Go to the documentation of this file.
71 #define MODULE_NAME "JsonAlertLog"
73 #define LOG_JSON_PAYLOAD BIT_U16(0)
74 #define LOG_JSON_PACKET BIT_U16(1)
75 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
76 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
77 #define LOG_JSON_APP_LAYER BIT_U16(4)
78 #define LOG_JSON_FLOW BIT_U16(5)
79 #define LOG_JSON_HTTP_BODY BIT_U16(6)
80 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
81 #define LOG_JSON_RULE_METADATA BIT_U16(8)
82 #define LOG_JSON_RULE BIT_U16(9)
83 #define LOG_JSON_VERDICT BIT_U16(10)
84 #define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)
85 #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
86 #define LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)
87 #define LOG_JSON_REFERENCE BIT_U16(14)
89 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
90 LOG_JSON_APP_LAYER | \
91 LOG_JSON_RULE_METADATA)
93 #define JSON_BODY_LOGGING \
94 (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD | \
95 LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)
97 #define JSON_STREAM_BUFFER_SIZE 4096
114 static void AlertJsonSourceTarget(
117 SCJbOpenObject(js,
"source");
119 SCJbSetString(js,
"ip", addr->
src_ip);
127 SCJbSetUint(js,
"port", addr->
sp);
131 SCJbSetString(js,
"ip", addr->
dst_ip);
139 SCJbSetUint(js,
"port", addr->
dp);
145 SCJbOpenObject(js,
"target");
147 SCJbSetString(js,
"ip", addr->
dst_ip);
155 SCJbSetUint(js,
"port", addr->
dp);
159 SCJbSetString(js,
"ip", addr->
src_ip);
167 SCJbSetUint(js,
"port", addr->
sp);
174 static void AlertJsonReference(
const PacketAlert *pa, SCJsonBuilder *jb)
181 SCJbOpenArray(jb,
"references");
187 char kv_store[size_needed];
188 snprintf(kv_store, size_needed,
"%s%s", kv->
key, kv->
reference);
189 SCJbAppendString(jb, kv_store);
195 static void AlertJsonMetadata(
const PacketAlert *pa, SCJsonBuilder *js)
205 const char *action =
"allowed";
222 SCJbSetUint(js,
"tx_id", pa->
tx_id);
225 SCJbSetBool(js,
"tx_guessed",
true);
228 SCJbOpenObject(js,
"alert");
230 SCJbSetString(js,
"action", action);
231 SCJbSetUint(js,
"gid", pa->
s->
gid);
232 SCJbSetUint(js,
"signature_id", pa->
s->
id);
233 SCJbSetUint(js,
"rev", pa->
s->
rev);
236 SCJbSetString(js,
"signature", pa->
s->
msg ? pa->
s->
msg :
"");
238 SCJbSetUint(js,
"severity", pa->
s->
prio);
241 SCJbSetUint(js,
"tenant_id", p->
tenant_id);
245 AlertJsonSourceTarget(p, pa, js, addr);
249 AlertJsonReference(pa, js);
253 AlertJsonMetadata(pa, js);
257 SCJbSetString(js,
"rule", pa->
s->
sig_str);
259 if (xff_buffer && xff_buffer[0]) {
260 SCJbSetString(js,
"xff", xff_buffer);
266 static void AlertJsonTunnel(
const Packet *p, SCJsonBuilder *js)
268 if (p->
root == NULL) {
272 SCJbOpenObject(js,
"tunnel");
281 SCJbSetString(js,
"src_ip", addr.
src_ip);
282 SCJbSetUint(js,
"src_port", addr.
sp);
283 SCJbSetString(js,
"dest_ip", addr.
dst_ip);
284 SCJbSetUint(js,
"dest_port", addr.
dp);
285 SCJbSetString(js,
"proto", addr.
proto);
289 SCJbSetUint(js,
"pcap_cnt", pcap_cnt);
311 SCJbSetString(js,
"payload_printable", (
char *)printable_buf);
315 static void AlertAddAppLayer(
316 const Packet *p, SCJsonBuilder *jb,
const uint64_t tx_id,
const uint16_t option_flags)
320 SCJsonBuilderMark mark = { 0, 0, 0 };
321 if (al && al->
LogTx) {
322 void *state = FlowGetAppState(p->
flow);
330 SCJbSetString(jb,
"ts_progress",
332 SCJbSetString(jb,
"tc_progress",
334 SCJbGetMark(jb, &mark);
342 if (!SCWebSocketLogDetails(tx, jb, pp, pb64)) {
343 SCJbRestoreMark(jb, &mark);
349 if (!al->
LogTx(tx, jb)) {
350 SCJbRestoreMark(jb, &mark);
356 void *state = FlowGetAppState(p->
flow);
364 SCJbSetString(jb,
"ts_progress",
366 SCJbSetString(jb,
"tc_progress",
373 SCJbOpenObject(jb,
"http");
385 SCJbGetMark(jb, &mark);
386 SCJbOpenObject(jb,
"smtp");
390 SCJbRestoreMark(jb, &mark);
392 SCJbGetMark(jb, &mark);
393 SCJbOpenObject(jb,
"email");
397 SCJbRestoreMark(jb, &mark);
402 SCJbGetMark(jb, &mark);
403 SCJbOpenObject(jb,
"rpc");
407 SCJbRestoreMark(jb, &mark);
410 SCJbGetMark(jb, &mark);
411 SCJbOpenObject(jb,
"nfs");
415 SCJbRestoreMark(jb, &mark);
419 SCJbGetMark(jb, &mark);
420 SCJbOpenObject(jb,
"smb");
424 SCJbRestoreMark(jb, &mark);
428 SCJbGetMark(jb, &mark);
430 SCJbRestoreMark(jb, &mark);
437 SCJbGetMark(jb, &mark);
438 SCJbOpenObject(jb,
"dcerpc");
439 if (p->
proto == IPPROTO_TCP) {
440 if (!SCDcerpcLogJsonRecordTcp(state, tx, jb)) {
441 SCJbRestoreMark(jb, &mark);
444 if (!SCDcerpcLogJsonRecordUdp(state, tx, jb)) {
445 SCJbRestoreMark(jb, &mark);
458 static void AlertAddFiles(
const Packet *p, SCJsonBuilder *jb,
const uint64_t tx_id)
460 const uint8_t direction =
476 SCJbOpenArray(jb,
"files");
489 static void AlertAddFrame(
490 const Packet *p,
const int64_t frame_id, SCJsonBuilder *jb,
MemBuffer *buffer)
496 if (frames_container == NULL)
501 if (p->
proto == IPPROTO_TCP) {
505 frames = &frames_container->
toserver;
508 frames = &frames_container->
toclient;
514 }
else if (p->
proto == IPPROTO_UDP) {
516 frames = &frames_container->
toserver;
518 frames = &frames_container->
toclient;
535 SCJbOpenObject(jb,
"verdict");
552 SCJbOpenArray(jb,
"reject");
557 SCJbAppendString(jb,
"icmp-prohib");
560 SCJbAppendString(jb,
"tcp-reset");
583 static int AlertJsonStreamDataCallback(
584 void *cb_data,
const uint8_t *input,
const uint32_t input_len,
const uint64_t input_offset)
587 if (input_offset > cbd->
last_re) {
589 cbd->
payload,
"[%" PRIu64
" bytes missing]", input_offset - cbd->
last_re);
594 if (written < input_len)
596 cbd->
last_re = input_offset + input_len;
630 SCJbSetString(jb,
"payload_printable", (
char *)printable_buf);
644 for (
int i = 0; i < p->
alerts.
cnt; i++) {
696 if (PacketIsTunnel(p)) {
697 AlertJsonTunnel(p, jb);
700 if (p->
flow != NULL) {
703 AlertAddAppLayer(p, jb, pa->
tx_id, json_output_ctx->
flags);
707 AlertAddFiles(p, jb, pa->
tx_id);
714 SCJbSetString(jb,
"direction",
"to_server");
716 SCJbSetString(jb,
"direction",
"to_client");
720 SCJbOpenObject(jb,
"flow");
723 SCJbSetString(jb,
"src_ip", addr.
dst_ip);
724 SCJbSetString(jb,
"dest_ip", addr.
src_ip);
726 SCJbSetUint(jb,
"src_port", addr.
dp);
727 SCJbSetUint(jb,
"dest_port", addr.
sp);
730 SCJbSetString(jb,
"src_ip", addr.
src_ip);
731 SCJbSetString(jb,
"dest_ip", addr.
dst_ip);
733 SCJbSetUint(jb,
"src_port", addr.
sp);
734 SCJbSetUint(jb,
"dest_port", addr.
dp);
742 if (json_output_ctx->
flags &
744 int stream = (p->
proto == IPPROTO_TCP) ?
751 if (stream && p->
flow != NULL) {
752 const bool stream_data_logged =
753 AlertJsonStreamData(json_output_ctx, aft, p->
flow, p, jb);
756 AlertAddPayload(json_output_ctx, jb, p);
760 AlertAddPayload(json_output_ctx, jb, p);
763 SCJbSetUint(jb,
"stream", stream);
790 SCJsonBuilder *packetjs =
809 for (
int i = 0; i < p->
alerts.
cnt; i++) {
822 if (PacketIsTunnel(p)) {
823 AlertJsonTunnel(p, jb);
859 if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
860 return AlertJson(
tv, aft, p);
862 return AlertJsonDecoderEvent(
tv, aft, p);
872 static TmEcode JsonAlertLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
878 if (initdata == NULL)
880 SCLogDebug(
"Error getting context for EveLogAlert. \"initdata\" argument NULL");
926 static void JsonAlertLogDeInitCtxSub(
OutputCtx *output_ctx)
928 SCLogDebug(
"cleaning up sub output_ctx %p", output_ctx);
932 if (json_output_ctx != NULL) {
934 if (xff_cfg != NULL) {
942 static void SetFlag(
const SCConfNode *conf,
const char *
name, uint16_t flag, uint16_t *out_flags)
946 if (setting != NULL) {
957 static bool warn_no_meta =
false;
964 if (metadata != NULL) {
993 static const char *deprecated_flags[] = {
"http",
"tls",
"ssh",
"smtp",
"dnp3",
"app-layer",
995 for (
int i = 0; deprecated_flags[i] != NULL; i++) {
997 SCLogWarning(
"Found deprecated eve-log.alert flag \"%s\", this flag has no effect",
998 deprecated_flags[i]);
1004 if (payload_buffer_value != NULL) {
1008 "payload-buffer-size - %s. Killing engine",
1009 payload_buffer_value);
1012 payload_buffer_size = value;
1018 SCLogWarning(
"HTTP body logging has been configured, however, "
1019 "metadata logging has not been enabled. HTTP body logging will be "
1022 warn_no_meta =
true;
1040 if (
likely(xff_cfg != NULL)) {
1063 if (
unlikely(json_output_ctx == NULL)) {
1068 json_output_ctx->
eve_ctx = ajt;
1070 JsonAlertLogSetupMetadata(json_output_ctx, conf);
1071 json_output_ctx->
xff_cfg = JsonAlertLogGetXffCfg(conf);
1072 if (json_output_ctx->
xff_cfg == NULL) {
1076 output_ctx->
data = json_output_ctx;
1077 output_ctx->
DeInit = JsonAlertLogDeInitCtxSub;
1079 result.
ctx = output_ctx;
1084 if (json_output_ctx != NULL) {
1087 if (output_ctx != NULL) {
1098 .FlushFunc = JsonAlertFlush,
1099 .ConditionFunc = JsonAlertLogCondition,
1100 .ThreadInitFunc = JsonAlertLogThreadInit,
1101 .ThreadDeinitFunc = JsonAlertLogThreadDeinit,
1102 .ThreadExitPrintStatsFunc = NULL,
1106 JsonAlertLogInitCtxSub, &output_logger_functions);
bool PacketCheckAction(const Packet *p, const uint8_t a)
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
int SCConfValIsTrue(const char *val)
Check if a value is true.
#define PACKET_ALERT_FLAG_STREAM_MATCH
const struct Signature_ * s
const char * AppLayerParserGetStateNameById(uint8_t ipproto, AppProto alproto, const int id, const uint8_t direction)
#define PACKET_ALERT_FLAG_TX
void EveAddFlow(Flow *f, SCJsonBuilder *js)
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
void EveHttpLogJSONBodyPrintable(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
HttpXFFCfg * parent_xff_cfg
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
void EveAddAppProto(Flow *f, SCJsonBuilder *js)
#define SIG_FLAG_DEST_IS_TARGET
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
const JsonAddrInfo json_addr_info_zero
#define FLOW_PKT_TOSERVER
#define ACTION_REJECT_ANY
int SCConfValIsFalse(const char *val)
Check if a value is false.
#define ACTION_DROP_REJECT
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
bool SCConfNodeHasChildren(const SCConfNode *node)
Check if a node has any children.
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
char * PcapLogGetFilename(void)
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
size_t strlcpy(char *dst, const char *src, size_t siz)
#define JSON_BODY_LOGGING
#define ACTION_REJECT_DST
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
OutputJsonThreadCtx * ctx
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
#define JB_SET_STRING(jb, key, val)
#define PKT_IS_TOSERVER(p)
#define LOG_JSON_APP_LAYER
#define LOG_JSON_WEBSOCKET_PAYLOAD
Frame * FrameGetById(Frames *frames, const int64_t id)
#define STREAM_BASE_OFFSET(stream)
void EveAddVerdict(SCJsonBuilder *jb, const Packet *p)
Build verdict object.
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
DetectReference * references
Per thread variable structure.
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, SCJsonBuilder *jb)
const char * PktSrcToString(enum PktSrcEnum pkt_src)
struct JsonAlertLogThread_ JsonAlertLogThread
#define PACKET_ALERT_FLAG_TX_GUESSED
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature reference list.
EveJsonSimpleAppLayerLogger * SCEveJsonSimpleGetLogger(AppProto alproto)
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
FramesContainer * AppLayerFramesGetContainer(Flow *f)
#define JSON_STREAM_BUFFER_SIZE
#define LOG_JSON_PAYLOAD_BASE64
#define SIG_FLAG_HAS_TARGET
#define LOG_JSON_PAYLOAD_LENGTH
#define SIG_FLAG_SRC_IS_TARGET
uint32_t payload_buffer_size
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
#define FLOW_PKT_TOCLIENT
struct DetectReference_ * next
#define LOG_JSON_TAGGED_PACKETS
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
char proto[JSON_PROTO_LEN]
#define ACTION_REJECT_BOTH
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
#define PACKET_ALERT_RATE_FILTER_MODIFIED
bool EveEmailAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64
void(* DeInit)(struct OutputCtx_ *)
char pcap_filename[PATH_MAX]
EveJsonSimpleTxLogFunc LogTx
AlertJsonOutputCtx * json_output_ctx
void MemBufferFree(MemBuffer *buffer)
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
int ParseSizeStringU32(const char *size, uint32_t *res)
char src_ip[JSON_ADDR_LEN]
DetectMetadataHead * metadata
#define PACKET_ALERT_FLAG_FRAME
#define SCLogError(...)
Macro used to log ERROR messages.
void EveHttpLogJSONBodyBase64(SCJsonBuilder *js, Flow *f, uint64_t tx_id)
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
MemBuffer * payload_buffer
#define LOG_JSON_HTTP_BODY_BASE64
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, SCJsonBuilder *jb, MemBuffer *buffer)
log a single frame
char dst_ip[JSON_ADDR_LEN]
#define LOG_JSON_HTTP_BODY
#define METADATA_DEFAULTS
int EngineModeIsIPS(void)
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
void DetectEngineSetParseMetadata(void)
AppProto alproto
application level protocol
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
#define LOG_JSON_RULE_METADATA
#define PACKET_ALERT_FLAG_STATE_MATCH
#define DEBUG_VALIDATE_BUG_ON(exp)
#define LOG_JSON_REFERENCE
MemBuffer * MemBufferCreateNew(uint32_t size)
void JsonAlertLogRegister(void)