suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "packet.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "stream.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 #include "stream-tcp.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-time.h"
41 
42 #include "detect-engine.h"
43 #include "detect-metadata.h"
44 #include "app-layer-parser.h"
45 #include "app-layer-htp-xff.h"
46 #include "app-layer-ftp.h"
47 #include "app-layer-frames.h"
48 #include "log-pcap.h"
49 
50 #include "output.h"
51 #include "output-json.h"
52 #include "output-json-alert.h"
53 #include "output-json-http.h"
54 #include "rust.h"
55 #include "output-json-smtp.h"
57 #include "output-json-nfs.h"
58 #include "output-json-smb.h"
59 #include "output-json-flow.h"
60 #include "output-json-ike.h"
61 #include "output-json-frame.h"
62 
63 #include "util-print.h"
64 #include "util-optimize.h"
65 #include "util-buffer.h"
66 #include "util-reference-config.h"
67 #include "util-validate.h"
68 
69 #include "action-globals.h"
70 
71 #define MODULE_NAME "JsonAlertLog"
72 
73 #define LOG_JSON_PAYLOAD BIT_U16(0)
74 #define LOG_JSON_PACKET BIT_U16(1)
75 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
76 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
77 #define LOG_JSON_APP_LAYER BIT_U16(4)
78 #define LOG_JSON_FLOW BIT_U16(5)
79 #define LOG_JSON_HTTP_BODY BIT_U16(6)
80 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
81 #define LOG_JSON_RULE_METADATA BIT_U16(8)
82 #define LOG_JSON_RULE BIT_U16(9)
83 #define LOG_JSON_VERDICT BIT_U16(10)
84 #define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)
85 #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
86 #define LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)
87 #define LOG_JSON_REFERENCE BIT_U16(14)
88 
89 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
90  LOG_JSON_APP_LAYER | \
91  LOG_JSON_RULE_METADATA)
92 
93 #define JSON_BODY_LOGGING \
94  (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD | \
95  LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)
96 
97 #define JSON_STREAM_BUFFER_SIZE 4096
98 
99 typedef struct AlertJsonOutputCtx_ {
101  uint16_t flags;
107 
108 typedef struct JsonAlertLogThread_ {
113 
114 static void AlertJsonSourceTarget(
115  const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, JsonAddrInfo *addr)
116 {
117  SCJbOpenObject(js, "source");
118  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
119  SCJbSetString(js, "ip", addr->src_ip);
120  switch (p->proto) {
121  case IPPROTO_ICMP:
122  case IPPROTO_ICMPV6:
123  break;
124  case IPPROTO_UDP:
125  case IPPROTO_TCP:
126  case IPPROTO_SCTP:
127  SCJbSetUint(js, "port", addr->sp);
128  break;
129  }
130  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
131  SCJbSetString(js, "ip", addr->dst_ip);
132  switch (p->proto) {
133  case IPPROTO_ICMP:
134  case IPPROTO_ICMPV6:
135  break;
136  case IPPROTO_UDP:
137  case IPPROTO_TCP:
138  case IPPROTO_SCTP:
139  SCJbSetUint(js, "port", addr->dp);
140  break;
141  }
142  }
143  SCJbClose(js);
144 
145  SCJbOpenObject(js, "target");
146  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
147  SCJbSetString(js, "ip", addr->dst_ip);
148  switch (p->proto) {
149  case IPPROTO_ICMP:
150  case IPPROTO_ICMPV6:
151  break;
152  case IPPROTO_UDP:
153  case IPPROTO_TCP:
154  case IPPROTO_SCTP:
155  SCJbSetUint(js, "port", addr->dp);
156  break;
157  }
158  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
159  SCJbSetString(js, "ip", addr->src_ip);
160  switch (p->proto) {
161  case IPPROTO_ICMP:
162  case IPPROTO_ICMPV6:
163  break;
164  case IPPROTO_UDP:
165  case IPPROTO_TCP:
166  case IPPROTO_SCTP:
167  SCJbSetUint(js, "port", addr->sp);
168  break;
169  }
170  }
171  SCJbClose(js);
172 }
173 
174 static void AlertJsonReference(const PacketAlert *pa, SCJsonBuilder *jb)
175 {
176  if (!pa->s->references) {
177  return;
178  }
179 
180  const DetectReference *kv = pa->s->references;
181  SCJbOpenArray(jb, "references");
182  while (kv) {
183  /* Note that the key and reference sizes have been bound
184  * checked during parsing
185  */
186  const size_t size_needed = kv->key_len + kv->reference_len + 1;
187  char kv_store[size_needed];
188  snprintf(kv_store, size_needed, "%s%s", kv->key, kv->reference);
189  SCJbAppendString(jb, kv_store);
190  kv = kv->next;
191  }
192  SCJbClose(jb);
193 }
194 
195 static void AlertJsonMetadata(const PacketAlert *pa, SCJsonBuilder *js)
196 {
197  if (pa->s->metadata && pa->s->metadata->json_str) {
198  SCJbSetFormatted(js, pa->s->metadata->json_str);
199  }
200 }
201 
202 void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags,
203  JsonAddrInfo *addr, char *xff_buffer)
204 {
205  const char *action = "allowed";
206  /* use packet action if rate_filter modified the action */
209  action = "blocked";
210  }
211  } else {
212  if (pa->action & ACTION_REJECT_ANY) {
213  action = "blocked";
214  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
215  action = "blocked";
216  }
217  }
218 
219  /* Add tx_id to root element for correlation with other events. */
220  /* json_object_del(js, "tx_id"); */
221  if (pa->flags & PACKET_ALERT_FLAG_TX) {
222  SCJbSetUint(js, "tx_id", pa->tx_id);
223  }
225  SCJbSetBool(js, "tx_guessed", true);
226  }
227 
228  SCJbOpenObject(js, "alert");
229 
230  SCJbSetString(js, "action", action);
231  SCJbSetUint(js, "gid", pa->s->gid);
232  SCJbSetUint(js, "signature_id", pa->s->id);
233  SCJbSetUint(js, "rev", pa->s->rev);
234  /* TODO: SCJsonBuilder should handle unprintable characters like
235  * SCJsonString. */
236  SCJbSetString(js, "signature", pa->s->msg ? pa->s->msg : "");
237  SCJbSetString(js, "category", pa->s->class_msg ? pa->s->class_msg : "");
238  SCJbSetUint(js, "severity", pa->s->prio);
239 
240  if (p->tenant_id > 0) {
241  SCJbSetUint(js, "tenant_id", p->tenant_id);
242  }
243 
244  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
245  AlertJsonSourceTarget(p, pa, js, addr);
246  }
247 
248  if ((flags & LOG_JSON_REFERENCE)) {
249  AlertJsonReference(pa, js);
250  }
251 
253  AlertJsonMetadata(pa, js);
254  }
255 
256  if (flags & LOG_JSON_RULE) {
257  SCJbSetString(js, "rule", pa->s->sig_str);
258  }
259  if (xff_buffer && xff_buffer[0]) {
260  SCJbSetString(js, "xff", xff_buffer);
261  }
262 
263  SCJbClose(js);
264 }
265 
266 static void AlertJsonTunnel(const Packet *p, SCJsonBuilder *js)
267 {
268  if (p->root == NULL) {
269  return;
270  }
271 
272  SCJbOpenObject(js, "tunnel");
273 
274  enum PktSrcEnum pkt_src;
275  uint64_t pcap_cnt;
277  JsonAddrInfoInit(p->root, 0, &addr);
278  pcap_cnt = p->root->pcap_cnt;
279  pkt_src = p->root->pkt_src;
280 
281  SCJbSetString(js, "src_ip", addr.src_ip);
282  SCJbSetUint(js, "src_port", addr.sp);
283  SCJbSetString(js, "dest_ip", addr.dst_ip);
284  SCJbSetUint(js, "dest_port", addr.dp);
285  SCJbSetString(js, "proto", addr.proto);
286 
287  SCJbSetUint(js, "depth", p->recursion_level);
288  if (pcap_cnt != 0) {
289  SCJbSetUint(js, "pcap_cnt", pcap_cnt);
290  }
291  SCJbSetString(js, "pkt_src", PktSrcToString(pkt_src));
292  SCJbClose(js);
293 }
294 
295 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, SCJsonBuilder *js, const Packet *p)
296 {
297  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
298  SCJbSetBase64(js, "payload", p->payload, p->payload_len);
299  }
300  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
301  SCJbSetUint(js, "payload_length", p->payload_len);
302  }
303 
304  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
305  uint8_t printable_buf[p->payload_len + 1];
306  uint32_t offset = 0;
307  PrintStringsToBuffer(printable_buf, &offset,
308  p->payload_len + 1,
309  p->payload, p->payload_len);
310  printable_buf[p->payload_len] = '\0';
311  SCJbSetString(js, "payload_printable", (char *)printable_buf);
312  }
313 }
314 
315 static void AlertAddAppLayer(
316  const Packet *p, SCJsonBuilder *jb, const uint64_t tx_id, const uint16_t option_flags)
317 {
318  const AppProto proto = FlowGetAppProtocol(p->flow);
320  SCJsonBuilderMark mark = { 0, 0, 0 };
321  if (al && al->LogTx) {
322  void *state = FlowGetAppState(p->flow);
323  if (state) {
324  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
325  if (tx) {
326  const int ts =
327  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
328  const int tc =
329  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
330  SCJbSetString(jb, "ts_progress",
331  AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
332  SCJbSetString(jb, "tc_progress",
333  AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
334  SCJbGetMark(jb, &mark);
335  switch (proto) {
336  // first check some protocols need special options for alerts logging
337  case ALPROTO_WEBSOCKET:
338  if (option_flags &
340  bool pp = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD) != 0;
341  bool pb64 = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD_BASE64) != 0;
342  if (!SCWebSocketLogDetails(tx, jb, pp, pb64)) {
343  SCJbRestoreMark(jb, &mark);
344  }
345  // nothing more to log or do
346  return;
347  }
348  }
349  if (!al->LogTx(tx, jb)) {
350  SCJbRestoreMark(jb, &mark);
351  }
352  }
353  }
354  return;
355  }
356  void *state = FlowGetAppState(p->flow);
357  if (state) {
358  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
359  if (tx) {
360  const int ts =
361  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
362  const int tc =
363  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
364  SCJbSetString(jb, "ts_progress",
365  AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
366  SCJbSetString(jb, "tc_progress",
367  AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
368  }
369  }
370  switch (proto) {
371  case ALPROTO_HTTP1:
372  // TODO: Could result in an empty http object being logged.
373  SCJbOpenObject(jb, "http");
374  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
375  if (option_flags & LOG_JSON_HTTP_BODY) {
376  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
377  }
378  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
379  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
380  }
381  }
382  SCJbClose(jb);
383  break;
384  case ALPROTO_SMTP:
385  SCJbGetMark(jb, &mark);
386  SCJbOpenObject(jb, "smtp");
387  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
388  SCJbClose(jb);
389  } else {
390  SCJbRestoreMark(jb, &mark);
391  }
392  SCJbGetMark(jb, &mark);
393  SCJbOpenObject(jb, "email");
394  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
395  SCJbClose(jb);
396  } else {
397  SCJbRestoreMark(jb, &mark);
398  }
399  break;
400  case ALPROTO_NFS:
401  /* rpc */
402  SCJbGetMark(jb, &mark);
403  SCJbOpenObject(jb, "rpc");
404  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
405  SCJbClose(jb);
406  } else {
407  SCJbRestoreMark(jb, &mark);
408  }
409  /* nfs */
410  SCJbGetMark(jb, &mark);
411  SCJbOpenObject(jb, "nfs");
412  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
413  SCJbClose(jb);
414  } else {
415  SCJbRestoreMark(jb, &mark);
416  }
417  break;
418  case ALPROTO_SMB:
419  SCJbGetMark(jb, &mark);
420  SCJbOpenObject(jb, "smb");
421  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
422  SCJbClose(jb);
423  } else {
424  SCJbRestoreMark(jb, &mark);
425  }
426  break;
427  case ALPROTO_IKE:
428  SCJbGetMark(jb, &mark);
429  if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
430  SCJbRestoreMark(jb, &mark);
431  }
432  break;
433  case ALPROTO_DCERPC: {
434  if (state) {
435  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
436  if (tx) {
437  SCJbGetMark(jb, &mark);
438  SCJbOpenObject(jb, "dcerpc");
439  if (p->proto == IPPROTO_TCP) {
440  if (!SCDcerpcLogJsonRecordTcp(state, tx, jb)) {
441  SCJbRestoreMark(jb, &mark);
442  }
443  } else {
444  if (!SCDcerpcLogJsonRecordUdp(state, tx, jb)) {
445  SCJbRestoreMark(jb, &mark);
446  }
447  }
448  SCJbClose(jb);
449  }
450  }
451  break;
452  }
453  default:
454  break;
455  }
456 }
457 
458 static void AlertAddFiles(const Packet *p, SCJsonBuilder *jb, const uint64_t tx_id)
459 {
460  const uint8_t direction =
461  (p->flowflags & FLOW_PKT_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT;
462  FileContainer *ffc = NULL;
463  if (p->flow->alstate != NULL) {
464  void *tx = AppLayerParserGetTx(p->flow->proto, p->flow->alproto, p->flow->alstate, tx_id);
465  if (tx) {
466  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, direction);
467  ffc = files.fc;
468  }
469  }
470  if (ffc != NULL) {
471  File *file = ffc->head;
472  bool isopen = false;
473  while (file) {
474  if (!isopen) {
475  isopen = true;
476  SCJbOpenArray(jb, "files");
477  }
478  SCJbStartObject(jb);
479  EveFileInfo(jb, file, tx_id, file->flags);
480  SCJbClose(jb);
481  file = file->next;
482  }
483  if (isopen) {
484  SCJbClose(jb);
485  }
486  }
487 }
488 
489 static void AlertAddFrame(
490  const Packet *p, const int64_t frame_id, SCJsonBuilder *jb, MemBuffer *buffer)
491 {
492  if (p->flow == NULL || (p->proto == IPPROTO_TCP && p->flow->protoctx == NULL))
493  return;
494 
495  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
496  if (frames_container == NULL)
497  return;
498 
499  Frames *frames = NULL;
500  TcpStream *stream = NULL;
501  if (p->proto == IPPROTO_TCP) {
502  TcpSession *ssn = p->flow->protoctx;
503  if (PKT_IS_TOSERVER(p)) {
504  stream = &ssn->client;
505  frames = &frames_container->toserver;
506  } else {
507  stream = &ssn->server;
508  frames = &frames_container->toclient;
509  }
510  Frame *frame = FrameGetById(frames, frame_id);
511  if (frame != NULL) {
512  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, buffer);
513  }
514  } else if (p->proto == IPPROTO_UDP) {
515  if (PKT_IS_TOSERVER(p)) {
516  frames = &frames_container->toserver;
517  } else {
518  frames = &frames_container->toclient;
519  }
520  Frame *frame = FrameGetById(frames, frame_id);
521  if (frame != NULL) {
522  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, buffer);
523  }
524  }
525 }
526 
527 /**
528  * \brief Build verdict object
529  *
530  * \param p Pointer to Packet current being logged
531  *
532  */
533 void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
534 {
535  SCJbOpenObject(jb, "verdict");
536 
537  /* add verdict info */
539  // check rule to define type of reject packet sent
540  if (EngineModeIsIPS()) {
541  JB_SET_STRING(jb, "action", "drop");
542  } else {
543  JB_SET_STRING(jb, "action", "alert");
544  }
546  JB_SET_STRING(jb, "reject-target", "to_client");
547  } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
548  JB_SET_STRING(jb, "reject-target", "to_server");
549  } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
550  JB_SET_STRING(jb, "reject-target", "both");
551  }
552  SCJbOpenArray(jb, "reject");
553  switch (p->proto) {
554  case IPPROTO_UDP:
555  case IPPROTO_ICMP:
556  case IPPROTO_ICMPV6:
557  SCJbAppendString(jb, "icmp-prohib");
558  break;
559  case IPPROTO_TCP:
560  SCJbAppendString(jb, "tcp-reset");
561  break;
562  }
563  SCJbClose(jb);
564 
565  } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) {
566  JB_SET_STRING(jb, "action", "drop");
567  } else if (PacketCheckAction(p, ACTION_ACCEPT)) {
568  JB_SET_STRING(jb, "action", "accept");
569  } else if (p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS) {
570  JB_SET_STRING(jb, "action", "pass");
571  } else {
572  // TODO make sure we don't have a situation where this wouldn't work
573  JB_SET_STRING(jb, "action", "alert");
574  }
575 
576  /* Close verdict */
577  SCJbClose(jb);
578 }
579 
582  uint64_t last_re;
583 };
584 
585 static int AlertJsonStreamDataCallback(
586  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
587 {
588  struct AlertJsonStreamDataCallbackData *cbd = cb_data;
589  if (input_offset > cbd->last_re) {
591  cbd->payload, "[%" PRIu64 " bytes missing]", input_offset - cbd->last_re);
592  }
593 
594  int done = 0;
595  uint32_t written = MemBufferWriteRaw(cbd->payload, input, input_len);
596  if (written < input_len)
597  done = 1;
598  cbd->last_re = input_offset + input_len;
599  return done;
600 }
601 
602 /** \internal
603  * \brief try to log stream data into payload/payload_printable
604  * \retval true stream data logged
605  * \retval false stream data not logged
606  */
607 static bool AlertJsonStreamData(const AlertJsonOutputCtx *json_output_ctx, JsonAlertLogThread *aft,
608  Flow *f, const Packet *p, SCJsonBuilder *jb)
609 {
610  TcpSession *ssn = f->protoctx;
611  TcpStream *stream = (PKT_IS_TOSERVER(p)) ? &ssn->client : &ssn->server;
612 
613  MemBufferReset(aft->payload_buffer);
615  .last_re = STREAM_BASE_OFFSET(stream) };
616  uint64_t unused = 0;
617  StreamReassembleLog(ssn, stream, AlertJsonStreamDataCallback, &cbd, STREAM_BASE_OFFSET(stream),
618  &unused, false);
619  if (cbd.payload->offset) {
620  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
621  SCJbSetBase64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
622  }
623  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
624  SCJbSetUint(jb, "payload_length", cbd.payload->offset);
625  }
626 
627  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
628  uint8_t printable_buf[cbd.payload->offset + 1];
629  uint32_t offset = 0;
630  PrintStringsToBuffer(printable_buf, &offset, cbd.payload->offset + 1,
631  cbd.payload->buffer, cbd.payload->offset);
632  SCJbSetString(jb, "payload_printable", (char *)printable_buf);
633  }
634  return true;
635  }
636  return false;
637 }
638 
639 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
640 {
641  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
642 
643  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
644  return TM_ECODE_OK;
645 
646  for (int i = 0; i < p->alerts.cnt; i++) {
647  const PacketAlert *pa = &p->alerts.alerts[i];
648  if (unlikely(pa->s == NULL)) {
649  continue;
650  }
651 
652  /* First initialize the address info (5-tuple). */
654  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
655 
656  /* Check for XFF, overwriting address info if needed. */
657  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ? json_output_ctx->xff_cfg
658  : json_output_ctx->parent_xff_cfg;
659  int have_xff_ip = 0;
660  char xff_buffer[XFF_MAXLEN];
661  xff_buffer[0] = 0;
662  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
663  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP1) {
664  if (pa->flags & PACKET_ALERT_FLAG_TX) {
665  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
666  xff_buffer, XFF_MAXLEN);
667  } else {
668  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
669  XFF_MAXLEN);
670  }
671  }
672 
673  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
674  if (p->flowflags & FLOW_PKT_TOCLIENT) {
675  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
676  } else {
677  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
678  }
679  /* Clear have_xff_ip so the xff field does not get
680  * logged below. */
681  have_xff_ip = false;
682  }
683  if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
684  // reset xff_buffer so as not to log it
685  xff_buffer[0] = 0;
686  }
687  }
688 
689  SCJsonBuilder *jb =
690  CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr, json_output_ctx->eve_ctx);
691  if (unlikely(jb == NULL))
692  return TM_ECODE_OK;
693 
694 
695  /* alert */
696  AlertJsonHeader(p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);
697 
698  if (PacketIsTunnel(p)) {
699  AlertJsonTunnel(p, jb);
700  }
701 
702  if (p->flow != NULL) {
703  if (pa->flags & PACKET_ALERT_FLAG_TX) {
704  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
705  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
706  }
707  /* including fileinfo data is configured by the metadata setting */
708  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
709  AlertAddFiles(p, jb, pa->tx_id);
710  }
711  }
712 
713  EveAddAppProto(p->flow, jb);
714 
715  if (p->flowflags & FLOW_PKT_TOSERVER) {
716  SCJbSetString(jb, "direction", "to_server");
717  } else {
718  SCJbSetString(jb, "direction", "to_client");
719  }
720 
721  if (json_output_ctx->flags & LOG_JSON_FLOW) {
722  SCJbOpenObject(jb, "flow");
723  EveAddFlow(p->flow, jb);
724  if (p->flowflags & FLOW_PKT_TOCLIENT) {
725  SCJbSetString(jb, "src_ip", addr.dst_ip);
726  SCJbSetString(jb, "dest_ip", addr.src_ip);
727  if (addr.sp > 0) {
728  SCJbSetUint(jb, "src_port", addr.dp);
729  SCJbSetUint(jb, "dest_port", addr.sp);
730  }
731  } else {
732  SCJbSetString(jb, "src_ip", addr.src_ip);
733  SCJbSetString(jb, "dest_ip", addr.dst_ip);
734  if (addr.sp > 0) {
735  SCJbSetUint(jb, "src_port", addr.sp);
736  SCJbSetUint(jb, "dest_port", addr.dp);
737  }
738  }
739  SCJbClose(jb);
740  }
741  }
742 
743  /* payload */
744  if (json_output_ctx->flags &
746  int stream = (p->proto == IPPROTO_TCP) ?
748  1 : 0) : 0;
749  // should be impossible, as stream implies flow
750  DEBUG_VALIDATE_BUG_ON(stream && p->flow == NULL);
751 
752  /* Is this a stream? If so, pack part of it into the payload field */
753  if (stream && p->flow != NULL) {
754  const bool stream_data_logged =
755  AlertJsonStreamData(json_output_ctx, aft, p->flow, p, jb);
756  if (!stream_data_logged && p->payload_len) {
757  /* Fallback on packet payload */
758  AlertAddPayload(json_output_ctx, jb, p);
759  }
760  } else {
761  /* This is a single packet and not a stream */
762  AlertAddPayload(json_output_ctx, jb, p);
763  }
764 
765  SCJbSetUint(jb, "stream", stream);
766  }
767 
768  if (pa->flags & PACKET_ALERT_FLAG_FRAME) {
769  AlertAddFrame(p, pa->frame_id, jb, aft->payload_buffer);
770  }
771 
772  /* base64-encoded full packet */
773  if (json_output_ctx->flags & LOG_JSON_PACKET) {
774  EvePacket(p, jb, 0);
775  }
776 
778  if (pcap_filename != NULL) {
779  SCJbSetString(jb, "capture_file", pcap_filename);
780  }
781 
782  if (json_output_ctx->flags & LOG_JSON_VERDICT) {
783  EveAddVerdict(jb, p);
784  }
785 
786  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
787  SCJbFree(jb);
788  }
789 
790  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
792  SCJsonBuilder *packetjs =
793  CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
794  if (unlikely(packetjs != NULL)) {
795  EvePacket(p, packetjs, 0);
796  OutputJsonBuilderBuffer(tv, p, p->flow, packetjs, aft->ctx);
797  SCJbFree(packetjs);
798  }
799  }
800 
801  return TM_ECODE_OK;
802 }
803 
804 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
805 {
806  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
807 
808  if (p->alerts.cnt == 0)
809  return TM_ECODE_OK;
810 
811  for (int i = 0; i < p->alerts.cnt; i++) {
812  const PacketAlert *pa = &p->alerts.alerts[i];
813  if (unlikely(pa->s == NULL)) {
814  continue;
815  }
816 
817  SCJsonBuilder *jb =
818  CreateEveHeader(p, LOG_DIR_PACKET, "alert", NULL, json_output_ctx->eve_ctx);
819  if (unlikely(jb == NULL))
820  return TM_ECODE_OK;
821 
822  AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
823 
824  if (PacketIsTunnel(p)) {
825  AlertJsonTunnel(p, jb);
826  }
827 
828  /* base64-encoded full packet */
829  if (json_output_ctx->flags & LOG_JSON_PACKET) {
830  EvePacket(p, jb, 0);
831  }
832 
834  if (pcap_filename != NULL) {
835  SCJbSetString(jb, "capture_file", pcap_filename);
836  }
837 
838  if (json_output_ctx->flags & LOG_JSON_VERDICT) {
839  EveAddVerdict(jb, p);
840  }
841 
842  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
843  SCJbFree(jb);
844  }
845 
846  return TM_ECODE_OK;
847 }
848 
849 static int JsonAlertFlush(ThreadVars *tv, void *thread_data, const Packet *p)
850 {
851  JsonAlertLogThread *aft = thread_data;
852  SCLogDebug("%s flushing %s", tv->name, ((LogFileCtx *)(aft->ctx->file_ctx))->filename);
853  OutputJsonFlush(aft->ctx);
854  return 0;
855 }
856 
857 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
858 {
859  JsonAlertLogThread *aft = thread_data;
860 
861  if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
862  return AlertJson(tv, aft, p);
863  } else if (p->alerts.cnt > 0) {
864  return AlertJsonDecoderEvent(tv, aft, p);
865  }
866  return 0;
867 }
868 
869 static bool JsonAlertLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
870 {
871  return (p->alerts.cnt || (p->flags & PKT_HAS_TAG));
872 }
873 
874 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
875 {
877  if (unlikely(aft == NULL))
878  return TM_ECODE_FAILED;
879 
880  if (initdata == NULL)
881  {
882  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
883  goto error_exit;
884  }
885 
886  /** Use the Output Context (file pointer and mutex) */
887  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
888 
889  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
890  if (aft->payload_buffer == NULL) {
891  goto error_exit;
892  }
893  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
894  if (!aft->ctx) {
895  goto error_exit;
896  }
897 
898  aft->json_output_ctx = json_output_ctx;
899 
900  *data = (void *)aft;
901  return TM_ECODE_OK;
902 
903 error_exit:
904  if (aft->payload_buffer != NULL) {
906  }
907  SCFree(aft);
908  return TM_ECODE_FAILED;
909 }
910 
911 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
912 {
913  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
914  if (aft == NULL) {
915  return TM_ECODE_OK;
916  }
917 
919  FreeEveThreadCtx(aft->ctx);
920 
921  /* clear memory */
922  memset(aft, 0, sizeof(JsonAlertLogThread));
923 
924  SCFree(aft);
925  return TM_ECODE_OK;
926 }
927 
928 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
929 {
930  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
931 
932  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
933 
934  if (json_output_ctx != NULL) {
935  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
936  if (xff_cfg != NULL) {
937  SCFree(xff_cfg);
938  }
939  SCFree(json_output_ctx);
940  }
941  SCFree(output_ctx);
942 }
943 
944 static void SetFlag(const SCConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
945 {
946  DEBUG_VALIDATE_BUG_ON(conf == NULL);
947  const char *setting = SCConfNodeLookupChildValue(conf, name);
948  if (setting != NULL) {
949  if (SCConfValIsTrue(setting)) {
950  *out_flags |= flag;
951  } else {
952  *out_flags &= ~flag;
953  }
954  }
955 }
956 
957 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx, SCConfNode *conf)
958 {
959  static bool warn_no_meta = false;
960  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
961  uint16_t flags = METADATA_DEFAULTS;
962 
963  if (conf != NULL) {
964  /* Check for metadata to enable/disable. */
965  SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
966  if (metadata != NULL) {
967  if (metadata->val != NULL && SCConfValIsFalse(metadata->val)) {
969  } else if (SCConfNodeHasChildren(metadata)) {
970  SCConfNode *rule_metadata = SCConfNodeLookupChild(metadata, "rule");
971  if (rule_metadata) {
972  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
973  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
974  &flags);
975  SetFlag(rule_metadata, "reference", LOG_JSON_REFERENCE, &flags);
976  }
977  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
978  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
979  }
980  }
981 
982  /* Non-metadata toggles. */
983  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
984  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
985  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
986  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
987  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
988  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
989  SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags);
990  SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags);
991  SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
992  SetFlag(conf, "payload-length", LOG_JSON_PAYLOAD_LENGTH, &flags);
993 
994  /* Check for obsolete flags and warn that they have no effect. */
995  static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",
996  "flow", NULL };
997  for (int i = 0; deprecated_flags[i] != NULL; i++) {
998  if (SCConfNodeLookupChildValue(conf, deprecated_flags[i]) != NULL) {
999  SCLogWarning("Found deprecated eve-log.alert flag \"%s\", this flag has no effect",
1000  deprecated_flags[i]);
1001  }
1002  }
1003 
1004  const char *payload_buffer_value = SCConfNodeLookupChildValue(conf, "payload-buffer-size");
1005 
1006  if (payload_buffer_value != NULL) {
1007  uint32_t value;
1008  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
1009  SCLogError("Error parsing "
1010  "payload-buffer-size - %s. Killing engine",
1011  payload_buffer_value);
1012  exit(EXIT_FAILURE);
1013  } else if (value == 0) {
1014  // you should not ask for payload if you want 0 of it
1015  SCLogError("Error payload-buffer-size should not be 0");
1016  exit(EXIT_FAILURE);
1017  } else {
1018  payload_buffer_size = value;
1019  }
1020  }
1021 
1022  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
1023  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
1024  SCLogWarning("HTTP body logging has been configured, however, "
1025  "metadata logging has not been enabled. HTTP body logging will be "
1026  "disabled.");
1028  warn_no_meta = true;
1029  }
1030  }
1031  }
1032 
1033  if (flags & LOG_JSON_RULE_METADATA) {
1035  }
1036 
1037  json_output_ctx->payload_buffer_size = payload_buffer_size;
1038  json_output_ctx->flags |= flags;
1039 }
1040 
1041 static HttpXFFCfg *JsonAlertLogGetXffCfg(SCConfNode *conf)
1042 {
1043  HttpXFFCfg *xff_cfg = NULL;
1044  if (conf != NULL && SCConfNodeLookupChild(conf, "xff") != NULL) {
1045  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1046  if (likely(xff_cfg != NULL)) {
1047  HttpXFFGetCfg(conf, xff_cfg);
1048  }
1049  }
1050  return xff_cfg;
1051 }
1052 
1053 /**
1054  * \brief Create a new LogFileCtx for "fast" output style.
1055  * \param conf The configuration node for this output.
1056  * \return A LogFileCtx pointer on success, NULL on failure.
1057  */
1058 static OutputInitResult JsonAlertLogInitCtxSub(SCConfNode *conf, OutputCtx *parent_ctx)
1059 {
1060  OutputInitResult result = { NULL, false };
1061  OutputJsonCtx *ajt = parent_ctx->data;
1062  AlertJsonOutputCtx *json_output_ctx = NULL;
1063 
1064  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1065  if (unlikely(output_ctx == NULL))
1066  return result;
1067 
1068  json_output_ctx = SCCalloc(1, sizeof(AlertJsonOutputCtx));
1069  if (unlikely(json_output_ctx == NULL)) {
1070  goto error;
1071  }
1072 
1073  json_output_ctx->file_ctx = ajt->file_ctx;
1074  json_output_ctx->eve_ctx = ajt;
1075 
1076  JsonAlertLogSetupMetadata(json_output_ctx, conf);
1077  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
1078  if (json_output_ctx->xff_cfg == NULL) {
1079  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
1080  }
1081 
1082  output_ctx->data = json_output_ctx;
1083  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1084 
1085  result.ctx = output_ctx;
1086  result.ok = true;
1087  return result;
1088 
1089 error:
1090  if (json_output_ctx != NULL) {
1091  SCFree(json_output_ctx);
1092  }
1093  if (output_ctx != NULL) {
1094  SCFree(output_ctx);
1095  }
1096 
1097  return result;
1098 }
1099 
1101 {
1102  OutputPacketLoggerFunctions output_logger_functions = {
1103  .LogFunc = JsonAlertLogger,
1104  .FlushFunc = JsonAlertFlush,
1105  .ConditionFunc = JsonAlertLogCondition,
1106  .ThreadInitFunc = JsonAlertLogThreadInit,
1107  .ThreadDeinitFunc = JsonAlertLogThreadDeinit,
1108  .ThreadExitPrintStatsFunc = NULL,
1109  };
1110 
1111  OutputRegisterPacketSubModule(LOGGER_JSON_ALERT, "eve-log", MODULE_NAME, "eve-log.alert",
1112  JsonAlertLogInitCtxSub, &output_logger_functions);
1113 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
PACKET_ALERT_FLAG_TX_GUESSED
#define PACKET_ALERT_FLAG_TX_GUESSED
Definition: decode.h:272
Packet_::proto
uint8_t proto
Definition: decode.h:514
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:993
TcpStream_
Definition: stream-tcp-private.h:106
FileContainer_
Definition: util-file.h:113
ts
uint64_t ts
Definition: source-erf-file.c:55
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:551
detect-engine.h
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:247
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
Signature_::sig_str
char * sig_str
Definition: detect.h:734
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
AppLayerParserGetStateNameById
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
Definition: app-layer-parser.c:1616
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
EveAddFlow
void EveAddFlow(Flow *f, SCJsonBuilder *js)
Definition: output-json-flow.c:198
stream-tcp.h
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:262
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:391
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:82
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:270
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:617
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:100
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:104
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:378
EveAddAppProto
void EveAddAppProto(Flow *f, SCJsonBuilder *js)
Definition: output-json-flow.c:178
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
AlertJsonStreamDataCallbackData::last_re
uint64_t last_re
Definition: output-json-alert.c:582
Packet_::payload
uint8_t * payload
Definition: decode.h:596
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:281
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:285
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1086
action-globals.h
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
Packet_::flags
uint32_t flags
Definition: decode.h:535
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:834
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:497
OutputJsonCtx_
Definition: output-json.h:75
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:356
LogFileCtx_
Definition: util-logopenfile.h:72
output-json-frame.h
AlertJsonHeader
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
Definition: output-json-alert.c:202
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:284
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
AlertJsonStreamDataCallbackData::payload
MemBuffer * payload
Definition: output-json-alert.c:581
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
rust.h
Frames
Definition: app-layer-frames.h:60
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:38
FramesContainer
Definition: app-layer-frames.h:73
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:576
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:999
proto
uint8_t proto
Definition: decode-template.h:0
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
AlertJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-alert.c:105
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:523
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
Flow_::protoctx
void * protoctx
Definition: flow.h:441
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:597
SCConfNodeHasChildren
bool SCConfNodeHasChildren(const SCConfNode *node)
Check if a node has any children.
Definition: conf.c:777
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:611
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-http.c:495
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PcapLogGetFilename
char * PcapLogGetFilename(void)
Definition: log-pcap.c:1822
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:872
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:248
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-smb.c:34
OutputCtx_
Definition: tm-modules.h:84
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:245
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:93
OutputJsonThreadCtx_
Definition: output-json.h:83
Signature_::gid
uint32_t gid
Definition: detect.h:703
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:470
EveIKEAddMetadata
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-ike.c:65
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
JsonAlertLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-alert.c:111
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-smtp.c:96
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:26
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:71
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:77
LOG_JSON_WEBSOCKET_PAYLOAD
#define LOG_JSON_WEBSOCKET_PAYLOAD
Definition: output-json-alert.c:84
output-json.h
FrameGetById
Frame * FrameGetById(Frames *frames, const int64_t id)
Definition: app-layer-frames.c:124
DetectReference_::key_len
uint16_t key_len
Definition: detect-reference.h:40
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:73
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
PktSrcEnum
PktSrcEnum
Definition: decode.h:51
util-reference-config.h
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:101
EveAddVerdict
void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
Build verdict object.
Definition: output-json-alert.c:533
util-print.h
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-nfs.c:62
Signature_::references
DetectReference * references
Definition: detect.h:730
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-nfs.c:50
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:827
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:250
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:108
DetectReference_
Signature reference list.
Definition: detect-reference.h:30
SCEveJsonSimpleGetLogger
EveJsonSimpleAppLayerLogger * SCEveJsonSimpleGetLogger(AppProto alproto)
Definition: output.c:866
Signature_::flags
uint32_t flags
Definition: detect.h:658
stream.h
DetectReference_::reference_len
uint16_t reference_len
Definition: detect-reference.h:41
JsonAddrInfo_
Definition: output-json.h:41
Packet_
Definition: decode.h:492
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:182
DetectReference_::reference
char * reference
Definition: detect-reference.h:34
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:97
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:75
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:287
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
LOG_JSON_PAYLOAD_LENGTH
#define LOG_JSON_PAYLOAD_LENGTH
Definition: output-json-alert.c:86
TmEcode
TmEcode
Definition: tm-threads-common.h:80
name
const char * name
Definition: tm-threads.c:2123
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:283
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:85
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:102
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:425
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:234
EveJsonSimpleAppLayerLogger
Definition: output-eve-bindgen.h:40
DetectReference_::next
struct DetectReference_ * next
Definition: detect-reference.h:43
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:76
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1108
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:103
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:264
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:270
log-pcap.h
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:249
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
Signature_::class_msg
char * class_msg
Definition: detect.h:728
PacketAlert_::flags
uint8_t flags
Definition: decode.h:246
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:80
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
File_
Definition: util-file.h:79
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:537
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:656
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-email-common.c:195
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
Definition: output-json-alert.c:85
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
pcap_filename
char pcap_filename[PATH_MAX]
Definition: source-pcap-file-helper.c:116
EveJsonSimpleAppLayerLogger::LogTx
EveJsonSimpleTxLogFunc LogTx
Definition: output-eve-bindgen.h:41
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
AlertJsonOutputCtx_
Definition: output-json-alert.c:99
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:110
output-json-nfs.h
packet.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:86
LOG_JSON_VERDICT
#define LOG_JSON_VERDICT
Definition: output-json-alert.c:83
File_::next
struct File_ * next
Definition: util-file.h:92
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
OutputPacketLoggerFunctions_::LogFunc
PacketLogger LogFunc
Definition: output.h:88
Signature_::rev
uint32_t rev
Definition: detect.h:704
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
Definition: output.c:212
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:705
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:173
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
Packet_::root
struct Packet_ * root
Definition: decode.h:644
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
#define PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
Definition: decode.h:268
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:732
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:262
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:420
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:109
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:602
DetectReference_::key
char * key
Definition: detect-reference.h:32
util-logopenfile.h
Flow_::alstate
void * alstate
Definition: flow.h:479
Signature_::id
uint32_t id
Definition: detect.h:702
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:517
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:80
output-json-ike.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, SCJsonBuilder *jb, MemBuffer *buffer)
log a single frame
Definition: output-json-frame.c:253
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:74
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:266
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:79
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:89
ACTION_ACCEPT
#define ACTION_ACCEPT
Definition: action-globals.h:36
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:234
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:78
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
PacketAlert_
Definition: decode.h:243
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:130
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1217
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:116
output-json-smtp.h
TcpSession_
Definition: stream-tcp-private.h:283
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1245
Signature_::msg
char * msg
Definition: detect.h:725
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4936
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
StreamReassembleLog
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
Definition: stream-tcp-reassemble.c:1970
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:37
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:81
OutputPacketLoggerFunctions_
Definition: output.h:87
SCConfNode_::val
char * val
Definition: conf.h:39
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
LOG_JSON_REFERENCE
#define LOG_JSON_REFERENCE
Definition: output-json-alert.c:87
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1100
AlertJsonStreamDataCallbackData
Definition: output-json-alert.c:580