suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "packet.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "stream.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 #include "stream-tcp.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-time.h"
41 
42 #include "detect-engine.h"
43 #include "detect-metadata.h"
44 #include "app-layer-parser.h"
45 #include "app-layer-htp-xff.h"
46 #include "app-layer-ftp.h"
47 #include "app-layer-frames.h"
48 #include "log-pcap.h"
49 
50 #include "output.h"
51 #include "output-json.h"
52 #include "output-json-alert.h"
53 #include "output-json-http.h"
54 #include "rust.h"
55 #include "output-json-smtp.h"
57 #include "output-json-nfs.h"
58 #include "output-json-smb.h"
59 #include "output-json-flow.h"
60 #include "output-json-ike.h"
61 #include "output-json-frame.h"
62 
63 #include "util-print.h"
64 #include "util-optimize.h"
65 #include "util-buffer.h"
66 #include "util-reference-config.h"
67 #include "util-validate.h"
68 
69 #include "action-globals.h"
70 
71 #define MODULE_NAME "JsonAlertLog"
72 
73 #define LOG_JSON_PAYLOAD BIT_U16(0)
74 #define LOG_JSON_PACKET BIT_U16(1)
75 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
76 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
77 #define LOG_JSON_APP_LAYER BIT_U16(4)
78 #define LOG_JSON_FLOW BIT_U16(5)
79 #define LOG_JSON_HTTP_BODY BIT_U16(6)
80 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
81 #define LOG_JSON_RULE_METADATA BIT_U16(8)
82 #define LOG_JSON_RULE BIT_U16(9)
83 #define LOG_JSON_VERDICT BIT_U16(10)
84 #define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)
85 #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
86 #define LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)
87 #define LOG_JSON_REFERENCE BIT_U16(14)
88 
89 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
90  LOG_JSON_APP_LAYER | \
91  LOG_JSON_RULE_METADATA)
92 
93 #define JSON_BODY_LOGGING \
94  (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD | \
95  LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)
96 
97 #define JSON_STREAM_BUFFER_SIZE 4096
98 
99 typedef struct AlertJsonOutputCtx_ {
101  uint16_t flags;
107 
108 typedef struct JsonAlertLogThread_ {
113 
114 static void AlertJsonSourceTarget(
115  const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, JsonAddrInfo *addr)
116 {
117  SCJbOpenObject(js, "source");
118  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
119  SCJbSetString(js, "ip", addr->src_ip);
120  switch (p->proto) {
121  case IPPROTO_ICMP:
122  case IPPROTO_ICMPV6:
123  break;
124  case IPPROTO_UDP:
125  case IPPROTO_TCP:
126  case IPPROTO_SCTP:
127  SCJbSetUint(js, "port", addr->sp);
128  break;
129  }
130  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
131  SCJbSetString(js, "ip", addr->dst_ip);
132  switch (p->proto) {
133  case IPPROTO_ICMP:
134  case IPPROTO_ICMPV6:
135  break;
136  case IPPROTO_UDP:
137  case IPPROTO_TCP:
138  case IPPROTO_SCTP:
139  SCJbSetUint(js, "port", addr->dp);
140  break;
141  }
142  }
143  SCJbClose(js);
144 
145  SCJbOpenObject(js, "target");
146  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
147  SCJbSetString(js, "ip", addr->dst_ip);
148  switch (p->proto) {
149  case IPPROTO_ICMP:
150  case IPPROTO_ICMPV6:
151  break;
152  case IPPROTO_UDP:
153  case IPPROTO_TCP:
154  case IPPROTO_SCTP:
155  SCJbSetUint(js, "port", addr->dp);
156  break;
157  }
158  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
159  SCJbSetString(js, "ip", addr->src_ip);
160  switch (p->proto) {
161  case IPPROTO_ICMP:
162  case IPPROTO_ICMPV6:
163  break;
164  case IPPROTO_UDP:
165  case IPPROTO_TCP:
166  case IPPROTO_SCTP:
167  SCJbSetUint(js, "port", addr->sp);
168  break;
169  }
170  }
171  SCJbClose(js);
172 }
173 
174 static void AlertJsonReference(const PacketAlert *pa, SCJsonBuilder *jb)
175 {
176  if (!pa->s->references) {
177  return;
178  }
179 
180  const DetectReference *kv = pa->s->references;
181  SCJbOpenArray(jb, "references");
182  while (kv) {
183  /* Note that the key and reference sizes have been bound
184  * checked during parsing
185  * add +2 to safisfy gcc 15 + -Wformat-truncation=2
186  */
187  const size_t size_needed = kv->key_len + kv->reference_len + 3;
188  char kv_store[size_needed];
189  snprintf(kv_store, size_needed, "%s%s", kv->key, kv->reference);
190  SCJbAppendString(jb, kv_store);
191  kv = kv->next;
192  }
193  SCJbClose(jb);
194 }
195 
196 static void AlertJsonMetadata(const PacketAlert *pa, SCJsonBuilder *js)
197 {
198  if (pa->s->metadata && pa->s->metadata->json_str) {
199  SCJbSetFormatted(js, pa->s->metadata->json_str);
200  }
201 }
202 
203 void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags,
204  JsonAddrInfo *addr, char *xff_buffer)
205 {
206  const char *action = "allowed";
207  /* use packet action if rate_filter modified the action */
210  action = "blocked";
211  }
212  } else {
213  if (pa->action & ACTION_REJECT_ANY) {
214  action = "blocked";
215  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
216  action = "blocked";
217  }
218  }
219 
220  /* Add tx_id to root element for correlation with other events. */
221  /* json_object_del(js, "tx_id"); */
222  if (pa->flags & PACKET_ALERT_FLAG_TX) {
223  SCJbSetUint(js, "tx_id", pa->tx_id);
224  }
226  SCJbSetBool(js, "tx_guessed", true);
227  }
228 
229  SCJbOpenObject(js, "alert");
230 
231  SCJbSetString(js, "action", action);
232  SCJbSetUint(js, "gid", pa->s->gid);
233  SCJbSetUint(js, "signature_id", pa->s->id);
234  SCJbSetUint(js, "rev", pa->s->rev);
235  /* TODO: SCJsonBuilder should handle unprintable characters like
236  * SCJsonString. */
237  SCJbSetString(js, "signature", pa->s->msg ? pa->s->msg : "");
238  SCJbSetString(js, "category", pa->s->class_msg ? pa->s->class_msg : "");
239  SCJbSetUint(js, "severity", pa->s->prio);
240 
241  if (p->tenant_id > 0) {
242  SCJbSetUint(js, "tenant_id", p->tenant_id);
243  }
244 
245  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
246  AlertJsonSourceTarget(p, pa, js, addr);
247  }
248 
249  if ((flags & LOG_JSON_REFERENCE)) {
250  AlertJsonReference(pa, js);
251  }
252 
254  AlertJsonMetadata(pa, js);
255  }
256 
257  if (pa->json_info != NULL) {
258  SCJbOpenObject(js, "context");
259  const struct PacketContextData *json_info = pa->json_info;
260  while (json_info) {
261  SCLogDebug("JSON string '{%s}'", json_info->json_string);
262  /* The string is valid json as it is validated by JANSSON
263  during parsing and included later via a format string */
264  SCJbSetFormatted(js, json_info->json_string);
265  json_info = json_info->next;
266  }
267  SCJbClose(js);
268  }
269  if (flags & LOG_JSON_RULE) {
270  SCJbSetString(js, "rule", pa->s->sig_str);
271  }
272  if (xff_buffer && xff_buffer[0]) {
273  SCJbSetString(js, "xff", xff_buffer);
274  }
275 
276  SCJbClose(js);
277 }
278 
279 static void AlertJsonTunnel(const Packet *p, SCJsonBuilder *js)
280 {
281  if (p->root == NULL) {
282  return;
283  }
284 
285  SCJbOpenObject(js, "tunnel");
286 
287  enum PktSrcEnum pkt_src;
288  uint64_t pcap_cnt;
290  JsonAddrInfoInit(p->root, 0, &addr);
291  pcap_cnt = p->root->pcap_cnt;
292  pkt_src = p->root->pkt_src;
293 
294  SCJbSetString(js, "src_ip", addr.src_ip);
295  SCJbSetUint(js, "src_port", addr.sp);
296  SCJbSetString(js, "dest_ip", addr.dst_ip);
297  SCJbSetUint(js, "dest_port", addr.dp);
298  SCJbSetString(js, "proto", addr.proto);
299 
300  SCJbSetUint(js, "depth", p->recursion_level);
301  if (pcap_cnt != 0) {
302  SCJbSetUint(js, "pcap_cnt", pcap_cnt);
303  }
304  SCJbSetString(js, "pkt_src", PktSrcToString(pkt_src));
305  SCJbClose(js);
306 }
307 
308 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, SCJsonBuilder *js, const Packet *p)
309 {
310  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
311  SCJbSetBase64(js, "payload", p->payload, p->payload_len);
312  }
313  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
314  SCJbSetUint(js, "payload_length", p->payload_len);
315  }
316 
317  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
318  uint8_t printable_buf[p->payload_len + 1];
319  uint32_t offset = 0;
320  PrintStringsToBuffer(printable_buf, &offset,
321  p->payload_len + 1,
322  p->payload, p->payload_len);
323  printable_buf[p->payload_len] = '\0';
324  SCJbSetString(js, "payload_printable", (char *)printable_buf);
325  }
326 }
327 
328 static void AlertAddAppLayer(
329  const Packet *p, SCJsonBuilder *jb, const uint64_t tx_id, const uint16_t option_flags)
330 {
331  const AppProto proto = FlowGetAppProtocol(p->flow);
333  SCJsonBuilderMark mark = { 0, 0, 0 };
334  if (al && al->LogTx) {
335  void *state = FlowGetAppState(p->flow);
336  if (state) {
337  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
338  if (tx) {
339  const int ts =
340  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
341  const int tc =
342  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
343  SCJbSetString(jb, "ts_progress",
344  AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
345  SCJbSetString(jb, "tc_progress",
346  AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
347  SCJbGetMark(jb, &mark);
348  switch (proto) {
349  // first check some protocols need special options for alerts logging
350  case ALPROTO_WEBSOCKET:
351  if (option_flags &
353  bool pp = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD) != 0;
354  bool pb64 = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD_BASE64) != 0;
355  if (!SCWebSocketLogDetails(tx, jb, pp, pb64)) {
356  SCJbRestoreMark(jb, &mark);
357  }
358  // nothing more to log or do
359  return;
360  }
361  }
362  if (!al->LogTx(tx, jb)) {
363  SCJbRestoreMark(jb, &mark);
364  }
365  }
366  }
367  return;
368  }
369  void *state = FlowGetAppState(p->flow);
370  if (state) {
371  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
372  if (tx) {
373  const int ts =
374  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
375  const int tc =
376  AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
377  SCJbSetString(jb, "ts_progress",
378  AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
379  SCJbSetString(jb, "tc_progress",
380  AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
381  }
382  }
383  switch (proto) {
384  case ALPROTO_HTTP1:
385  // TODO: Could result in an empty http object being logged.
386  SCJbOpenObject(jb, "http");
387  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
388  if (option_flags & LOG_JSON_HTTP_BODY) {
389  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
390  }
391  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
392  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
393  }
394  }
395  SCJbClose(jb);
396  break;
397  case ALPROTO_SMTP:
398  SCJbGetMark(jb, &mark);
399  SCJbOpenObject(jb, "smtp");
400  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
401  SCJbClose(jb);
402  } else {
403  SCJbRestoreMark(jb, &mark);
404  }
405  SCJbGetMark(jb, &mark);
406  SCJbOpenObject(jb, "email");
407  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
408  SCJbClose(jb);
409  } else {
410  SCJbRestoreMark(jb, &mark);
411  }
412  break;
413  case ALPROTO_NFS:
414  /* rpc */
415  SCJbGetMark(jb, &mark);
416  SCJbOpenObject(jb, "rpc");
417  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
418  SCJbClose(jb);
419  } else {
420  SCJbRestoreMark(jb, &mark);
421  }
422  /* nfs */
423  SCJbGetMark(jb, &mark);
424  SCJbOpenObject(jb, "nfs");
425  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
426  SCJbClose(jb);
427  } else {
428  SCJbRestoreMark(jb, &mark);
429  }
430  break;
431  case ALPROTO_SMB:
432  SCJbGetMark(jb, &mark);
433  SCJbOpenObject(jb, "smb");
434  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
435  SCJbClose(jb);
436  } else {
437  SCJbRestoreMark(jb, &mark);
438  }
439  break;
440  case ALPROTO_IKE:
441  SCJbGetMark(jb, &mark);
442  if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
443  SCJbRestoreMark(jb, &mark);
444  }
445  break;
446  case ALPROTO_DCERPC: {
447  if (state) {
448  void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
449  if (tx) {
450  SCJbGetMark(jb, &mark);
451  SCJbOpenObject(jb, "dcerpc");
452  if (p->proto == IPPROTO_TCP) {
453  if (!SCDcerpcLogJsonRecordTcp(state, tx, jb)) {
454  SCJbRestoreMark(jb, &mark);
455  }
456  } else {
457  if (!SCDcerpcLogJsonRecordUdp(state, tx, jb)) {
458  SCJbRestoreMark(jb, &mark);
459  }
460  }
461  SCJbClose(jb);
462  }
463  }
464  break;
465  }
466  default:
467  break;
468  }
469 }
470 
471 static void AlertAddFiles(const Packet *p, SCJsonBuilder *jb, const uint64_t tx_id)
472 {
473  const uint8_t direction =
474  (p->flowflags & FLOW_PKT_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT;
475  FileContainer *ffc = NULL;
476  if (p->flow->alstate != NULL) {
477  void *tx = AppLayerParserGetTx(p->flow->proto, p->flow->alproto, p->flow->alstate, tx_id);
478  if (tx) {
479  AppLayerGetFileState files = AppLayerParserGetTxFiles(p->flow, tx, direction);
480  ffc = files.fc;
481  }
482  }
483  if (ffc != NULL) {
484  File *file = ffc->head;
485  bool isopen = false;
486  while (file) {
487  if (!isopen) {
488  isopen = true;
489  SCJbOpenArray(jb, "files");
490  }
491  SCJbStartObject(jb);
492  EveFileInfo(jb, file, tx_id, file->flags);
493  SCJbClose(jb);
494  file = file->next;
495  }
496  if (isopen) {
497  SCJbClose(jb);
498  }
499  }
500 }
501 
502 static void AlertAddFrame(
503  const Packet *p, const int64_t frame_id, SCJsonBuilder *jb, MemBuffer *buffer)
504 {
505  if (p->flow == NULL || (p->proto == IPPROTO_TCP && p->flow->protoctx == NULL))
506  return;
507 
508  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
509  if (frames_container == NULL)
510  return;
511 
512  Frames *frames = NULL;
513  TcpStream *stream = NULL;
514  if (p->proto == IPPROTO_TCP) {
515  TcpSession *ssn = p->flow->protoctx;
516  if (PKT_IS_TOSERVER(p)) {
517  stream = &ssn->client;
518  frames = &frames_container->toserver;
519  } else {
520  stream = &ssn->server;
521  frames = &frames_container->toclient;
522  }
523  Frame *frame = FrameGetById(frames, frame_id);
524  if (frame != NULL) {
525  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, buffer);
526  }
527  } else if (p->proto == IPPROTO_UDP) {
528  if (PKT_IS_TOSERVER(p)) {
529  frames = &frames_container->toserver;
530  } else {
531  frames = &frames_container->toclient;
532  }
533  Frame *frame = FrameGetById(frames, frame_id);
534  if (frame != NULL) {
535  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, buffer);
536  }
537  }
538 }
539 
540 /**
541  * \brief Build verdict object
542  *
543  * \param p Pointer to Packet current being logged
544  *
545  */
546 void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
547 {
548  SCJbOpenObject(jb, "verdict");
549 
550  /* add verdict info */
552  // check rule to define type of reject packet sent
553  if (EngineModeIsIPS()) {
554  JB_SET_STRING(jb, "action", "drop");
555  } else {
556  JB_SET_STRING(jb, "action", "alert");
557  }
559  JB_SET_STRING(jb, "reject-target", "to_client");
560  } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
561  JB_SET_STRING(jb, "reject-target", "to_server");
562  } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
563  JB_SET_STRING(jb, "reject-target", "both");
564  }
565  SCJbOpenArray(jb, "reject");
566  switch (p->proto) {
567  case IPPROTO_UDP:
568  case IPPROTO_ICMP:
569  case IPPROTO_ICMPV6:
570  SCJbAppendString(jb, "icmp-prohib");
571  break;
572  case IPPROTO_TCP:
573  SCJbAppendString(jb, "tcp-reset");
574  break;
575  }
576  SCJbClose(jb);
577 
578  } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) {
579  JB_SET_STRING(jb, "action", "drop");
580  } else if (PacketCheckAction(p, ACTION_ACCEPT)) {
581  JB_SET_STRING(jb, "action", "accept");
582  } else if (p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS) {
583  JB_SET_STRING(jb, "action", "pass");
584  } else {
585  // TODO make sure we don't have a situation where this wouldn't work
586  JB_SET_STRING(jb, "action", "alert");
587  }
588 
589  /* Close verdict */
590  SCJbClose(jb);
591 }
592 
595  uint64_t last_re;
596 };
597 
598 static int AlertJsonStreamDataCallback(
599  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
600 {
601  struct AlertJsonStreamDataCallbackData *cbd = cb_data;
602  if (input_offset > cbd->last_re) {
604  cbd->payload, "[%" PRIu64 " bytes missing]", input_offset - cbd->last_re);
605  }
606 
607  int done = 0;
608  uint32_t written = MemBufferWriteRaw(cbd->payload, input, input_len);
609  if (written < input_len)
610  done = 1;
611  cbd->last_re = input_offset + input_len;
612  return done;
613 }
614 
615 /** \internal
616  * \brief try to log stream data into payload/payload_printable
617  * \retval true stream data logged
618  * \retval false stream data not logged
619  */
620 static bool AlertJsonStreamData(const AlertJsonOutputCtx *json_output_ctx, JsonAlertLogThread *aft,
621  Flow *f, const Packet *p, SCJsonBuilder *jb)
622 {
623  TcpSession *ssn = f->protoctx;
624  TcpStream *stream = (PKT_IS_TOSERVER(p)) ? &ssn->client : &ssn->server;
625 
626  MemBufferReset(aft->payload_buffer);
628  .last_re = STREAM_BASE_OFFSET(stream) };
629  uint64_t unused = 0;
630  StreamReassembleLog(ssn, stream, AlertJsonStreamDataCallback, &cbd, STREAM_BASE_OFFSET(stream),
631  &unused, false);
632  if (cbd.payload->offset) {
633  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
634  SCJbSetBase64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
635  }
636  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
637  SCJbSetUint(jb, "payload_length", cbd.payload->offset);
638  }
639 
640  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
641  uint8_t printable_buf[cbd.payload->offset + 1];
642  uint32_t offset = 0;
643  PrintStringsToBuffer(printable_buf, &offset, cbd.payload->offset + 1,
644  cbd.payload->buffer, cbd.payload->offset);
645  SCJbSetString(jb, "payload_printable", (char *)printable_buf);
646  }
647  return true;
648  }
649  return false;
650 }
651 
652 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
653 {
654  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
655 
656  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
657  return TM_ECODE_OK;
658 
659  for (int i = 0; i < p->alerts.cnt; i++) {
660  const PacketAlert *pa = &p->alerts.alerts[i];
661  if (unlikely(pa->s == NULL)) {
662  continue;
663  }
664 
665  /* First initialize the address info (5-tuple). */
667  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
668 
669  /* Check for XFF, overwriting address info if needed. */
670  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ? json_output_ctx->xff_cfg
671  : json_output_ctx->parent_xff_cfg;
672  int have_xff_ip = 0;
673  char xff_buffer[XFF_MAXLEN];
674  xff_buffer[0] = 0;
675  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
676  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP1) {
677  if (pa->flags & PACKET_ALERT_FLAG_TX) {
678  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
679  xff_buffer, XFF_MAXLEN);
680  } else {
681  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
682  XFF_MAXLEN);
683  }
684  }
685 
686  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
687  if (p->flowflags & FLOW_PKT_TOCLIENT) {
688  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
689  } else {
690  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
691  }
692  /* Clear have_xff_ip so the xff field does not get
693  * logged below. */
694  have_xff_ip = false;
695  }
696  if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
697  // reset xff_buffer so as not to log it
698  xff_buffer[0] = 0;
699  }
700  }
701 
702  SCJsonBuilder *jb =
703  CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr, json_output_ctx->eve_ctx);
704  if (unlikely(jb == NULL))
705  return TM_ECODE_OK;
706 
707 
708  /* alert */
709  AlertJsonHeader(p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);
710 
711  if (PacketIsTunnel(p)) {
712  AlertJsonTunnel(p, jb);
713  }
714 
715  if (p->flow != NULL) {
716  if (pa->flags & PACKET_ALERT_FLAG_TX) {
717  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
718  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
719  }
720  /* including fileinfo data is configured by the metadata setting */
721  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
722  AlertAddFiles(p, jb, pa->tx_id);
723  }
724  }
725 
726  EveAddAppProto(p->flow, jb);
727 
728  if (p->flowflags & FLOW_PKT_TOSERVER) {
729  SCJbSetString(jb, "direction", "to_server");
730  } else {
731  SCJbSetString(jb, "direction", "to_client");
732  }
733 
734  if (json_output_ctx->flags & LOG_JSON_FLOW) {
735  SCJbOpenObject(jb, "flow");
736  EveAddFlow(p->flow, jb);
737  if (p->flowflags & FLOW_PKT_TOCLIENT) {
738  SCJbSetString(jb, "src_ip", addr.dst_ip);
739  SCJbSetString(jb, "dest_ip", addr.src_ip);
740  if (addr.sp > 0) {
741  SCJbSetUint(jb, "src_port", addr.dp);
742  SCJbSetUint(jb, "dest_port", addr.sp);
743  }
744  } else {
745  SCJbSetString(jb, "src_ip", addr.src_ip);
746  SCJbSetString(jb, "dest_ip", addr.dst_ip);
747  if (addr.sp > 0) {
748  SCJbSetUint(jb, "src_port", addr.sp);
749  SCJbSetUint(jb, "dest_port", addr.dp);
750  }
751  }
752  SCJbClose(jb);
753  }
754  }
755 
756  /* payload */
757  if (json_output_ctx->flags &
759  int stream = (p->proto == IPPROTO_TCP) ?
761  1 : 0) : 0;
762  // should be impossible, as stream implies flow
763  DEBUG_VALIDATE_BUG_ON(stream && p->flow == NULL);
764 
765  /* Is this a stream? If so, pack part of it into the payload field */
766  if (stream && p->flow != NULL) {
767  const bool stream_data_logged =
768  AlertJsonStreamData(json_output_ctx, aft, p->flow, p, jb);
769  if (!stream_data_logged && p->payload_len) {
770  /* Fallback on packet payload */
771  AlertAddPayload(json_output_ctx, jb, p);
772  }
773  } else {
774  /* This is a single packet and not a stream */
775  AlertAddPayload(json_output_ctx, jb, p);
776  }
777 
778  SCJbSetUint(jb, "stream", stream);
779  }
780 
781  if (pa->flags & PACKET_ALERT_FLAG_FRAME) {
782  AlertAddFrame(p, pa->frame_id, jb, aft->payload_buffer);
783  }
784 
785  /* base64-encoded full packet */
786  if (json_output_ctx->flags & LOG_JSON_PACKET) {
787  EvePacket(p, jb, 0);
788  }
789 
791  if (pcap_filename != NULL) {
792  SCJbSetString(jb, "capture_file", pcap_filename);
793  }
794 
795  if (json_output_ctx->flags & LOG_JSON_VERDICT) {
796  EveAddVerdict(jb, p);
797  }
798 
799  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
800  SCJbFree(jb);
801  }
802 
803  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
805  SCJsonBuilder *packetjs =
806  CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
807  if (unlikely(packetjs != NULL)) {
808  EvePacket(p, packetjs, 0);
809  OutputJsonBuilderBuffer(tv, p, p->flow, packetjs, aft->ctx);
810  SCJbFree(packetjs);
811  }
812  }
813 
814  return TM_ECODE_OK;
815 }
816 
817 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
818 {
819  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
820 
821  if (p->alerts.cnt == 0)
822  return TM_ECODE_OK;
823 
824  for (int i = 0; i < p->alerts.cnt; i++) {
825  const PacketAlert *pa = &p->alerts.alerts[i];
826  if (unlikely(pa->s == NULL)) {
827  continue;
828  }
829 
830  SCJsonBuilder *jb =
831  CreateEveHeader(p, LOG_DIR_PACKET, "alert", NULL, json_output_ctx->eve_ctx);
832  if (unlikely(jb == NULL))
833  return TM_ECODE_OK;
834 
835  AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
836 
837  if (PacketIsTunnel(p)) {
838  AlertJsonTunnel(p, jb);
839  }
840 
841  /* base64-encoded full packet */
842  if (json_output_ctx->flags & LOG_JSON_PACKET) {
843  EvePacket(p, jb, 0);
844  }
845 
847  if (pcap_filename != NULL) {
848  SCJbSetString(jb, "capture_file", pcap_filename);
849  }
850 
851  if (json_output_ctx->flags & LOG_JSON_VERDICT) {
852  EveAddVerdict(jb, p);
853  }
854 
855  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
856  SCJbFree(jb);
857  }
858 
859  return TM_ECODE_OK;
860 }
861 
862 static int JsonAlertFlush(ThreadVars *tv, void *thread_data, const Packet *p)
863 {
864  JsonAlertLogThread *aft = thread_data;
865  SCLogDebug("%s flushing %s", tv->name, ((LogFileCtx *)(aft->ctx->file_ctx))->filename);
866  OutputJsonFlush(aft->ctx);
867  return 0;
868 }
869 
870 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
871 {
872  JsonAlertLogThread *aft = thread_data;
873 
874  if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
875  return AlertJson(tv, aft, p);
876  } else if (p->alerts.cnt > 0) {
877  return AlertJsonDecoderEvent(tv, aft, p);
878  }
879  return 0;
880 }
881 
882 static bool JsonAlertLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
883 {
884  return (p->alerts.cnt || (p->flags & PKT_HAS_TAG));
885 }
886 
887 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
888 {
890  if (unlikely(aft == NULL))
891  return TM_ECODE_FAILED;
892 
893  if (initdata == NULL)
894  {
895  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
896  goto error_exit;
897  }
898 
899  /** Use the Output Context (file pointer and mutex) */
900  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
901 
902  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
903  if (aft->payload_buffer == NULL) {
904  goto error_exit;
905  }
906  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
907  if (!aft->ctx) {
908  goto error_exit;
909  }
910 
911  aft->json_output_ctx = json_output_ctx;
912 
913  *data = (void *)aft;
914  return TM_ECODE_OK;
915 
916 error_exit:
917  if (aft->payload_buffer != NULL) {
919  }
920  SCFree(aft);
921  return TM_ECODE_FAILED;
922 }
923 
924 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
925 {
926  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
927  if (aft == NULL) {
928  return TM_ECODE_OK;
929  }
930 
932  FreeEveThreadCtx(aft->ctx);
933 
934  /* clear memory */
935  memset(aft, 0, sizeof(JsonAlertLogThread));
936 
937  SCFree(aft);
938  return TM_ECODE_OK;
939 }
940 
941 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
942 {
943  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
944 
945  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
946 
947  if (json_output_ctx != NULL) {
948  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
949  if (xff_cfg != NULL) {
950  SCFree(xff_cfg);
951  }
952  SCFree(json_output_ctx);
953  }
954  SCFree(output_ctx);
955 }
956 
957 static void SetFlag(const SCConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
958 {
959  DEBUG_VALIDATE_BUG_ON(conf == NULL);
960  const char *setting = SCConfNodeLookupChildValue(conf, name);
961  if (setting != NULL) {
962  if (SCConfValIsTrue(setting)) {
963  *out_flags |= flag;
964  } else {
965  *out_flags &= ~flag;
966  }
967  }
968 }
969 
970 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx, SCConfNode *conf)
971 {
972  static bool warn_no_meta = false;
973  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
974  uint16_t flags = METADATA_DEFAULTS;
975 
976  if (conf != NULL) {
977  /* Check for metadata to enable/disable. */
978  SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
979  if (metadata != NULL) {
980  if (metadata->val != NULL && SCConfValIsFalse(metadata->val)) {
982  } else if (SCConfNodeHasChildren(metadata)) {
983  SCConfNode *rule_metadata = SCConfNodeLookupChild(metadata, "rule");
984  if (rule_metadata) {
985  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
986  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
987  &flags);
988  SetFlag(rule_metadata, "reference", LOG_JSON_REFERENCE, &flags);
989  }
990  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
991  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
992  }
993  }
994 
995  /* Non-metadata toggles. */
996  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
997  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
998  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
999  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
1000  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
1001  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
1002  SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags);
1003  SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags);
1004  SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
1005  SetFlag(conf, "payload-length", LOG_JSON_PAYLOAD_LENGTH, &flags);
1006 
1007  /* Check for obsolete flags and warn that they have no effect. */
1008  static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",
1009  "flow", NULL };
1010  for (int i = 0; deprecated_flags[i] != NULL; i++) {
1011  if (SCConfNodeLookupChildValue(conf, deprecated_flags[i]) != NULL) {
1012  SCLogWarning("Found deprecated eve-log.alert flag \"%s\", this flag has no effect",
1013  deprecated_flags[i]);
1014  }
1015  }
1016 
1017  const char *payload_buffer_value = SCConfNodeLookupChildValue(conf, "payload-buffer-size");
1018 
1019  if (payload_buffer_value != NULL) {
1020  uint32_t value;
1021  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
1022  SCLogError("Error parsing "
1023  "payload-buffer-size - %s. Killing engine",
1024  payload_buffer_value);
1025  exit(EXIT_FAILURE);
1026  } else if (value == 0) {
1027  // you should not ask for payload if you want 0 of it
1028  SCLogError("Error payload-buffer-size should not be 0");
1029  exit(EXIT_FAILURE);
1030  } else {
1031  payload_buffer_size = value;
1032  }
1033  }
1034 
1035  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
1036  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
1037  SCLogWarning("HTTP body logging has been configured, however, "
1038  "metadata logging has not been enabled. HTTP body logging will be "
1039  "disabled.");
1041  warn_no_meta = true;
1042  }
1043  }
1044  }
1045 
1046  if (flags & LOG_JSON_RULE_METADATA) {
1048  }
1049 
1050  json_output_ctx->payload_buffer_size = payload_buffer_size;
1051  json_output_ctx->flags |= flags;
1052 }
1053 
1054 static HttpXFFCfg *JsonAlertLogGetXffCfg(SCConfNode *conf)
1055 {
1056  HttpXFFCfg *xff_cfg = NULL;
1057  if (conf != NULL && SCConfNodeLookupChild(conf, "xff") != NULL) {
1058  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1059  if (likely(xff_cfg != NULL)) {
1060  HttpXFFGetCfg(conf, xff_cfg);
1061  }
1062  }
1063  return xff_cfg;
1064 }
1065 
1066 /**
1067  * \brief Create a new LogFileCtx for "fast" output style.
1068  * \param conf The configuration node for this output.
1069  * \return A LogFileCtx pointer on success, NULL on failure.
1070  */
1071 static OutputInitResult JsonAlertLogInitCtxSub(SCConfNode *conf, OutputCtx *parent_ctx)
1072 {
1073  OutputInitResult result = { NULL, false };
1074  OutputJsonCtx *ajt = parent_ctx->data;
1075  AlertJsonOutputCtx *json_output_ctx = NULL;
1076 
1077  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1078  if (unlikely(output_ctx == NULL))
1079  return result;
1080 
1081  json_output_ctx = SCCalloc(1, sizeof(AlertJsonOutputCtx));
1082  if (unlikely(json_output_ctx == NULL)) {
1083  goto error;
1084  }
1085 
1086  json_output_ctx->file_ctx = ajt->file_ctx;
1087  json_output_ctx->eve_ctx = ajt;
1088 
1089  JsonAlertLogSetupMetadata(json_output_ctx, conf);
1090  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
1091  if (json_output_ctx->xff_cfg == NULL) {
1092  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
1093  }
1094 
1095  output_ctx->data = json_output_ctx;
1096  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1097 
1098  result.ctx = output_ctx;
1099  result.ok = true;
1100  return result;
1101 
1102 error:
1103  if (json_output_ctx != NULL) {
1104  SCFree(json_output_ctx);
1105  }
1106  if (output_ctx != NULL) {
1107  SCFree(output_ctx);
1108  }
1109 
1110  return result;
1111 }
1112 
1114 {
1115  OutputPacketLoggerFunctions output_logger_functions = {
1116  .LogFunc = JsonAlertLogger,
1117  .FlushFunc = JsonAlertFlush,
1118  .ConditionFunc = JsonAlertLogCondition,
1119  .ThreadInitFunc = JsonAlertLogThreadInit,
1120  .ThreadDeinitFunc = JsonAlertLogThreadDeinit,
1121  .ThreadExitPrintStatsFunc = NULL,
1122  };
1123 
1124  OutputRegisterPacketSubModule(LOGGER_JSON_ALERT, "eve-log", MODULE_NAME, "eve-log.alert",
1125  JsonAlertLogInitCtxSub, &output_logger_functions);
1126 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:50
PACKET_ALERT_FLAG_TX_GUESSED
#define PACKET_ALERT_FLAG_TX_GUESSED
Definition: decode.h:278
Packet_::proto
uint8_t proto
Definition: decode.h:523
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:1009
TcpStream_
Definition: stream-tcp-private.h:106
FileContainer_
Definition: util-file.h:37
ts
uint64_t ts
Definition: source-erf-file.c:55
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:551
detect-engine.h
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:252
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:55
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
Signature_::sig_str
char * sig_str
Definition: detect.h:745
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
AppLayerParserGetStateNameById
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
Definition: app-layer-parser.c:1617
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
EveAddFlow
void EveAddFlow(Flow *f, SCJsonBuilder *js)
Definition: output-json-flow.c:198
stream-tcp.h
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:268
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:391
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:82
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:100
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:104
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:370
EveAddAppProto
void EveAddAppProto(Flow *f, SCJsonBuilder *js)
Definition: output-json-flow.c:178
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
AlertJsonStreamDataCallbackData::last_re
uint64_t last_re
Definition: output-json-alert.c:595
Packet_::payload
uint8_t * payload
Definition: decode.h:605
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:285
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1087
action-globals.h
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
Packet_::flags
uint32_t flags
Definition: decode.h:544
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:850
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:497
OutputJsonCtx_
Definition: output-json.h:75
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:348
LogFileCtx_
Definition: util-logopenfile.h:72
output-json-frame.h
AlertJsonHeader
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
Definition: output-json-alert.c:203
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:290
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
AlertJsonStreamDataCallbackData::payload
MemBuffer * payload
Definition: output-json-alert.c:594
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
rust.h
Frames
Definition: app-layer-frames.h:60
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:38
FramesContainer
Definition: app-layer-frames.h:73
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:576
ACTION_DROP_REJECT
#define ACTION_DROP_REJECT
Definition: action-globals.h:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:1015
proto
uint8_t proto
Definition: decode-template.h:0
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
AlertJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-alert.c:105
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
Flow_::protoctx
void * protoctx
Definition: flow.h:433
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
SCConfNodeHasChildren
bool SCConfNodeHasChildren(const SCConfNode *node)
Check if a node has any children.
Definition: conf.c:777
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-http.c:495
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:91
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PcapLogGetFilename
char * PcapLogGetFilename(void)
Definition: log-pcap.c:1828
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:873
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:253
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-smb.c:34
OutputCtx_
Definition: tm-modules.h:88
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:250
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:93
OutputJsonThreadCtx_
Definition: output-json.h:83
Signature_::gid
uint32_t gid
Definition: detect.h:714
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:486
EveIKEAddMetadata
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-ike.c:65
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
JsonAlertLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-alert.c:111
PacketAlert_::json_info
struct PacketContextData * json_info
Definition: decode.h:255
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-smtp.c:96
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:31
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:71
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:77
LOG_JSON_WEBSOCKET_PAYLOAD
#define LOG_JSON_WEBSOCKET_PAYLOAD
Definition: output-json-alert.c:84
output-json.h
FrameGetById
Frame * FrameGetById(Frames *frames, const int64_t id)
Definition: app-layer-frames.c:124
DetectReference_::key_len
uint16_t key_len
Definition: detect-reference.h:40
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:73
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
AppLayerGetFileState
struct AppLayerGetFileState AppLayerGetFileState
Definition: app-layer-parser.h:41
PktSrcEnum
PktSrcEnum
Definition: decode.h:51
util-reference-config.h
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:101
EveAddVerdict
void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
Build verdict object.
Definition: output-json-alert.c:546
util-print.h
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-nfs.c:62
Signature_::references
DetectReference * references
Definition: detect.h:741
FileContainer_::head
File * head
Definition: util-file.h:38
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PacketContextData
Definition: decode.h:241
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
Definition: output-json-nfs.c:50
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:856
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:259
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:108
DetectReference_
Signature reference list.
Definition: detect-reference.h:30
SCEveJsonSimpleGetLogger
EveJsonSimpleAppLayerLogger * SCEveJsonSimpleGetLogger(AppProto alproto)
Definition: output.c:931
Signature_::flags
uint32_t flags
Definition: detect.h:669
stream.h
DetectReference_::reference_len
uint16_t reference_len
Definition: detect-reference.h:41
JsonAddrInfo_
Definition: output-json.h:41
Packet_
Definition: decode.h:501
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:184
DetectReference_::reference
char * reference
Definition: detect-reference.h:34
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:97
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:75
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:287
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
LOG_JSON_PAYLOAD_LENGTH
#define LOG_JSON_PAYLOAD_LENGTH
Definition: output-json-alert.c:86
TmEcode
TmEcode
Definition: tm-threads-common.h:80
name
const char * name
Definition: tm-threads.c:2163
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:283
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:85
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:102
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:441
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
EveJsonSimpleAppLayerLogger
Definition: output-eve-bindgen.h:40
DetectReference_::next
struct DetectReference_ * next
Definition: detect-reference.h:43
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:76
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1109
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:103
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:270
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:276
log-pcap.h
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:254
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
Signature_::class_msg
char * class_msg
Definition: detect.h:739
PacketAlert_::flags
uint8_t flags
Definition: decode.h:251
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:108
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
File_
Definition: util-file.h:107
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:665
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-email-common.c:195
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
Definition: output-json-alert.c:85
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:94
pcap_filename
char pcap_filename[PATH_MAX]
Definition: source-pcap-file-helper.c:116
EveJsonSimpleAppLayerLogger::LogTx
EveJsonSimpleTxLogFunc LogTx
Definition: output-eve-bindgen.h:41
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
AlertJsonOutputCtx_
Definition: output-json-alert.c:99
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:110
output-json-nfs.h
packet.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:86
LOG_JSON_VERDICT
#define LOG_JSON_VERDICT
Definition: output-json-alert.c:83
File_::next
struct File_ * next
Definition: util-file.h:120
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
OutputPacketLoggerFunctions_::LogFunc
PacketLogger LogFunc
Definition: output.h:88
Signature_::rev
uint32_t rev
Definition: detect.h:715
ALPROTO_WEBSOCKET
@ ALPROTO_WEBSOCKET
Definition: app-layer-protos.h:64
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
PacketContextData::next
struct PacketContextData * next
Definition: decode.h:243
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
Definition: output.c:234
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Signature_::prio
int prio
Definition: detect.h:716
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:174
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
Packet_::root
struct Packet_ * root
Definition: decode.h:653
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
#define PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED
Definition: decode.h:274
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:743
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:271
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:420
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:109
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:611
DetectReference_::key
char * key
Definition: detect-reference.h:32
util-logopenfile.h
Flow_::alstate
void * alstate
Definition: flow.h:471
Signature_::id
uint32_t id
Definition: detect.h:713
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:526
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:80
output-json-ike.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, SCJsonBuilder *jb, MemBuffer *buffer)
log a single frame
Definition: output-json-frame.c:253
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:74
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:272
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:79
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:89
ACTION_ACCEPT
#define ACTION_ACCEPT
Definition: action-globals.h:36
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:242
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:78
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
PacketAlert_
Definition: decode.h:248
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:130
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:43
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1230
PacketContextData::json_string
char * json_string
Definition: decode.h:242
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:116
output-json-smtp.h
TcpSession_
Definition: stream-tcp-private.h:283
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1260
Signature_::msg
char * msg
Definition: detect.h:736
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4963
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
StreamReassembleLog
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
Definition: stream-tcp-reassemble.c:1969
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:37
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:81
OutputPacketLoggerFunctions_
Definition: output.h:87
SCConfNode_::val
char * val
Definition: conf.h:39
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
LOG_JSON_REFERENCE
#define LOG_JSON_REFERENCE
Definition: output-json-alert.c:87
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:51
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1113
AlertJsonStreamDataCallbackData
Definition: output-json-alert.c:593