb_restore_mark(js, &mark);
213  }
214  }
215  }
216 }
217 
218 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
219 {
220  void *dns_state = (void *)FlowGetAppState(f);
221  if (dns_state) {
222  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
223  dns_state, tx_id);
224  if (txptr) {
225  jb_open_object(js, "dns");
226  JsonBuilder *qjs = JsonDNSLogQuery(txptr, tx_id);
227  if (qjs != NULL) {
228  jb_set_object(js, "query", qjs);
229  jb_free(qjs);
230  }
231  JsonBuilder *ajs = JsonDNSLogAnswer(txptr, tx_id);
232  if (ajs != NULL) {
233  jb_set_object(js, "answer", ajs);
234  jb_free(ajs);
235  }
236  jb_close(js);
237  }
238  }
239  return;
240 }
241 
242 static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
243 {
244  void *snmp_state = (void *)FlowGetAppState(f);
245  if (snmp_state != NULL) {
246  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_SNMP, snmp_state,
247  tx_id);
248  if (tx != NULL) {
249  jb_open_object(js, "snmp");
250  rs_snmp_log_json_response(js, snmp_state, tx);
251  jb_close(js);
252  }
253  }
254 }
255 
256 static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
257 {
258  void *rdp_state = (void *)FlowGetAppState(f);
259  if (rdp_state != NULL) {
260  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state,
261  tx_id);
262  if (tx != NULL) {
263  JsonBuilderMark mark = { 0, 0, 0 };
264  jb_get_mark(js, &mark);
265  if (!rs_rdp_to_json(tx, js)) {
266  jb_restore_mark(js, &mark);
267  }
268  }
269  }
270 }
271 
272 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
273  JsonBuilder *js, JsonAddrInfo *addr)
274 {
275  jb_open_object(js, "source");
276  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
277  jb_set_string(js, "ip", addr->src_ip);
278  switch (p->proto) {
279  case IPPROTO_ICMP:
280  case IPPROTO_ICMPV6:
281  break;
282  case IPPROTO_UDP:
283  case IPPROTO_TCP:
284  case IPPROTO_SCTP:
285  jb_set_uint(js, "port", addr->sp);
286  break;
287  }
288  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
289  jb_set_string(js, "ip", addr->dst_ip);
290  switch (p->proto) {
291  case IPPROTO_ICMP:
292  case IPPROTO_ICMPV6:
293  break;
294  case IPPROTO_UDP:
295  case IPPROTO_TCP:
296  case IPPROTO_SCTP:
297  jb_set_uint(js, "port", addr->dp);
298  break;
299  }
300  }
301  jb_close(js);
302 
303  jb_open_object(js, "target");
304  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
305  jb_set_string(js, "ip", addr->dst_ip);
306  switch (p->proto) {
307  case IPPROTO_ICMP:
308  case IPPROTO_ICMPV6:
309  break;
310  case IPPROTO_UDP:
311  case IPPROTO_TCP:
312  case IPPROTO_SCTP:
313  jb_set_uint(js, "port", addr->dp);
314  break;
315  }
316  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
317  jb_set_string(js, "ip", addr->src_ip);
318  switch (p->proto) {
319  case IPPROTO_ICMP:
320  case IPPROTO_ICMPV6:
321  break;
322  case IPPROTO_UDP:
323  case IPPROTO_TCP:
324  case IPPROTO_SCTP:
325  jb_set_uint(js, "port", addr->sp);
326  break;
327  }
328  }
329  jb_close(js);
330 }
331 
332 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
333  const PacketAlert *pa, JsonBuilder *js)
334 {
335  if (pa->s->metadata && pa->s->metadata->json_str) {
336  jb_set_formatted(js, pa->s->metadata->json_str);
337  }
338 }
339 
340 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa,
341  JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
342 {
343  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
344  const char *action = "allowed";
345  /* use packet action if rate_filter modified the action */
349  action = "blocked";
350  }
351  } else {
353  action = "blocked";
354  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
355  action = "blocked";
356  }
357  }
358 
359  /* Add tx_id to root element for correlation with other events. */
360  /* json_object_del(js, "tx_id"); */
361  if (pa->flags & PACKET_ALERT_FLAG_TX) {
362  jb_set_uint(js, "tx_id", pa->tx_id);
363  }
364 
365  jb_open_object(js, "alert");
366 
367  jb_set_string(js, "action", action);
368  jb_set_uint(js, "gid", pa->s->gid);
369  jb_set_uint(js, "signature_id", pa->s->id);
370  jb_set_uint(js, "rev", pa->s->rev);
371  /* TODO: JsonBuilder should handle unprintable characters like
372  * SCJsonString. */
373  jb_set_string(js, "signature", pa->s->msg ? pa->s->msg: "");
374  jb_set_string(js, "category", pa->s->class_msg ? pa->s->class_msg: "");
375  jb_set_uint(js, "severity", pa->s->prio);
376 
377  if (p->tenant_id > 0) {
378  jb_set_uint(js, "tenant_id", p->tenant_id);
379  }
380 
381  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
382  AlertJsonSourceTarget(p, pa, js, addr);
383  }
384 
385  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
386  AlertJsonMetadata(json_output_ctx, pa, js);
387  }
388 
389  if (flags & LOG_JSON_RULE) {
390  jb_set_string(js, "rule", pa->s->sig_str);
391  }
392 
393  jb_close(js);
394 }
395 
396 static void AlertJsonTunnel(const Packet *p, JsonBuilder *js)
397 {
398  if (p->root == NULL) {
399  return;
400  }
401 
402  jb_open_object(js, "tunnel");
403 
404  /* get a lock to access root packet fields */
405  SCMutex *m = &p->root->tunnel_mutex;
406 
408  SCMutexLock(m);
409  JsonAddrInfoInit(p->root, 0, &addr);
410  SCMutexUnlock(m);
411 
412  jb_set_string(js, "src_ip", addr.src_ip);
413  jb_set_uint(js, "src_port", addr.sp);
414  jb_set_string(js, "dest_ip", addr.dst_ip);
415  jb_set_uint(js, "dest_port", addr.dp);
416  jb_set_string(js, "proto", addr.proto);
417 
418  jb_set_uint(js, "depth", p->recursion_level);
419 
420  jb_close(js);
421 }
422 
423 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js, const Packet *p)
424 {
425  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
426  unsigned long len = BASE64_BUFFER_SIZE(p->payload_len);
427  uint8_t encoded[len];
428  if (Base64Encode(p->payload, p->payload_len, encoded, &len) == SC_BASE64_OK) {
429  jb_set_string(js, "payload", (char *)encoded);
430  }
431  }
432 
433  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
434  uint8_t printable_buf[p->payload_len + 1];
435  uint32_t offset = 0;
436  PrintStringsToBuffer(printable_buf, &offset,
437  p->payload_len + 1,
438  p->payload, p->payload_len);
439  printable_buf[p->payload_len] = '\0';
440  jb_set_string(js, "payload_printable", (char *)printable_buf);
441  }
442 }
443 
444 static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
445  const uint64_t tx_id, const uint16_t option_flags)
446 {
448  JsonBuilderMark mark = { 0, 0, 0 };
449  switch (proto) {
450  case ALPROTO_HTTP1:
451  // TODO: Could result in an empty http object being logged.
452  jb_open_object(jb, "http");
453  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
454  if (option_flags & LOG_JSON_HTTP_BODY) {
455  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
456  }
457  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
458  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
459  }
460  }
461  jb_close(jb);
462  break;
463  case ALPROTO_TLS:
464  AlertJsonTls(p->flow, jb);
465  break;
466  case ALPROTO_SSH:
467  AlertJsonSsh(p->flow, jb);
468  break;
469  case ALPROTO_SMTP:
470  jb_get_mark(jb, &mark);
471  jb_open_object(jb, "smtp");
472  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
473  jb_close(jb);
474  } else {
475  jb_restore_mark(jb, &mark);
476  }
477  jb_get_mark(jb, &mark);
478  jb_open_object(jb, "email");
479  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
480  jb_close(jb);
481  } else {
482  jb_restore_mark(jb, &mark);
483  }
484  break;
485  case ALPROTO_NFS:
486  /* rpc */
487  jb_get_mark(jb, &mark);
488  jb_open_object(jb, "rpc");
489  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
490  jb_close(jb);
491  } else {
492  jb_restore_mark(jb, &mark);
493  }
494  /* nfs */
495  jb_get_mark(jb, &mark);
496  jb_open_object(jb, "nfs");
497  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
498  jb_close(jb);
499  } else {
500  jb_restore_mark(jb, &mark);
501  }
502  break;
503  case ALPROTO_SMB:
504  jb_get_mark(jb, &mark);
505  jb_open_object(jb, "smb");
506  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
507  jb_close(jb);
508  } else {
509  jb_restore_mark(jb, &mark);
510  }
511  break;
512  case ALPROTO_SIP:
513  JsonSIPAddMetadata(jb, p->flow, tx_id);
514  break;
515  case ALPROTO_RFB:
516  jb_get_mark(jb, &mark);
517  if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) {
518  jb_restore_mark(jb, &mark);
519  }
520  break;
521  case ALPROTO_FTPDATA:
522  EveFTPDataAddMetadata(p->flow, jb);
523  break;
524  case ALPROTO_DNP3:
525  AlertJsonDnp3(p->flow, tx_id, jb);
526  break;
527  case ALPROTO_HTTP2:
528  AlertJsonHttp2(p->flow, tx_id, jb);
529  break;
530  case ALPROTO_DNS:
531  AlertJsonDns(p->flow, tx_id, jb);
532  break;
533  case ALPROTO_IKE:
534  jb_get_mark(jb, &mark);
535  if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
536  jb_restore_mark(jb, &mark);
537  }
538  break;
539  case ALPROTO_MQTT:
540  jb_get_mark(jb, &mark);
541  if (!JsonMQTTAddMetadata(p->flow, tx_id, jb)) {
542  jb_restore_mark(jb, &mark);
543  }
544  break;
545  case ALPROTO_SNMP:
546  AlertJsonSNMP(p->flow, tx_id, jb);
547  break;
548  case ALPROTO_RDP:
549  AlertJsonRDP(p->flow, tx_id, jb);
550  break;
551  case ALPROTO_MODBUS:
552  jb_get_mark(jb, &mark);
553  if (!JsonModbusAddMetadata(p->flow, tx_id, jb)) {
554  jb_restore_mark(jb, &mark);
555  }
556  break;
557  default:
558  break;
559  }
560 }
561 
562 static void AlertAddFiles(const Packet *p, JsonBuilder *jb, const uint64_t tx_id)
563 {
566  if (ffc != NULL) {
567  File *file = ffc->head;
568  bool isopen = false;
569  while (file) {
570  if (tx_id == file->txid) {
571  if (!isopen) {
572  isopen = true;
573  jb_open_array(jb, "files");
574  }
575  jb_start_object(jb);
576  EveFileInfo(jb, file, file->flags & FILE_STORED);
577  jb_close(jb);
578  }
579  file = file->next;
580  }
581  if (isopen) {
582  jb_close(jb);
583  }
584  }
585 }
586 
587 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
588 {
589  MemBuffer *payload = aft->payload_buffer;
590  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
591 
592  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
593  return TM_ECODE_OK;
594 
595  for (int i = 0; i < p->alerts.cnt; i++) {
596  const PacketAlert *pa = &p->alerts.alerts[i];
597  if (unlikely(pa->s == NULL)) {
598  continue;
599  }
600 
601  /* First initialize the address info (5-tuple). */
603  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
604 
605  /* Check for XFF, overwriting address info if needed. */
606  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
607  json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
608  int have_xff_ip = 0;
609  char xff_buffer[XFF_MAXLEN];
610  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
612  if (pa->flags & PACKET_ALERT_FLAG_TX) {
613  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
614  xff_buffer, XFF_MAXLEN);
615  } else {
616  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
617  XFF_MAXLEN);
618  }
619  }
620 
621  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
622  if (p->flowflags & FLOW_PKT_TOCLIENT) {
623  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
624  } else {
625  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
626  }
627  /* Clear have_xff_ip so the xff field does not get
628  * logged below. */
629  have_xff_ip = false;
630  }
631  }
632 
633  JsonBuilder *jb =
634  CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr, json_output_ctx->eve_ctx);
635  if (unlikely(jb == NULL))
636  return TM_ECODE_OK;
637 
638 
639  /* alert */
640  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags,
641  &addr);
642 
643  if (IS_TUNNEL_PKT(p)) {
644  AlertJsonTunnel(p, jb);
645  }
646 
647  if (p->flow != NULL) {
648  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
649  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
650  }
651  /* including fileinfo data is configured by the metadata setting */
652  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
653  AlertAddFiles(p, jb, pa->tx_id);
654  }
655 
656  EveAddAppProto(p->flow, jb);
657  if (json_output_ctx->flags & LOG_JSON_FLOW) {
658  jb_open_object(jb, "flow");
659  EveAddFlow(p->flow, jb);
660  jb_close(jb);
661  }
662  }
663 
664  /* payload */
665  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
666  int stream = (p->proto == IPPROTO_TCP) ?
668  1 : 0) : 0;
669 
670  /* Is this a stream? If so, pack part of it into the payload field */
671  if (stream) {
672  uint8_t flag;
673 
674  MemBufferReset(payload);
675 
676  if (p->flowflags & FLOW_PKT_TOSERVER) {
677  flag = FLOW_PKT_TOCLIENT;
678  } else {
679  flag = FLOW_PKT_TOSERVER;
680  }
681 
682  StreamSegmentForEach((const Packet *)p, flag,
683  AlertJsonDumpStreamSegmentCallback,
684  (void *)payload);
685  if (payload->offset) {
686  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
687  unsigned long len = BASE64_BUFFER_SIZE(json_output_ctx->payload_buffer_size);
688  uint8_t encoded[len];
689  Base64Encode(payload->buffer, payload->offset, encoded, &len);
690  jb_set_string(jb, "payload", (char *)encoded);
691  }
692 
693  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
694  uint8_t printable_buf[payload->offset + 1];
695  uint32_t offset = 0;
696  PrintStringsToBuffer(printable_buf, &offset,
697  sizeof(printable_buf),
698  payload->buffer, payload->offset);
699  jb_set_string(jb, "payload_printable", (char *)printable_buf);
700  }
701  } else if (p->payload_len) {
702  /* Fallback on packet payload */
703  AlertAddPayload(json_output_ctx, jb, p);
704  }
705  } else {
706  /* This is a single packet and not a stream */
707  AlertAddPayload(json_output_ctx, jb, p);
708  }
709 
710  jb_set_uint(jb, "stream", stream);
711  }
712 
713  /* base64-encoded full packet */
714  if (json_output_ctx->flags & LOG_JSON_PACKET) {
715  EvePacket(p, jb, 0);
716  }
717 
718  if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) {
719  jb_set_string(jb, "xff", xff_buffer);
720  }
721 
722  OutputJsonBuilderBuffer(jb, aft->ctx);
723  jb_free(jb);
724  }
725 
726  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
728  JsonBuilder *packetjs =
729  CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
730  if (unlikely(packetjs != NULL)) {
731  EvePacket(p, packetjs, 0);
732  OutputJsonBuilderBuffer(packetjs, aft->ctx);
733  jb_free(packetjs);
734  }
735  }
736 
737  return TM_ECODE_OK;
738 }
739 
740 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
741 {
742  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
743  char timebuf[64];
744 
745  if (p->alerts.cnt == 0)
746  return TM_ECODE_OK;
747 
748  CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
749 
750  for (int i = 0; i < p->alerts.cnt; i++) {
751  const PacketAlert *pa = &p->alerts.alerts[i];
752  if (unlikely(pa->s == NULL)) {
753  continue;
754  }
755 
756  JsonBuilder *jb = jb_new_object();
757  if (unlikely(jb == NULL)) {
758  return TM_ECODE_OK;
759  }
760 
761  /* just the timestamp, no tuple */
762  jb_set_string(jb, "timestamp", timebuf);
763 
764  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL);
765 
766  OutputJsonBuilderBuffer(jb, aft->ctx);
767  jb_free(jb);
768  }
769 
770  return TM_ECODE_OK;
771 }
772 
773 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
774 {
775  JsonAlertLogThread *aft = thread_data;
776 
777  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
778  return AlertJson(tv, aft, p);
779  } else if (p->alerts.cnt > 0) {
780  return AlertJsonDecoderEvent(tv, aft, p);
781  }
782  return 0;
783 }
784 
785 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
786 {
787  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
788  return TRUE;
789  }
790  return FALSE;
791 }
792 
793 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
794 {
796  if (unlikely(aft == NULL))
797  return TM_ECODE_FAILED;
798 
799  if (initdata == NULL)
800  {
801  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
802  goto error_exit;
803  }
804 
805  /** Use the Output Context (file pointer and mutex) */
806  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
807 
808  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
809  if (aft->payload_buffer == NULL) {
810  goto error_exit;
811  }
812  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
813  if (!aft->ctx) {
814  goto error_exit;
815  }
816 
817  aft->json_output_ctx = json_output_ctx;
818 
819  *data = (void *)aft;
820  return TM_ECODE_OK;
821 
822 error_exit:
823  if (aft->payload_buffer != NULL) {
825  }
826  SCFree(aft);
827  return TM_ECODE_FAILED;
828 }
829 
830 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
831 {
832  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
833  if (aft == NULL) {
834  return TM_ECODE_OK;
835  }
836 
838  FreeEveThreadCtx(aft->ctx);
839 
840  /* clear memory */
841  memset(aft, 0, sizeof(JsonAlertLogThread));
842 
843  SCFree(aft);
844  return TM_ECODE_OK;
845 }
846 
847 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
848 {
849  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
850 
851  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
852 
853  if (json_output_ctx != NULL) {
854  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
855  if (xff_cfg != NULL) {
856  SCFree(xff_cfg);
857  }
858  SCFree(json_output_ctx);
859  }
860  SCFree(output_ctx);
861 }
862 
863 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
864 {
865  DEBUG_VALIDATE_BUG_ON(conf == NULL);
866  const char *setting = ConfNodeLookupChildValue(conf, name);
867  if (setting != NULL) {
868  if (ConfValIsTrue(setting)) {
869  *out_flags |= flag;
870  } else {
871  *out_flags &= ~flag;
872  }
873  }
874 }
875 
876 #define DEFAULT_LOG_FILENAME "alert.json"
877 
878 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
879  ConfNode *conf)
880 {
881  static bool warn_no_meta = false;
882  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
883  uint16_t flags = METADATA_DEFAULTS;
884 
885  if (conf != NULL) {
886  /* Check for metadata to enable/disable. */
887  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
888  if (metadata != NULL) {
889  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
891  } else if (ConfNodeHasChildren(metadata)) {
892  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
893  if (rule_metadata) {
894  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
895  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
896  &flags);
897  }
898  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
899  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
900  }
901  }
902 
903  /* Non-metadata toggles. */
904  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
905  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
906  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
907  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
908  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
909  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
910 
911  /* Check for obsolete configuration flags to enable specific
912  * protocols. These are now just aliases for enabling
913  * app-layer logging. */
914  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
915  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
916  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
917  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
918  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
919 
920  /* And check for obsolete configuration flags for enabling
921  * app-layer and flow as these have been moved under the
922  * metadata key. */
923  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
924  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
925 
926  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
927 
928  if (payload_buffer_value != NULL) {
929  uint32_t value;
930  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
931  SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
932  "payload-buffer-size - %s. Killing engine",
933  payload_buffer_value);
934  exit(EXIT_FAILURE);
935  } else {
936  payload_buffer_size = value;
937  }
938  }
939 
940  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
941  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
942  SCLogWarning(SC_WARN_ALERT_CONFIG, "HTTP body logging has been configured, however, "
943  "metadata logging has not been enabled. HTTP body logging will be disabled.");
945  warn_no_meta = true;
946  }
947  }
948 
949  json_output_ctx->payload_buffer_size = payload_buffer_size;
950  }
951 
954  }
955 
956  json_output_ctx->flags |= flags;
957 }
958 
959 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
960 {
961  HttpXFFCfg *xff_cfg = NULL;
962  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
963  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
964  if (likely(xff_cfg != NULL)) {
965  HttpXFFGetCfg(conf, xff_cfg);
966  }
967  }
968  return xff_cfg;
969 }
970 
971 /**
972  * \brief Create a new LogFileCtx for "fast" output style.
973  * \param conf The configuration node for this output.
974  * \return A LogFileCtx pointer on success, NULL on failure.
975  */
976 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
977 {
978  OutputInitResult result = { NULL, false };
979  OutputJsonCtx *ajt = parent_ctx->data;
980  AlertJsonOutputCtx *json_output_ctx = NULL;
981 
982  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
983  if (unlikely(output_ctx == NULL))
984  return result;
985 
986  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
987  if (unlikely(json_output_ctx == NULL)) {
988  goto error;
989  }
990  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
991 
992  json_output_ctx->file_ctx = ajt->file_ctx;
993  json_output_ctx->eve_ctx = ajt;
994 
995  JsonAlertLogSetupMetadata(json_output_ctx, conf);
996  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
997  if (json_output_ctx->xff_cfg == NULL) {
998  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
999  }
1000 
1001  output_ctx->data = json_output_ctx;
1002  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1003 
1004  result.ctx = output_ctx;
1005  result.ok = true;
1006  return result;
1007 
1008 error:
1009  if (json_output_ctx != NULL) {
1010  SCFree(json_output_ctx);
1011  }
1012  if (output_ctx != NULL) {
1013  SCFree(output_ctx);
1014  }
1015 
1016  return result;
1017 }
1018 
1020 {
1022  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1023  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1024  NULL);
1025 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
util-byte.h
tm-threads.h
Packet_::proto
uint8_t proto
Definition: decode.h:438
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
FileContainer_
Definition: util-file.h:107
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
DNP3Transaction_::response_done
uint8_t response_done
Definition: app-layer-dnp3.h:232
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:292
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-smtp.c:98
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:281
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:406
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:49
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
output-json-modbus.h
Signature_::sig_str
char * sig_str
Definition: detect.h:584
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:294
CreateIsoTimeString
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:213
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state)
Definition: output-json-tls.c:299
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:260
ConfNode_::val
char * val
Definition: conf.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
output-json-mqtt.h
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:97
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DNP3Transaction_::request_done
uint8_t request_done
Definition: app-layer-dnp3.h:218
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:108
PacketAlerts_::alerts
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:302
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:112
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:42
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:73
Flow_::proto
uint8_t proto
Definition: flow.h:372
StreamSegmentForEach
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:77
Packet_::payload
uint8_t * payload
Definition: decode.h:553
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:301
DNP3Transaction_::has_request
uint8_t has_request
Definition: app-layer-dnp3.h:217
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:251
JsonModbusAddMetadata
bool JsonModbusAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-modbus.c:139
Packet_::flags
uint32_t flags
Definition: decode.h:451
threads.h
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:476
OutputJsonCtx_
Definition: output-json.h:81
AlertJsonHeader
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
Definition: output-json-alert.c:340
Flow_
Flow data structure.
Definition: flow.h:350
util-syslog.h
logged
int logged
Definition: app-layer-htp.h:1
LogFileCtx_
Definition: util-logopenfile.h:62
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:63
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:974
output-json-tls.h
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:44
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:53
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:222
output-json-sip.h
rust.h
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:861
util-privs.h
proto
uint8_t proto
Definition: decode-template.h:0
m
SCMutex m
Definition: flow-hash.h:6
AlertJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-alert.c:113
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:447
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:554
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:568
SC_BASE64_OK
@ SC_BASE64_OK
Definition: util-crypt.h:39
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-http.c:521
DNP3Transaction_::has_response
uint8_t has_response
Definition: app-layer-dnp3.h:231
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1102
util-unittest-helper.h
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:228
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:282
JsonDNSLogAnswer
JsonBuilder * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:294
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:279
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:103
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:52
Signature_::gid
uint32_t gid
Definition: detect.h:551
output-json-dnp3.h
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:53
app-layer-htp.h
JsonAlertLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-alert.c:119
Base64Encode
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:35
util-debug.h
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:86
JsonRFBAddMetadata
bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-rfb.c:49
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:44
output-json-rfb.h
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:92
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
app-layer-dnp3.h
output-json.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
MemBufferWriteRaw
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
EveIKEAddMetadata
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-ike.c:66
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:88
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:109
SC_ERR_ALERT_PAYLOAD_BUFFER
@ SC_ERR_ALERT_PAYLOAD_BUFFER
Definition: util-error.h:310
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:838
util-print.h
detect-engine-mpm.h
util-crypt.h
FileContainer_::head
File * head
Definition: util-file.h:108
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
EveFileInfo
void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
Definition: output-json.c:127
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
OutputInitResult_::ok
bool ok
Definition: output.h:45
JsonDNP3LogResponse
void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:174
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:441
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:116
TRUE
#define TRUE
Definition: suricata-common.h:33
SC_WARN_ALERT_CONFIG
@ SC_WARN_ALERT_CONFIG
Definition: util-error.h:357
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:518
JsonAddrInfo_
Definition: output-json.h:49
Packet_
Definition: decode.h:416
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:58
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:105
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:90
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:253
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:79
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:249
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:51
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:911
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:110
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:59
util-proto-name.h
ConfNodeHasChildren
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:795
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:223
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:91
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1074
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint32_t tx_id, JsonBuilder *js)
Definition: output-json-email-common.c:374
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:111
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:54
Signature_::class_msg
char * class_msg
Definition: detect.h:578
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:814
PacketAlert_::flags
uint8_t flags
Definition: decode.h:280
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:73
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:296
File_
Definition: util-file.h:72
OutputInitResult_
Definition: output.h:43
Packet_::flow
struct Flow_ * flow
Definition: decode.h:453
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:607
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
flags
uint8_t flags
Definition: decode-gre.h:0
Packet_::ts
struct timeval ts
Definition: decode.h:459
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:52
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:215
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:45
AlertJsonOutputCtx_
Definition: output-json-alert.c:107
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:118
output-json-nfs.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
File_::next
struct File_ * next
Definition: util-file.h:86
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
EveAddAppProto
void EveAddAppProto(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:168
Signature_::rev
uint32_t rev
Definition: detect.h:552
util-classification-config.h
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:450
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Signature_::prio
int prio
Definition: detect.h:553
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:185
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
output-json-dns.h
FlowGetAppProtocol
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1097
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
Packet_::root
struct Packet_ * root
Definition: decode.h:590
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:50
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:582
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:117
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Signature_::id
uint32_t id
Definition: detect.h:550
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:441
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:95
output-json-ike.h
detect-parse.h
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:89
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:55
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:590
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:51
EveFTPDataAddMetadata
void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb)
Definition: app-layer-ftp.c:1400
output-json-ssh.h
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
JsonDNSLogQuery
JsonBuilder * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:272
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:94
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:99
DNP3State_
Per flow DNP3 state.
Definition: app-layer-dnp3.h:258
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:244
BASE64_BUFFER_SIZE
#define BASE64_BUFFER_SIZE(x)
Definition: util-crypt.h:36
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:93
JsonDNP3LogRequest
void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:145
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:54
PacketAlert_
Definition: decode.h:277
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:491
File_::txid
uint64_t txid
Definition: util-file.h:77
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
likely
#define likely(expr)
Definition: util-optimize.h:32
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:113
output-json-smtp.h
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1125
Signature_::msg
char * msg
Definition: detect.h:575
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4199
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-smb.c:50
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:367
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:96
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:259
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:290
JsonSIPAddMetadata
void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id)
Definition: output-json-sip.c:52
JsonMQTTAddMetadata
bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-mqtt.c:63
SCMutex
#define SCMutex
Definition: threads-debug.h:114
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h
Packet_::tunnel_mutex
SCMutex tunnel_mutex
Definition: decode.h:600
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1019
DNP3Transaction_
DNP3 transaction.
Definition: app-layer-dnp3.h:210
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:887
EveAddFlow
void EveAddFlow(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:189
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:842