suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "packet.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "stream.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 #include "stream-tcp.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-time.h"
41 
42 #include "detect-engine.h"
43 #include "detect-metadata.h"
44 #include "app-layer-parser.h"
45 #include "app-layer-dnp3.h"
46 #include "app-layer-htp-xff.h"
47 #include "app-layer-ftp.h"
48 #include "app-layer-frames.h"
49 #include "log-pcap.h"
50 
51 #include "output.h"
52 #include "output-json.h"
53 #include "output-json-alert.h"
54 #include "output-json-dnp3.h"
55 #include "output-json-dns.h"
56 #include "output-json-http.h"
57 #include "output-json-tls.h"
58 #include "rust.h"
59 #include "output-json-smtp.h"
61 #include "output-json-nfs.h"
62 #include "output-json-smb.h"
63 #include "output-json-flow.h"
64 #include "output-json-mqtt.h"
65 #include "output-json-ike.h"
66 #include "output-json-frame.h"
67 
68 #include "util-print.h"
69 #include "util-optimize.h"
70 #include "util-buffer.h"
71 #include "util-validate.h"
72 
73 #include "action-globals.h"
74 
75 #define MODULE_NAME "JsonAlertLog"
76 
77 #define LOG_JSON_PAYLOAD BIT_U16(0)
78 #define LOG_JSON_PACKET BIT_U16(1)
79 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
80 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
81 #define LOG_JSON_APP_LAYER BIT_U16(4)
82 #define LOG_JSON_FLOW BIT_U16(5)
83 #define LOG_JSON_HTTP_BODY BIT_U16(6)
84 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
85 #define LOG_JSON_RULE_METADATA BIT_U16(8)
86 #define LOG_JSON_RULE BIT_U16(9)
87 #define LOG_JSON_VERDICT BIT_U16(10)
88 #define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)
89 #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
90 
91 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
92  LOG_JSON_APP_LAYER | \
93  LOG_JSON_RULE_METADATA)
94 
95 #define JSON_BODY_LOGGING \
96  (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD | \
97  LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)
98 
99 #define JSON_STREAM_BUFFER_SIZE 4096
100 
101 typedef struct AlertJsonOutputCtx_ {
103  uint16_t flags;
109 
110 typedef struct JsonAlertLogThread_ {
115 
116 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
117  JsonBuilder *js, JsonAddrInfo *addr)
118 {
119  jb_open_object(js, "source");
120  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
121  jb_set_string(js, "ip", addr->src_ip);
122  switch (p->proto) {
123  case IPPROTO_ICMP:
124  case IPPROTO_ICMPV6:
125  break;
126  case IPPROTO_UDP:
127  case IPPROTO_TCP:
128  case IPPROTO_SCTP:
129  jb_set_uint(js, "port", addr->sp);
130  break;
131  }
132  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
133  jb_set_string(js, "ip", addr->dst_ip);
134  switch (p->proto) {
135  case IPPROTO_ICMP:
136  case IPPROTO_ICMPV6:
137  break;
138  case IPPROTO_UDP:
139  case IPPROTO_TCP:
140  case IPPROTO_SCTP:
141  jb_set_uint(js, "port", addr->dp);
142  break;
143  }
144  }
145  jb_close(js);
146 
147  jb_open_object(js, "target");
148  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
149  jb_set_string(js, "ip", addr->dst_ip);
150  switch (p->proto) {
151  case IPPROTO_ICMP:
152  case IPPROTO_ICMPV6:
153  break;
154  case IPPROTO_UDP:
155  case IPPROTO_TCP:
156  case IPPROTO_SCTP:
157  jb_set_uint(js, "port", addr->dp);
158  break;
159  }
160  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
161  jb_set_string(js, "ip", addr->src_ip);
162  switch (p->proto) {
163  case IPPROTO_ICMP:
164  case IPPROTO_ICMPV6:
165  break;
166  case IPPROTO_UDP:
167  case IPPROTO_TCP:
168  case IPPROTO_SCTP:
169  jb_set_uint(js, "port", addr->sp);
170  break;
171  }
172  }
173  jb_close(js);
174 }
175 
176 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
177  const PacketAlert *pa, JsonBuilder *js)
178 {
179  if (pa->s->metadata && pa->s->metadata->json_str) {
180  jb_set_formatted(js, pa->s->metadata->json_str);
181  }
182 }
183 
184 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js,
185  uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
186 {
187  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
188  const char *action = "allowed";
189  /* use packet action if rate_filter modified the action */
192  action = "blocked";
193  }
194  } else {
195  if (pa->action & ACTION_REJECT_ANY) {
196  action = "blocked";
197  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
198  action = "blocked";
199  }
200  }
201 
202  /* Add tx_id to root element for correlation with other events. */
203  /* json_object_del(js, "tx_id"); */
204  if (pa->flags & PACKET_ALERT_FLAG_TX) {
205  jb_set_uint(js, "tx_id", pa->tx_id);
206  }
207 
208  jb_open_object(js, "alert");
209 
210  jb_set_string(js, "action", action);
211  jb_set_uint(js, "gid", pa->s->gid);
212  jb_set_uint(js, "signature_id", pa->s->id);
213  jb_set_uint(js, "rev", pa->s->rev);
214  /* TODO: JsonBuilder should handle unprintable characters like
215  * SCJsonString. */
216  jb_set_string(js, "signature", pa->s->msg ? pa->s->msg: "");
217  jb_set_string(js, "category", pa->s->class_msg ? pa->s->class_msg: "");
218  jb_set_uint(js, "severity", pa->s->prio);
219 
220  if (p->tenant_id > 0) {
221  jb_set_uint(js, "tenant_id", p->tenant_id);
222  }
223 
224  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
225  AlertJsonSourceTarget(p, pa, js, addr);
226  }
227 
228  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
229  AlertJsonMetadata(json_output_ctx, pa, js);
230  }
231 
232  if (flags & LOG_JSON_RULE) {
233  jb_set_string(js, "rule", pa->s->sig_str);
234  }
235  if (xff_buffer && xff_buffer[0]) {
236  jb_set_string(js, "xff", xff_buffer);
237  }
238 
239  jb_close(js);
240 }
241 
242 static void AlertJsonTunnel(const Packet *p, JsonBuilder *js)
243 {
244  if (p->root == NULL) {
245  return;
246  }
247 
248  jb_open_object(js, "tunnel");
249 
250  enum PktSrcEnum pkt_src;
251  uint64_t pcap_cnt;
253  JsonAddrInfoInit(p->root, 0, &addr);
254  pcap_cnt = p->root->pcap_cnt;
255  pkt_src = p->root->pkt_src;
256 
257  jb_set_string(js, "src_ip", addr.src_ip);
258  jb_set_uint(js, "src_port", addr.sp);
259  jb_set_string(js, "dest_ip", addr.dst_ip);
260  jb_set_uint(js, "dest_port", addr.dp);
261  jb_set_string(js, "proto", addr.proto);
262 
263  jb_set_uint(js, "depth", p->recursion_level);
264  if (pcap_cnt != 0) {
265  jb_set_uint(js, "pcap_cnt", pcap_cnt);
266  }
267  jb_set_string(js, "pkt_src", PktSrcToString(pkt_src));
268  jb_close(js);
269 }
270 
271 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js, const Packet *p)
272 {
273  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
274  jb_set_base64(js, "payload", p->payload, p->payload_len);
275  }
276 
277  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
278  uint8_t printable_buf[p->payload_len + 1];
279  uint32_t offset = 0;
280  PrintStringsToBuffer(printable_buf, &offset,
281  p->payload_len + 1,
282  p->payload, p->payload_len);
283  printable_buf[p->payload_len] = '\0';
284  jb_set_string(js, "payload_printable", (char *)printable_buf);
285  }
286 }
287 
288 static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
289  const uint64_t tx_id, const uint16_t option_flags)
290 {
291  const AppProto proto = FlowGetAppProtocol(p->flow);
293  JsonBuilderMark mark = { 0, 0, 0 };
294  if (al && al->LogTx) {
295  void *state = FlowGetAppState(p->flow);
296  if (state) {
297  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
298  if (tx) {
299  jb_get_mark(jb, &mark);
300  switch (proto) {
301  // first check some protocols need special options for alerts logging
302  case ALPROTO_WEBSOCKET:
303  if (option_flags &
305  bool pp = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD) != 0;
306  bool pb64 = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD_BASE64) != 0;
307  if (!SCWebSocketLogDetails(tx, jb, pp, pb64)) {
308  jb_restore_mark(jb, &mark);
309  }
310  // nothing more to log or do
311  return;
312  }
313  }
314  if (!al->LogTx(tx, jb)) {
315  jb_restore_mark(jb, &mark);
316  }
317  }
318  }
319  return;
320  }
321  switch (proto) {
322  case ALPROTO_HTTP1:
323  // TODO: Could result in an empty http object being logged.
324  jb_open_object(jb, "http");
325  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
326  if (option_flags & LOG_JSON_HTTP_BODY) {
327  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
328  }
329  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
330  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
331  }
332  }
333  jb_close(jb);
334  break;
335  case ALPROTO_SMTP:
336  jb_get_mark(jb, &mark);
337  jb_open_object(jb, "smtp");
338  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
339  jb_close(jb);
340  } else {
341  jb_restore_mark(jb, &mark);
342  }
343  jb_get_mark(jb, &mark);
344  jb_open_object(jb, "email");
345  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
346  jb_close(jb);
347  } else {
348  jb_restore_mark(jb, &mark);
349  }
350  break;
351  case ALPROTO_NFS:
352  /* rpc */
353  jb_get_mark(jb, &mark);
354  jb_open_object(jb, "rpc");
355  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
356  jb_close(jb);
357  } else {
358  jb_restore_mark(jb, &mark);
359  }
360  /* nfs */
361  jb_get_mark(jb, &mark);
362  jb_open_object(jb, "nfs");
363  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
364  jb_close(jb);
365  } else {
366  jb_restore_mark(jb, &mark);
367  }
368  break;
369  case ALPROTO_SMB:
370  jb_get_mark(jb, &mark);
371  jb_open_object(jb, "smb");
372  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
373  jb_close(jb);
374  } else {
375  jb_restore_mark(jb, &mark);
376  }
377  break;
378  case ALPROTO_IKE:
379  jb_get_mark(jb, &mark);
380  if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
381  jb_restore_mark(jb, &mark);
382  }
383  break;
384  default:
385  break;
386  }
387 }
388 
389 static void AlertAddFiles(const Packet *p, JsonBuilder *jb, const uint64_t tx_id)
390 {
391  const uint8_t direction =
392  (p->flowflags & FLOW_PKT_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT;
393  FileContainer *ffc = NULL;
394  if (p->flow->alstate != NULL) {
395  void *tx = AppLayerParserGetTx(p->flow->proto, p->flow->alproto, p->flow->alstate, tx_id);
396  if (tx) {
397  AppLayerGetFileState files =
398  AppLayerParserGetTxFiles(p->flow, p->flow->alstate, tx, direction);
399  ffc = files.fc;
400  }
401  }
402  if (ffc != NULL) {
403  File *file = ffc->head;
404  bool isopen = false;
405  while (file) {
406  if (!isopen) {
407  isopen = true;
408  jb_open_array(jb, "files");
409  }
410  jb_start_object(jb);
411  EveFileInfo(jb, file, tx_id, file->flags);
412  jb_close(jb);
413  file = file->next;
414  }
415  if (isopen) {
416  jb_close(jb);
417  }
418  }
419 }
420 
421 static void AlertAddFrame(
422  const Packet *p, const int64_t frame_id, JsonBuilder *jb, MemBuffer *buffer)
423 {
424  if (p->flow == NULL || (p->proto == IPPROTO_TCP && p->flow->protoctx == NULL))
425  return;
426 
427  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
428  if (frames_container == NULL)
429  return;
430 
431  Frames *frames = NULL;
432  TcpStream *stream = NULL;
433  if (p->proto == IPPROTO_TCP) {
434  TcpSession *ssn = p->flow->protoctx;
435  if (PKT_IS_TOSERVER(p)) {
436  stream = &ssn->client;
437  frames = &frames_container->toserver;
438  } else {
439  stream = &ssn->server;
440  frames = &frames_container->toclient;
441  }
442  Frame *frame = FrameGetById(frames, frame_id);
443  if (frame != NULL) {
444  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, buffer);
445  }
446  } else if (p->proto == IPPROTO_UDP) {
447  if (PKT_IS_TOSERVER(p)) {
448  frames = &frames_container->toserver;
449  } else {
450  frames = &frames_container->toclient;
451  }
452  Frame *frame = FrameGetById(frames, frame_id);
453  if (frame != NULL) {
454  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, buffer);
455  }
456  }
457 }
458 
459 /**
460  * \brief Build verdict object
461  *
462  * \param p Pointer to Packet current being logged
463  *
464  */
465 void EveAddVerdict(JsonBuilder *jb, const Packet *p)
466 {
467  jb_open_object(jb, "verdict");
468 
469  /* add verdict info */
471  // check rule to define type of reject packet sent
472  if (EngineModeIsIPS()) {
473  JB_SET_STRING(jb, "action", "drop");
474  } else {
475  JB_SET_STRING(jb, "action", "alert");
476  }
478  JB_SET_STRING(jb, "reject-target", "to_client");
479  } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
480  JB_SET_STRING(jb, "reject-target", "to_server");
481  } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
482  JB_SET_STRING(jb, "reject-target", "both");
483  }
484  jb_open_array(jb, "reject");
485  switch (p->proto) {
486  case IPPROTO_UDP:
487  case IPPROTO_ICMP:
488  case IPPROTO_ICMPV6:
489  jb_append_string(jb, "icmp-prohib");
490  break;
491  case IPPROTO_TCP:
492  jb_append_string(jb, "tcp-reset");
493  break;
494  }
495  jb_close(jb);
496 
497  } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) {
498  JB_SET_STRING(jb, "action", "drop");
499  } else if (p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS) {
500  JB_SET_STRING(jb, "action", "pass");
501  } else {
502  // TODO make sure we don't have a situation where this wouldn't work
503  JB_SET_STRING(jb, "action", "alert");
504  }
505 
506  /* Close verdict */
507  jb_close(jb);
508 }
509 
512  uint64_t last_re;
513 };
514 
515 static int AlertJsonStreamDataCallback(
516  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
517 {
518  struct AlertJsonStreamDataCallbackData *cbd = cb_data;
519  if (input_offset > cbd->last_re) {
521  cbd->payload, "[%" PRIu64 " bytes missing]", input_offset - cbd->last_re);
522  }
523 
524  int done = 0;
525  uint32_t written = MemBufferWriteRaw(cbd->payload, input, input_len);
526  if (written < input_len)
527  done = 1;
528  cbd->last_re = input_offset + input_len;
529  return done;
530 }
531 
532 /** \internal
533  * \brief try to log stream data into payload/payload_printable
534  * \retval true stream data logged
535  * \retval false stream data not logged
536  */
537 static bool AlertJsonStreamData(const AlertJsonOutputCtx *json_output_ctx, JsonAlertLogThread *aft,
538  Flow *f, const Packet *p, JsonBuilder *jb)
539 {
540  TcpSession *ssn = f->protoctx;
541  TcpStream *stream = (PKT_IS_TOSERVER(p)) ? &ssn->client : &ssn->server;
542 
543  MemBufferReset(aft->payload_buffer);
545  .last_re = STREAM_BASE_OFFSET(stream) };
546  uint64_t unused = 0;
547  StreamReassembleLog(ssn, stream, AlertJsonStreamDataCallback, &cbd, STREAM_BASE_OFFSET(stream),
548  &unused, false);
549  if (cbd.payload->offset) {
550  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
551  jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
552  }
553 
554  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
555  uint8_t printable_buf[cbd.payload->offset + 1];
556  uint32_t offset = 0;
557  PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer,
558  cbd.payload->offset);
559  jb_set_string(jb, "payload_printable", (char *)printable_buf);
560  }
561  return true;
562  }
563  return false;
564 }
565 
566 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
567 {
568  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
569 
570  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
571  return TM_ECODE_OK;
572 
573  for (int i = 0; i < p->alerts.cnt; i++) {
574  const PacketAlert *pa = &p->alerts.alerts[i];
575  if (unlikely(pa->s == NULL)) {
576  continue;
577  }
578 
579  /* First initialize the address info (5-tuple). */
581  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
582 
583  /* Check for XFF, overwriting address info if needed. */
584  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ? json_output_ctx->xff_cfg
585  : json_output_ctx->parent_xff_cfg;
586  int have_xff_ip = 0;
587  char xff_buffer[XFF_MAXLEN];
588  xff_buffer[0] = 0;
589  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
590  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP1) {
591  if (pa->flags & PACKET_ALERT_FLAG_TX) {
592  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
593  xff_buffer, XFF_MAXLEN);
594  } else {
595  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
596  XFF_MAXLEN);
597  }
598  }
599 
600  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
601  if (p->flowflags & FLOW_PKT_TOCLIENT) {
602  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
603  } else {
604  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
605  }
606  /* Clear have_xff_ip so the xff field does not get
607  * logged below. */
608  have_xff_ip = false;
609  }
610  if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
611  // reset xff_buffer so as not to log it
612  xff_buffer[0] = 0;
613  }
614  }
615 
616  JsonBuilder *jb =
617  CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr, json_output_ctx->eve_ctx);
618  if (unlikely(jb == NULL))
619  return TM_ECODE_OK;
620 
621 
622  /* alert */
623  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);
624 
625  if (PacketIsTunnel(p)) {
626  AlertJsonTunnel(p, jb);
627  }
628 
629  if (p->flow != NULL) {
630  if (pa->flags & PACKET_ALERT_FLAG_TX) {
631  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
632  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
633  }
634  /* including fileinfo data is configured by the metadata setting */
635  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
636  AlertAddFiles(p, jb, pa->tx_id);
637  }
638  }
639 
640  EveAddAppProto(p->flow, jb);
641 
642  if (p->flowflags & FLOW_PKT_TOSERVER) {
643  jb_set_string(jb, "direction", "to_server");
644  } else {
645  jb_set_string(jb, "direction", "to_client");
646  }
647 
648  if (json_output_ctx->flags & LOG_JSON_FLOW) {
649  jb_open_object(jb, "flow");
650  EveAddFlow(p->flow, jb);
651  if (p->flowflags & FLOW_PKT_TOCLIENT) {
652  jb_set_string(jb, "src_ip", addr.dst_ip);
653  jb_set_string(jb, "dest_ip", addr.src_ip);
654  if (addr.sp > 0) {
655  jb_set_uint(jb, "src_port", addr.dp);
656  jb_set_uint(jb, "dest_port", addr.sp);
657  }
658  } else {
659  jb_set_string(jb, "src_ip", addr.src_ip);
660  jb_set_string(jb, "dest_ip", addr.dst_ip);
661  if (addr.sp > 0) {
662  jb_set_uint(jb, "src_port", addr.sp);
663  jb_set_uint(jb, "dest_port", addr.dp);
664  }
665  }
666  jb_close(jb);
667  }
668  }
669 
670  /* payload */
671  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
672  int stream = (p->proto == IPPROTO_TCP) ?
674  1 : 0) : 0;
675  // should be impossible, as stream implies flow
676  DEBUG_VALIDATE_BUG_ON(stream && p->flow == NULL);
677 
678  /* Is this a stream? If so, pack part of it into the payload field */
679  if (stream && p->flow != NULL) {
680  const bool stream_data_logged =
681  AlertJsonStreamData(json_output_ctx, aft, p->flow, p, jb);
682  if (!stream_data_logged && p->payload_len) {
683  /* Fallback on packet payload */
684  AlertAddPayload(json_output_ctx, jb, p);
685  }
686  } else {
687  /* This is a single packet and not a stream */
688  AlertAddPayload(json_output_ctx, jb, p);
689  }
690 
691  jb_set_uint(jb, "stream", stream);
692  }
693 
694  if (pa->flags & PACKET_ALERT_FLAG_FRAME) {
695  AlertAddFrame(p, pa->frame_id, jb, aft->payload_buffer);
696  }
697 
698  /* base64-encoded full packet */
699  if (json_output_ctx->flags & LOG_JSON_PACKET) {
700  EvePacket(p, jb, 0);
701  }
702 
704  if (pcap_filename != NULL) {
705  jb_set_string(jb, "capture_file", pcap_filename);
706  }
707 
708  if (json_output_ctx->flags & LOG_JSON_VERDICT) {
709  EveAddVerdict(jb, p);
710  }
711 
712  OutputJsonBuilderBuffer(jb, aft->ctx);
713  jb_free(jb);
714  }
715 
716  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
718  JsonBuilder *packetjs =
719  CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
720  if (unlikely(packetjs != NULL)) {
721  EvePacket(p, packetjs, 0);
722  OutputJsonBuilderBuffer(packetjs, aft->ctx);
723  jb_free(packetjs);
724  }
725  }
726 
727  return TM_ECODE_OK;
728 }
729 
730 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
731 {
732  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
733  char timebuf[64];
734 
735  if (p->alerts.cnt == 0)
736  return TM_ECODE_OK;
737 
738  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
739 
740  for (int i = 0; i < p->alerts.cnt; i++) {
741  const PacketAlert *pa = &p->alerts.alerts[i];
742  if (unlikely(pa->s == NULL)) {
743  continue;
744  }
745 
746  JsonBuilder *jb = jb_new_object();
747  if (unlikely(jb == NULL)) {
748  return TM_ECODE_OK;
749  }
750 
751  /* just the timestamp, no tuple */
752  jb_set_string(jb, "timestamp", timebuf);
753 
754  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL, NULL);
755 
756  OutputJsonBuilderBuffer(jb, aft->ctx);
757  jb_free(jb);
758  }
759 
760  return TM_ECODE_OK;
761 }
762 
763 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
764 {
765  JsonAlertLogThread *aft = thread_data;
766 
767  if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
768  return AlertJson(tv, aft, p);
769  } else if (p->alerts.cnt > 0) {
770  return AlertJsonDecoderEvent(tv, aft, p);
771  }
772  return 0;
773 }
774 
775 static bool JsonAlertLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
776 {
777  return (p->alerts.cnt || (p->flags & PKT_HAS_TAG));
778 }
779 
780 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
781 {
783  if (unlikely(aft == NULL))
784  return TM_ECODE_FAILED;
785 
786  if (initdata == NULL)
787  {
788  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
789  goto error_exit;
790  }
791 
792  /** Use the Output Context (file pointer and mutex) */
793  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
794 
795  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
796  if (aft->payload_buffer == NULL) {
797  goto error_exit;
798  }
799  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
800  if (!aft->ctx) {
801  goto error_exit;
802  }
803 
804  aft->json_output_ctx = json_output_ctx;
805 
806  *data = (void *)aft;
807  return TM_ECODE_OK;
808 
809 error_exit:
810  if (aft->payload_buffer != NULL) {
812  }
813  SCFree(aft);
814  return TM_ECODE_FAILED;
815 }
816 
817 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
818 {
819  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
820  if (aft == NULL) {
821  return TM_ECODE_OK;
822  }
823 
825  FreeEveThreadCtx(aft->ctx);
826 
827  /* clear memory */
828  memset(aft, 0, sizeof(JsonAlertLogThread));
829 
830  SCFree(aft);
831  return TM_ECODE_OK;
832 }
833 
834 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
835 {
836  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
837 
838  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
839 
840  if (json_output_ctx != NULL) {
841  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
842  if (xff_cfg != NULL) {
843  SCFree(xff_cfg);
844  }
845  SCFree(json_output_ctx);
846  }
847  SCFree(output_ctx);
848 }
849 
850 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
851 {
852  DEBUG_VALIDATE_BUG_ON(conf == NULL);
853  const char *setting = ConfNodeLookupChildValue(conf, name);
854  if (setting != NULL) {
855  if (ConfValIsTrue(setting)) {
856  *out_flags |= flag;
857  } else {
858  *out_flags &= ~flag;
859  }
860  }
861 }
862 
863 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
864  ConfNode *conf)
865 {
866  static bool warn_no_meta = false;
867  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
868  uint16_t flags = METADATA_DEFAULTS;
869 
870  if (conf != NULL) {
871  /* Check for metadata to enable/disable. */
872  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
873  if (metadata != NULL) {
874  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
876  } else if (ConfNodeHasChildren(metadata)) {
877  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
878  if (rule_metadata) {
879  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
880  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
881  &flags);
882  }
883  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
884  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
885  }
886  }
887 
888  /* Non-metadata toggles. */
889  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
890  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
891  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
892  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
893  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
894  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
895  SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags);
896  SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags);
897  SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
898 
899  /* Check for obsolete flags and warn that they have no effect. */
900  static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",
901  "flow", NULL };
902  for (int i = 0; deprecated_flags[i] != NULL; i++) {
903  if (ConfNodeLookupChildValue(conf, deprecated_flags[i]) != NULL) {
904  SCLogWarning("Found deprecated eve-log.alert flag \"%s\", this flag has no effect",
905  deprecated_flags[i]);
906  }
907  }
908 
909  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
910 
911  if (payload_buffer_value != NULL) {
912  uint32_t value;
913  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
914  SCLogError("Error parsing "
915  "payload-buffer-size - %s. Killing engine",
916  payload_buffer_value);
917  exit(EXIT_FAILURE);
918  } else {
919  payload_buffer_size = value;
920  }
921  }
922 
923  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
924  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
925  SCLogWarning("HTTP body logging has been configured, however, "
926  "metadata logging has not been enabled. HTTP body logging will be "
927  "disabled.");
929  warn_no_meta = true;
930  }
931  }
932  }
933 
936  }
937 
938  json_output_ctx->payload_buffer_size = payload_buffer_size;
939  json_output_ctx->flags |= flags;
940 }
941 
942 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
943 {
944  HttpXFFCfg *xff_cfg = NULL;
945  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
946  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
947  if (likely(xff_cfg != NULL)) {
948  HttpXFFGetCfg(conf, xff_cfg);
949  }
950  }
951  return xff_cfg;
952 }
953 
954 /**
955  * \brief Create a new LogFileCtx for "fast" output style.
956  * \param conf The configuration node for this output.
957  * \return A LogFileCtx pointer on success, NULL on failure.
958  */
959 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
960 {
961  OutputInitResult result = { NULL, false };
962  OutputJsonCtx *ajt = parent_ctx->data;
963  AlertJsonOutputCtx *json_output_ctx = NULL;
964 
965  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
966  if (unlikely(output_ctx == NULL))
967  return result;
968 
969  json_output_ctx = SCCalloc(1, sizeof(AlertJsonOutputCtx));
970  if (unlikely(json_output_ctx == NULL)) {
971  goto error;
972  }
973 
974  json_output_ctx->file_ctx = ajt->file_ctx;
975  json_output_ctx->eve_ctx = ajt;
976 
977  JsonAlertLogSetupMetadata(json_output_ctx, conf);
978  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
979  if (json_output_ctx->xff_cfg == NULL) {
980  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
981  }
982 
983  output_ctx->data = json_output_ctx;
984  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
985 
986  result.ctx = output_ctx;
987  result.ok = true;
988  return result;
989 
990 error:
991  if (json_output_ctx != NULL) {
992  SCFree(json_output_ctx);
993  }
994  if (output_ctx != NULL) {
995  SCFree(output_ctx);
996  }
997 
998  return result;
999 }
1000 
1002 {
1004  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1005  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1006  NULL);
1007 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:48
Packet_::proto
uint8_t proto
Definition: decode.h:504
TcpStream_
Definition: stream-tcp-private.h:106
FileContainer_
Definition: util-file.h:113
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:262
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-smtp.c:96
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:252
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:395
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:49
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
Signature_::sig_str
char * sig_str
Definition: detect.h:669
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:264
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
ConfNode_::val
char * val
Definition: conf.h:34
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
output-json-mqtt.h
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:86
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:609
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:102
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:106
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:378
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:82
AlertJsonStreamDataCallbackData::last_re
uint64_t last_re
Definition: output-json-alert.c:512
Packet_::payload
uint8_t * payload
Definition: decode.h:588
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:274
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:280
SCEveJsonSimpleGetLogger
EveJsonSimpleAppLayerLogger * SCEveJsonSimpleGetLogger(AppProto alproto)
Definition: output.c:1158
action-globals.h
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
Packet_::flags
uint32_t flags
Definition: decode.h:519
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:479
OutputJsonCtx_
Definition: output-json.h:81
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:356
LogFileCtx_
Definition: util-logopenfile.h:72
output-json-frame.h
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:62
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:931
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:277
output-json-tls.h
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
AlertJsonStreamDataCallbackData::payload
MemBuffer * payload
Definition: output-json-alert.c:511
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:80
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:228
rust.h
Frames
Definition: app-layer-frames.h:60
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
FramesContainer
Definition: app-layer-frames.h:73
EveFileInfo
void EveFileInfo(JsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:123
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:39
proto
uint8_t proto
Definition: decode-template.h:0
AlertJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-alert.c:107
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:513
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
Flow_::protoctx
void * protoctx
Definition: flow.h:446
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:589
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:603
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-http.c:503
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:537
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:180
OutputCtx_::data
void * data
Definition: tm-modules.h:88
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
PcapLogGetFilename
char * PcapLogGetFilename(void)
Definition: log-pcap.c:1770
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:199
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:253
OutputCtx_
Definition: tm-modules.h:85
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:250
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:95
OutputJsonThreadCtx_
Definition: output-json.h:89
Signature_::gid
uint32_t gid
Definition: detect.h:638
output-json-dnp3.h
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:51
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
JsonAlertLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-alert.c:113
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:26
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:75
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:243
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:81
Packet_::ts
SCTime_t ts
Definition: decode.h:530
LOG_JSON_WEBSOCKET_PAYLOAD
#define LOG_JSON_WEBSOCKET_PAYLOAD
Definition: output-json-alert.c:88
app-layer-dnp3.h
output-json.h
FrameGetById
Frame * FrameGetById(Frames *frames, const int64_t id)
Definition: app-layer-frames.c:86
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
EveIKEAddMetadata
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-ike.c:65
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:77
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
PktSrcEnum
PktSrcEnum
Definition: decode.h:54
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:103
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:780
util-print.h
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:823
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:426
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:110
Signature_::flags
uint32_t flags
Definition: detect.h:603
stream.h
JsonAddrInfo_
Definition: output-json.h:47
Packet_
Definition: decode.h:482
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:176
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:99
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:79
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:282
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:83
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:278
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:50
AlertJsonHeader
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
Definition: output-json-alert.c:184
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:104
ConfNodeHasChildren
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:767
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:229
EveJsonSimpleAppLayerLogger
Definition: output.h:194
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:80
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1108
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint32_t tx_id, JsonBuilder *js)
Definition: output-json-email-common.c:359
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:105
log-pcap.h
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:254
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:52
Signature_::class_msg
char * class_msg
Definition: detect.h:663
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:786
PacketAlert_::flags
uint8_t flags
Definition: decode.h:251
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:80
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:266
File_
Definition: util-file.h:79
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:521
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:648
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:37
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
Definition: output-json-alert.c:89
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:50
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:91
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:210
pcap_filename
char pcap_filename[PATH_MAX]
Definition: source-pcap-file-helper.c:116
EveJsonSimpleAppLayerLogger::LogTx
EveJsonSimpleTxLogFunc LogTx
Definition: output.h:196
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:43
AlertJsonOutputCtx_
Definition: output-json-alert.c:101
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:112
output-json-nfs.h
packet.h
EveAddVerdict
void EveAddVerdict(JsonBuilder *jb, const Packet *p)
Build verdict object.
Definition: output-json-alert.c:465
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:81
LOG_JSON_VERDICT
#define LOG_JSON_VERDICT
Definition: output-json-alert.c:87
File_::next
struct File_ * next
Definition: util-file.h:92
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
EveAddAppProto
void EveAddAppProto(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:169
Signature_::rev
uint32_t rev
Definition: detect.h:639
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:431
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:59
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:640
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:181
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
output-json-dns.h
Packet_::root
struct Packet_ * root
Definition: decode.h:636
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:48
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:667
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:268
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:111
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:594
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Flow_::alstate
void * alstate
Definition: flow.h:481
Signature_::id
uint32_t id
Definition: detect.h:637
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:507
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:84
output-json-ike.h
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:78
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:562
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb, MemBuffer *buffer)
log a single frame
Definition: output-json-frame.c:253
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:49
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:83
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:91
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:231
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:82
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:112
PacketAlert_
Definition: decode.h:248
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:127
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:468
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:205
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1203
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:871
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:116
output-json-smtp.h
TcpSession_
Definition: stream-tcp-private.h:283
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1270
Signature_::msg
char * msg
Definition: detect.h:660
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4865
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-smb.c:34
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
StreamReassembleLog
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
Definition: stream-tcp-reassemble.c:1921
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:85
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:260
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1001
AlertJsonStreamDataCallbackData
Definition: output-json-alert.c:510
EveAddFlow
void EveAddFlow(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:190
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:814