suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "detect-metadata.h"
47 #include "app-layer-parser.h"
48 #include "app-layer-dnp3.h"
49 #include "app-layer-htp.h"
50 #include "app-layer-htp-xff.h"
51 #include "app-layer-ftp.h"
53 #include "util-syslog.h"
54 #include "util-logopenfile.h"
55 
56 #include "output.h"
57 #include "output-json.h"
58 #include "output-json-alert.h"
59 #include "output-json-dnp3.h"
60 #include "output-json-dns.h"
61 #include "output-json-http.h"
62 #include "output-json-tls.h"
63 #include "output-json-ssh.h"
64 #include "output-json-smtp.h"
66 #include "output-json-nfs.h"
67 #include "output-json-smb.h"
68 #include "output-json-flow.h"
69 #include "output-json-sip.h"
70 #include "output-json-rfb.h"
71 
72 #include "util-byte.h"
73 #include "util-privs.h"
74 #include "util-print.h"
75 #include "util-proto-name.h"
76 #include "util-optimize.h"
77 #include "util-buffer.h"
78 #include "util-crypt.h"
79 #include "util-validate.h"
80 
81 #define MODULE_NAME "JsonAlertLog"
82 
83 #define LOG_JSON_PAYLOAD BIT_U16(0)
84 #define LOG_JSON_PACKET BIT_U16(1)
85 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
86 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
87 #define LOG_JSON_APP_LAYER BIT_U16(4)
88 #define LOG_JSON_FLOW BIT_U16(5)
89 #define LOG_JSON_HTTP_BODY BIT_U16(6)
90 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
91 #define LOG_JSON_RULE_METADATA BIT_U16(8)
92 #define LOG_JSON_RULE BIT_U16(9)
93 
94 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
95  LOG_JSON_APP_LAYER | \
96  LOG_JSON_RULE_METADATA)
97 
98 #define JSON_BODY_LOGGING (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
99 
100 #define JSON_STREAM_BUFFER_SIZE 4096
101 
102 typedef struct AlertJsonOutputCtx_ {
104  uint16_t flags;
110 
111 typedef struct JsonAlertLogThread_ {
112  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
118 
119 /* Callback function to pack payload contents from a stream into a buffer
120  * so we can report them in JSON output. */
121 static int AlertJsonDumpStreamSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
122 {
123  MemBuffer *payload = (MemBuffer *)data;
124  MemBufferWriteRaw(payload, buf, buflen);
125 
126  return 1;
127 }
128 
129 static void AlertJsonTls(const Flow *f, json_t *js)
130 {
131  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
132  if (ssl_state) {
133  json_t *tjs = json_object();
134  if (unlikely(tjs == NULL))
135  return;
136 
137  JsonTlsLogJSONBasic(tjs, ssl_state);
138  JsonTlsLogJSONExtended(tjs, ssl_state);
139 
140  json_object_set_new(js, "tls", tjs);
141  }
142 
143  return;
144 }
145 
146 static void AlertJsonSsh(const Flow *f, json_t *js)
147 {
148  SshState *ssh_state = (SshState *)FlowGetAppState(f);
149  if (ssh_state) {
150  json_t *tjs = json_object();
151  if (unlikely(tjs == NULL))
152  return;
153 
154  JsonSshLogJSON(tjs, ssh_state);
155 
156  json_object_set_new(js, "ssh", tjs);
157  }
158 
159  return;
160 }
161 
162 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, json_t *js)
163 {
164  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
165  if (dnp3_state) {
167  dnp3_state, tx_id);
168  if (tx) {
169  json_t *dnp3js = json_object();
170  if (likely(dnp3js != NULL)) {
171  if (tx->has_request && tx->request_done) {
172  json_t *request = JsonDNP3LogRequest(tx);
173  if (request != NULL) {
174  json_object_set_new(dnp3js, "request", request);
175  }
176  }
177  if (tx->has_response && tx->response_done) {
178  json_t *response = JsonDNP3LogResponse(tx);
179  if (response != NULL) {
180  json_object_set_new(dnp3js, "response", response);
181  }
182  }
183  json_object_set_new(js, "dnp3", dnp3js);
184  }
185  }
186  }
187 
188  return;
189 }
190 
191 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, json_t *js)
192 {
193  void *dns_state = (void *)FlowGetAppState(f);
194  if (dns_state) {
195  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
196  dns_state, tx_id);
197  if (txptr) {
198  json_t *dnsjs = json_object();
199  if (unlikely(dnsjs == NULL)) {
200  return;
201  }
202  json_t *qjs = JsonDNSLogQuery(txptr, tx_id);
203  if (qjs != NULL) {
204  json_object_set_new(dnsjs, "query", qjs);
205  }
206  json_t *ajs = JsonDNSLogAnswer(txptr, tx_id);
207  if (ajs != NULL) {
208  json_object_set_new(dnsjs, "answer", ajs);
209  }
210  json_object_set_new(js, "dns", dnsjs);
211  }
212  }
213  return;
214 }
215 
216 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
217  json_t *js, json_t* ajs)
218 {
219  json_t *sjs = json_object();
220  if (sjs == NULL) {
221  return;
222  }
223 
224  json_t *tjs = json_object();
225  if (tjs == NULL) {
226  json_decref(sjs);
227  return;
228  }
229 
230  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
231  json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
232  json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
233  switch (p->proto) {
234  case IPPROTO_ICMP:
235  case IPPROTO_ICMPV6:
236  break;
237  case IPPROTO_UDP:
238  case IPPROTO_TCP:
239  case IPPROTO_SCTP:
240  json_object_set(sjs, "port", json_object_get(js, "src_port"));
241  json_object_set(tjs, "port", json_object_get(js, "dest_port"));
242  break;
243  }
244  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
245  json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
246  json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
247  switch (p->proto) {
248  case IPPROTO_ICMP:
249  case IPPROTO_ICMPV6:
250  break;
251  case IPPROTO_UDP:
252  case IPPROTO_TCP:
253  case IPPROTO_SCTP:
254  json_object_set(sjs, "port", json_object_get(js, "dest_port"));
255  json_object_set(tjs, "port", json_object_get(js, "src_port"));
256  break;
257  }
258  }
259  json_object_set_new(ajs, "source", sjs);
260  json_object_set_new(ajs, "target", tjs);
261 }
262 
263 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx, const PacketAlert *pa, json_t *ajs)
264 {
265  if (pa->s->metadata) {
266  const DetectMetadata* kv = pa->s->metadata;
267  json_t *mjs = json_object();
268  if (unlikely(mjs == NULL)) {
269  return;
270  }
271  while (kv) {
272  json_t *jkey = json_object_get(mjs, kv->key);
273  if (jkey == NULL) {
274  jkey = json_array();
275  if (unlikely(jkey == NULL))
276  break;
277  json_array_append_new(jkey, json_string(kv->value));
278  json_object_set_new(mjs, kv->key, jkey);
279  } else {
280  json_array_append_new(jkey, json_string(kv->value));
281  }
282 
283  kv = kv->next;
284  }
285 
286  if (json_object_size(mjs) == 0) {
287  json_decref(mjs);
288  } else {
289  json_object_set_new(ajs, "metadata", mjs);
290  }
291  }
292 }
293 
294 
295 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js,
296  uint16_t flags)
297 {
298  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
299  const char *action = "allowed";
300  /* use packet action if rate_filter modified the action */
304  action = "blocked";
305  }
306  } else {
308  action = "blocked";
309  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
310  action = "blocked";
311  }
312  }
313 
314  /* Add tx_id to root element for correlation with other events. */
315  json_object_del(js, "tx_id");
316  if (pa->flags & PACKET_ALERT_FLAG_TX)
317  json_object_set_new(js, "tx_id", json_integer(pa->tx_id));
318 
319  json_t *ajs = json_object();
320  if (ajs == NULL) {
321  return;
322  }
323 
324  json_object_set_new(ajs, "action", json_string(action));
325  json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
326  json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
327  json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
328  json_object_set_new(ajs, "signature",
329  SCJsonString((pa->s->msg) ? pa->s->msg : ""));
330  json_object_set_new(ajs, "category",
331  SCJsonString((pa->s->class_msg) ? pa->s->class_msg : ""));
332  json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
333 
334  if (p->tenant_id > 0)
335  json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
336 
337  if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
338  AlertJsonSourceTarget(p, pa, js, ajs);
339  }
340 
341  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
342  AlertJsonMetadata(json_output_ctx, pa, ajs);
343  }
344 
345  /* alert */
346  json_object_set_new(js, "alert", ajs);
347 }
348 
349 static void AlertJsonTunnel(const Packet *p, json_t *js)
350 {
351  json_t *tunnel = json_object();
352  if (tunnel == NULL)
353  return;
354 
355  if (p->root == NULL) {
356  json_decref(tunnel);
357  return;
358  }
359 
360  /* get a lock to access root packet fields */
361  SCMutex *m = &p->root->tunnel_mutex;
362 
363  SCMutexLock(m);
364  JsonFiveTuple((const Packet *)p->root, 0, tunnel);
365  SCMutexUnlock(m);
366 
367  json_object_set_new(tunnel, "depth", json_integer(p->recursion_level));
368 
369  json_object_set_new(js, "tunnel", tunnel);
370 }
371 
372 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, json_t *js, const Packet *p)
373 {
374  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
375  unsigned long len = p->payload_len * 2 + 1;
376  uint8_t encoded[len];
377  if (Base64Encode(p->payload, p->payload_len, encoded, &len) == SC_BASE64_OK) {
378  json_object_set_new(js, "payload", json_string((char *)encoded));
379  }
380  }
381 
382  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
383  uint8_t printable_buf[p->payload_len + 1];
384  uint32_t offset = 0;
385  PrintStringsToBuffer(printable_buf, &offset,
386  p->payload_len + 1,
387  p->payload, p->payload_len);
388  printable_buf[p->payload_len] = '\0';
389  json_object_set_new(js, "payload_printable", json_string((char *)printable_buf));
390  }
391 }
392 
393 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
394 {
395  MemBuffer *payload = aft->payload_buffer;
396  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
397  json_t *hjs = NULL;
398 
399  int i;
400 
401  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
402  return TM_ECODE_OK;
403 
404  json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "alert");
405  if (unlikely(js == NULL))
406  return TM_ECODE_OK;
407 
408  JsonAddCommonOptions(&json_output_ctx->cfg, p, p->flow, js);
409 
410  for (i = 0; i < p->alerts.cnt; i++) {
411  const PacketAlert *pa = &p->alerts.alerts[i];
412  if (unlikely(pa->s == NULL)) {
413  continue;
414  }
415 
417 
418  /* alert */
419  AlertJsonHeader(json_output_ctx, p, pa, js, json_output_ctx->flags);
420 
421  if (IS_TUNNEL_PKT(p)) {
422  AlertJsonTunnel(p, js);
423  }
424 
425  if (json_output_ctx->flags & LOG_JSON_APP_LAYER && p->flow != NULL) {
427  switch (proto) {
428  case ALPROTO_HTTP:
429  hjs = JsonHttpAddMetadata(p->flow, pa->tx_id);
430  if (hjs) {
431  if (json_output_ctx->flags & LOG_JSON_HTTP_BODY) {
433  }
434  if (json_output_ctx->flags & LOG_JSON_HTTP_BODY_BASE64) {
435  JsonHttpLogJSONBodyBase64(hjs, p->flow, pa->tx_id);
436  }
437  json_object_set_new(js, "http", hjs);
438  }
439  break;
440  case ALPROTO_TLS:
441  AlertJsonTls(p->flow, js);
442  break;
443  case ALPROTO_SSH:
444  AlertJsonSsh(p->flow, js);
445  break;
446  case ALPROTO_SMTP:
447  hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id);
448  if (hjs) {
449  json_object_set_new(js, "smtp", hjs);
450  }
451 
452  hjs = JsonEmailAddMetadata(p->flow, pa->tx_id);
453  if (hjs) {
454  json_object_set_new(js, "email", hjs);
455  }
456  break;
457  case ALPROTO_NFS:
458  hjs = JsonNFSAddMetadataRPC(p->flow, pa->tx_id);
459  if (hjs)
460  json_object_set_new(js, "rpc", hjs);
461  hjs = JsonNFSAddMetadata(p->flow, pa->tx_id);
462  if (hjs)
463  json_object_set_new(js, "nfs", hjs);
464  break;
465  case ALPROTO_SMB:
466  hjs = JsonSMBAddMetadata(p->flow, pa->tx_id);
467  if (hjs)
468  json_object_set_new(js, "smb", hjs);
469  break;
470  case ALPROTO_SIP:
471  hjs = JsonSIPAddMetadata(p->flow, pa->tx_id);
472  if (hjs)
473  json_object_set_new(js, "sip", hjs);
474  break;
475  case ALPROTO_RFB:
476  hjs = JsonRFBAddMetadata(p->flow, pa->tx_id);
477  if (hjs)
478  json_object_set_new(js, "rfb", hjs);
479  break;
480  case ALPROTO_FTPDATA:
481  hjs = JsonFTPDataAddMetadata(p->flow);
482  if (hjs)
483  json_object_set_new(js, "ftp-data", hjs);
484  break;
485  case ALPROTO_DNP3:
486  AlertJsonDnp3(p->flow, pa->tx_id, js);
487  break;
488  case ALPROTO_DNS:
489  AlertJsonDns(p->flow, pa->tx_id, js);
490  break;
491  default:
492  break;
493  }
494  }
495 
496  if (p->flow) {
497  if (json_output_ctx->flags & LOG_JSON_FLOW) {
498  hjs = json_object();
499  if (hjs != NULL) {
500  JsonAddFlow(p->flow, js, hjs);
501  json_object_set_new(js, "flow", hjs);
502  }
503  } else {
504  json_object_set_new(js, "app_proto",
505  json_string(AppProtoToString(p->flow->alproto)));
506  }
507  }
508 
509  /* payload */
510  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
511  int stream = (p->proto == IPPROTO_TCP) ?
513  1 : 0) : 0;
514 
515  /* Is this a stream? If so, pack part of it into the payload field */
516  if (stream) {
517  uint8_t flag;
518 
519  MemBufferReset(payload);
520 
521  if (p->flowflags & FLOW_PKT_TOSERVER) {
522  flag = FLOW_PKT_TOCLIENT;
523  } else {
524  flag = FLOW_PKT_TOSERVER;
525  }
526 
527  StreamSegmentForEach((const Packet *)p, flag,
528  AlertJsonDumpStreamSegmentCallback,
529  (void *)payload);
530  if (payload->offset) {
531  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
532  unsigned long len = json_output_ctx->payload_buffer_size * 2;
533  uint8_t encoded[len];
534  Base64Encode(payload->buffer, payload->offset, encoded, &len);
535  json_object_set_new(js, "payload", json_string((char *)encoded));
536  }
537 
538  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
539  uint8_t printable_buf[payload->offset + 1];
540  uint32_t offset = 0;
541  PrintStringsToBuffer(printable_buf, &offset,
542  sizeof(printable_buf),
543  payload->buffer, payload->offset);
544  json_object_set_new(js, "payload_printable",
545  json_string((char *)printable_buf));
546  }
547  } else if (p->payload_len) {
548  /* Fallback on packet payload */
549  AlertAddPayload(json_output_ctx, js, p);
550  }
551  } else {
552  /* This is a single packet and not a stream */
553  AlertAddPayload(json_output_ctx, js, p);
554  }
555 
556  json_object_set_new(js, "stream", json_integer(stream));
557  }
558 
559  /* base64-encoded full packet */
560  if (json_output_ctx->flags & LOG_JSON_PACKET) {
561  JsonPacket(p, js, 0);
562  }
563 
564  /* signature text */
565  if (json_output_ctx->flags & LOG_JSON_RULE) {
566  hjs = json_object_get(js, "alert");
567  if (json_is_object(hjs))
568  json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
569  }
570 
571  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
572  json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
573 
574  /* xff header */
575  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
576  int have_xff_ip = 0;
577  char buffer[XFF_MAXLEN];
578 
579  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
580  if (pa->flags & PACKET_ALERT_FLAG_TX) {
581  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
582  } else {
583  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, buffer, XFF_MAXLEN);
584  }
585  }
586 
587  if (have_xff_ip) {
588  if (xff_cfg->flags & XFF_EXTRADATA) {
589  json_object_set_new(js, "xff", json_string(buffer));
590  }
591  else if (xff_cfg->flags & XFF_OVERWRITE) {
592  if (p->flowflags & FLOW_PKT_TOCLIENT) {
593  json_object_set(js, "dest_ip", json_string(buffer));
594  } else {
595  json_object_set(js, "src_ip", json_string(buffer));
596  }
597  }
598  }
599  }
600 
601  OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
602  json_object_del(js, "alert");
603  }
604  json_object_clear(js);
605  json_decref(js);
606 
607  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
610  json_t *packetjs = CreateJSONHeader(p, LOG_DIR_PACKET, "packet");
611  if (unlikely(packetjs != NULL)) {
612  JsonPacket(p, packetjs, 0);
613  OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
614  json_decref(packetjs);
615  }
616  }
617 
618  return TM_ECODE_OK;
619 }
620 
621 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
622 {
623  int i;
624  char timebuf[64];
625  json_t *js;
626 
627  if (p->alerts.cnt == 0)
628  return TM_ECODE_OK;
629 
630  CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
631 
632  for (i = 0; i < p->alerts.cnt; i++) {
634 
635  const PacketAlert *pa = &p->alerts.alerts[i];
636  if (unlikely(pa->s == NULL)) {
637  continue;
638  }
639 
640  const char *action = "allowed";
642  action = "blocked";
643  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
644  action = "blocked";
645  }
646 
647  js = json_object();
648  if (js == NULL)
649  return TM_ECODE_OK;
650 
651  json_t *ajs = json_object();
652  if (ajs == NULL) {
653  json_decref(js);
654  return TM_ECODE_OK;
655  }
656 
657  /* time & tx */
658  json_object_set_new(js, "timestamp", json_string(timebuf));
659 
660  /* tuple */
661  //json_object_set_new(js, "srcip", json_string(srcip));
662  //json_object_set_new(js, "sp", json_integer(p->sp));
663  //json_object_set_new(js, "dstip", json_string(dstip));
664  //json_object_set_new(js, "dp", json_integer(p->dp));
665  //json_object_set_new(js, "proto", json_integer(proto));
666 
667  json_object_set_new(ajs, "action", json_string(action));
668  json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
669  json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
670  json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
671  json_object_set_new(ajs, "signature",
672  json_string((pa->s->msg) ? pa->s->msg : ""));
673  json_object_set_new(ajs, "category",
674  json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
675  json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
676 
677  if (p->tenant_id > 0)
678  json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
679 
680  /* alert */
681  json_object_set_new(js, "alert", ajs);
682  OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
683  json_object_clear(js);
684  json_decref(js);
685  }
686 
687  return TM_ECODE_OK;
688 }
689 
690 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
691 {
692  JsonAlertLogThread *aft = thread_data;
693 
694  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
695  return AlertJson(tv, aft, p);
696  } else if (p->alerts.cnt > 0) {
697  return AlertJsonDecoderEvent(tv, aft, p);
698  }
699  return 0;
700 }
701 
702 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
703 {
704  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
705  return TRUE;
706  }
707  return FALSE;
708 }
709 
710 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
711 {
713  if (unlikely(aft == NULL))
714  return TM_ECODE_FAILED;
715  memset(aft, 0, sizeof(JsonAlertLogThread));
716  if(initdata == NULL)
717  {
718  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
719  SCFree(aft);
720  return TM_ECODE_FAILED;
721  }
722 
724  if (aft->json_buffer == NULL) {
725  SCFree(aft);
726  return TM_ECODE_FAILED;
727  }
728 
729  /** Use the Output Context (file pointer and mutex) */
730  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
731  aft->file_ctx = json_output_ctx->file_ctx;
732  aft->json_output_ctx = json_output_ctx;
733 
734  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
735  if (aft->payload_buffer == NULL) {
737  SCFree(aft);
738  return TM_ECODE_FAILED;
739  }
740 
741  *data = (void *)aft;
742  return TM_ECODE_OK;
743 }
744 
745 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
746 {
747  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
748  if (aft == NULL) {
749  return TM_ECODE_OK;
750  }
751 
754 
755  /* clear memory */
756  memset(aft, 0, sizeof(JsonAlertLogThread));
757 
758  SCFree(aft);
759  return TM_ECODE_OK;
760 }
761 
762 static void JsonAlertLogDeInitCtx(OutputCtx *output_ctx)
763 {
764  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
765  if (json_output_ctx != NULL) {
766  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
767  if (xff_cfg != NULL) {
768  SCFree(xff_cfg);
769  }
770  LogFileFreeCtx(json_output_ctx->file_ctx);
771  SCFree(json_output_ctx);
772  }
773  SCFree(output_ctx);
774 }
775 
776 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
777 {
778  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
779 
780  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
781 
782  if (json_output_ctx != NULL) {
783  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
784  if (xff_cfg != NULL) {
785  SCFree(xff_cfg);
786  }
787  SCFree(json_output_ctx);
788  }
789  SCFree(output_ctx);
790 }
791 
792 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
793 {
794  DEBUG_VALIDATE_BUG_ON(conf == NULL);
795  const char *setting = ConfNodeLookupChildValue(conf, name);
796  if (setting != NULL) {
797  if (ConfValIsTrue(setting)) {
798  *out_flags |= flag;
799  } else {
800  *out_flags &= ~flag;
801  }
802  }
803 }
804 
805 #define DEFAULT_LOG_FILENAME "alert.json"
806 
807 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
808  ConfNode *conf)
809 {
810  static bool warn_no_meta = false;
811  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
812  uint16_t flags = METADATA_DEFAULTS;
813 
814  if (conf != NULL) {
815  /* Check for metadata to enable/disable. */
816  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
817  if (metadata != NULL) {
818  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
820  } else if (ConfNodeHasChildren(metadata)) {
821  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
822  if (rule_metadata) {
823  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
824  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
825  &flags);
826  }
827  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
828  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
829  }
830  }
831 
832  /* Non-metadata toggles. */
833  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
834  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
835  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
836  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
837  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
838  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
839 
840  /* Check for obsolete configuration flags to enable specific
841  * protocols. These are now just aliases for enabling
842  * app-layer logging. */
843  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
844  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
845  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
846  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
847  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
848 
849  /* And check for obsolete configuration flags for enabling
850  * app-layer and flow as these have been moved under the
851  * metadata key. */
852  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
853  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
854 
855  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
856 
857  if (payload_buffer_value != NULL) {
858  uint32_t value;
859  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
860  SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
861  "payload-buffer-size - %s. Killing engine",
862  payload_buffer_value);
863  exit(EXIT_FAILURE);
864  } else {
865  payload_buffer_size = value;
866  }
867  }
868 
869  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
870  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
871  SCLogWarning(SC_WARN_ALERT_CONFIG, "HTTP body logging has been configured, however, "
872  "metadata logging has not been enabled. HTTP body logging will be disabled.");
874  warn_no_meta = true;
875  }
876  }
877 
878  json_output_ctx->payload_buffer_size = payload_buffer_size;
879  }
880 
883  }
884 
885  json_output_ctx->flags |= flags;
886 }
887 
888 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
889 {
890  HttpXFFCfg *xff_cfg = NULL;
891  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
892  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
893  if (likely(xff_cfg != NULL)) {
894  HttpXFFGetCfg(conf, xff_cfg);
895  }
896  }
897  return xff_cfg;
898 }
899 
900 /**
901  * \brief Create a new LogFileCtx for "fast" output style.
902  * \param conf The configuration node for this output.
903  * \return A LogFileCtx pointer on success, NULL on failure.
904  */
905 static OutputInitResult JsonAlertLogInitCtx(ConfNode *conf)
906 {
907  OutputInitResult result = { NULL, false };
908  AlertJsonOutputCtx *json_output_ctx = NULL;
909  LogFileCtx *logfile_ctx = LogFileNewCtx();
910  if (logfile_ctx == NULL) {
911  SCLogDebug("AlertFastLogInitCtx2: Could not create new LogFileCtx");
912  return result;
913  }
914 
915  if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
916  LogFileFreeCtx(logfile_ctx);
917  return result;
918  }
919 
920  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
921  if (unlikely(output_ctx == NULL)) {
922  LogFileFreeCtx(logfile_ctx);
923  return result;
924  }
925 
926  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
927  if (unlikely(json_output_ctx == NULL)) {
928  LogFileFreeCtx(logfile_ctx);
929  SCFree(output_ctx);
930  return result;
931  }
932  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
933 
934  json_output_ctx->file_ctx = logfile_ctx;
935 
936  JsonAlertLogSetupMetadata(json_output_ctx, conf);
937  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
938 
939  output_ctx->data = json_output_ctx;
940  output_ctx->DeInit = JsonAlertLogDeInitCtx;
941 
942  result.ctx = output_ctx;
943  result.ok = true;
944  return result;
945 }
946 
947 /**
948  * \brief Create a new LogFileCtx for "fast" output style.
949  * \param conf The configuration node for this output.
950  * \return A LogFileCtx pointer on success, NULL on failure.
951  */
952 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
953 {
954  OutputInitResult result = { NULL, false };
955  OutputJsonCtx *ajt = parent_ctx->data;
956  AlertJsonOutputCtx *json_output_ctx = NULL;
957 
958  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
959  if (unlikely(output_ctx == NULL))
960  return result;
961 
962  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
963  if (unlikely(json_output_ctx == NULL)) {
964  goto error;
965  }
966  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
967 
968  json_output_ctx->file_ctx = ajt->file_ctx;
969  json_output_ctx->cfg = ajt->cfg;
970 
971  JsonAlertLogSetupMetadata(json_output_ctx, conf);
972  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
973  if (json_output_ctx->xff_cfg == NULL) {
974  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
975  }
976 
977  output_ctx->data = json_output_ctx;
978  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
979 
980  result.ctx = output_ctx;
981  result.ok = true;
982  return result;
983 
984 error:
985  if (json_output_ctx != NULL) {
986  SCFree(json_output_ctx);
987  }
988  if (output_ctx != NULL) {
989  SCFree(output_ctx);
990  }
991 
992  return result;
993 }
994 
996 {
998  JsonAlertLogInitCtx, JsonAlertLogger, JsonAlertLogCondition,
999  JsonAlertLogThreadInit, JsonAlertLogThreadDeinit, NULL);
1001  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1002  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1003  NULL);
1004 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
util-byte.h
tm-threads.h
JsonSIPAddMetadata
json_t * JsonSIPAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-sip.c:62
Packet_::proto
uint8_t proto
Definition: decode.h:431
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
len
uint8_t len
Definition: app-layer-dnp3.h:4
DNP3Transaction_::response_done
uint8_t response_done
Definition: app-layer-dnp3.h:234
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:285
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:274
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:82
Signature_::sig_str
char * sig_str
Definition: detect.h:589
offset
uint64_t offset
Definition: util-streaming-buffer.h:2
DetectMetadata_::value
const char * value
Definition: detect-metadata.h:34
DetectMetadata_::key
const char * key
Definition: detect-metadata.h:32
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:287
CreateIsoTimeString
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:194
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
JsonAlertLogThread_::json_buffer
MemBuffer * json_buffer
Definition: output-json-alert.c:114
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:253
ConfNode_::val
char * val
Definition: conf.h:34
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:81
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:517
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:92
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DNP3Transaction_::request_done
uint8_t request_done
Definition: app-layer-dnp3.h:220
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:103
PacketAlerts_::alerts
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:295
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:107
Flow_::proto
uint8_t proto
Definition: flow.h:361
StreamSegmentForEach
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Run callback for all segments.
Definition: stream.c:39
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:71
Packet_::payload
uint8_t * payload
Definition: decode.h:541
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:294
DNP3Transaction_::has_request
uint8_t has_request
Definition: app-layer-dnp3.h:219
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:251
Signature_::metadata
DetectMetadata * metadata
Definition: detect.h:587
Packet_::flags
uint32_t flags
Definition: decode.h:444
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:44
threads.h
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:452
OutputJsonCtx_
Definition: output-json.h:78
Flow_
Flow data structure.
Definition: flow.h:342
OutputJsonCommonSettings_
Definition: output-json.h:69
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
util-syslog.h
LogFileCtx_
Definition: util-logopenfile.h:52
JsonSMTPAddMetadata
json_t * JsonSMTPAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-smtp.c:118
AlertJsonHeader
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js, uint16_t flags)
Definition: output-json-alert.c:295
output-json-tls.h
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:53
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
output-json-sip.h
util-privs.h
proto
uint8_t proto
Definition: decode-template.h:2
m
SCMutex m
Definition: flow-hash.h:5
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:79
JsonNFSAddMetadataRPC
json_t * JsonNFSAddMetadataRPC(const Flow *f, uint64_t tx_id)
Definition: output-json-nfs.c:51
JsonTlsLogJSONBasic
void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state)
Definition: output-json-tls.c:298
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:542
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:556
SC_BASE64_OK
@ SC_BASE64_OK
Definition: util-crypt.h:37
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:107
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
DNP3Transaction_::has_response
uint8_t has_response
Definition: app-layer-dnp3.h:233
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1087
util-unittest-helper.h
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:78
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:224
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:275
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:305
PacketAlert_::action
uint8_t action
Definition: decode.h:272
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:98
detect-reference.h
Signature_::gid
uint32_t gid
Definition: detect.h:556
JsonHttpAddMetadata
json_t * JsonHttpAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-http.c:565
output-json-dnp3.h
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
app-layer-htp.h
JsonPacket
void JsonPacket(const Packet *p, json_t *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:408
JsonRFBAddMetadata
json_t * JsonRFBAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-rfb.c:60
Base64Encode
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
Definition: util-crypt.c:272
JsonSshLogJSON
void JsonSshLogJSON(json_t *tjs, SshState *ssh_state)
Definition: output-json-ssh.c:67
util-debug.h
output-json-flow.h
SshState_
Definition: app-layer-ssh.h:72
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:81
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
output-json-rfb.h
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:87
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
app-layer-dnp3.h
output-json.h
JsonDNP3LogResponse
json_t * JsonDNP3LogResponse(DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:244
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
MemBufferWriteRaw
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:83
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:104
SC_ERR_ALERT_PAYLOAD_BUFFER
@ SC_ERR_ALERT_PAYLOAD_BUFFER
Definition: util-error.h:310
util-print.h
detect-engine-mpm.h
util-crypt.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(json_t *tjs, SSLState *state)
Definition: output-json-tls.c:366
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
OutputInitResult_::ok
bool ok
Definition: output.h:43
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:111
TRUE
#define TRUE
Definition: suricata-common.h:33
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
SC_WARN_ALERT_CONFIG
@ SC_WARN_ALERT_CONFIG
Definition: util-error.h:357
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:523
Packet_
Definition: decode.h:408
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:100
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:85
conf.h
JsonDNP3LogRequest
json_t * JsonDNP3LogRequest(DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:199
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:253
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:77
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:249
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:871
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:105
util-proto-name.h
ConfNodeHasChildren
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:796
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:86
DetectMetadata_
Signature metadata list.
Definition: detect-metadata.h:30
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1047
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:106
Signature_::class_msg
char * class_msg
Definition: detect.h:583
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
PacketAlert_::flags
uint8_t flags
Definition: decode.h:273
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:289
OutputInitResult_
Definition: output.h:41
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:595
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:37
flags
uint8_t flags
Definition: decode-gre.h:2
Packet_::ts
struct timeval ts
Definition: decode.h:452
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:213
AlertJsonOutputCtx_
Definition: output-json-alert.c:102
CreateJSONHeader
json_t * CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type)
Definition: output-json.c:710
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:116
output-json-nfs.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
JsonHttpLogJSONBodyBase64
void JsonHttpLogJSONBodyBase64(json_t *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:475
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
JsonSMBAddMetadata
json_t * JsonSMBAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-smb.c:50
Signature_::rev
uint32_t rev
Definition: detect.h:557
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:539
util-classification-config.h
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json-alert.c:805
JsonNFSAddMetadata
json_t * JsonNFSAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-nfs.c:64
JsonAddCommonOptions
void JsonAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, json_t *js)
Definition: output-json.c:390
JsonAddFlow
void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
Definition: output-json-flow.c:180
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:558
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:186
output-json-alert.h
util-optimize.h
OutputRegisterPacketModule
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:172
threadvars.h
util-validate.h
output-json-dns.h
FlowGetAppProtocol
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1082
Packet_::root
struct Packet_ * root
Definition: decode.h:578
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:115
JsonAlertLogThread_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:113
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Signature_::id
uint32_t id
Definition: detect.h:555
JsonFTPDataAddMetadata
json_t * JsonFTPDataAddMetadata(const Flow *f)
Definition: app-layer-ftp.c:1433
DetectMetadata_::next
struct DetectMetadata_ * next
Definition: detect-metadata.h:36
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:434
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:90
detect-parse.h
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:84
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
JsonFiveTuple
void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
Add five tuple from packet to JSON object.
Definition: output-json.c:455
output-json-ssh.h
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:79
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:89
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:94
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:809
DNP3State_
Per flow DNP3 state.
Definition: app-layer-dnp3.h:260
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:244
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:88
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:54
PacketAlert_
Definition: decode.h:270
AlertJsonOutputCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json-alert.c:108
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
likely
#define likely(expr)
Definition: util-optimize.h:32
JsonEmailAddMetadata
json_t * JsonEmailAddMetadata(const Flow *f, uint32_t tx_id)
Definition: output-json-email-common.c:398
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:113
JsonDNSLogQuery
json_t * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:274
output-json-smtp.h
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1073
Signature_::msg
char * msg
Definition: detect.h:580
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4111
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:91
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:252
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:283
SCMutex
#define SCMutex
Definition: threads-debug.h:114
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
JsonDNSLogAnswer
json_t * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:291
debug.h
output.h
JsonHttpLogJSONBodyPrintable
void JsonHttpLogJSONBodyPrintable(json_t *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:440
Packet_::tunnel_mutex
SCMutex tunnel_mutex
Definition: decode.h:588
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:995
DNP3Transaction_
DNP3 transaction.
Definition: app-layer-dnp3.h:209
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:847
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843