suricata
output-json-alert.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs alerts in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 
43 #include "detect-parse.h"
44 #include "detect-engine.h"
45 #include "detect-engine-mpm.h"
46 #include "detect-reference.h"
47 #include "detect-metadata.h"
48 #include "app-layer-parser.h"
49 #include "app-layer-dnp3.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
53 #include "app-layer-frames.h"
55 #include "util-syslog.h"
56 #include "util-logopenfile.h"
57 #include "log-pcap.h"
58 
59 #include "output.h"
60 #include "output-json.h"
61 #include "output-json-alert.h"
62 #include "output-json-dnp3.h"
63 #include "output-json-dns.h"
64 #include "output-json-http.h"
65 #include "output-json-tls.h"
66 #include "output-json-ssh.h"
67 #include "rust.h"
68 #include "output-json-smtp.h"
70 #include "output-json-nfs.h"
71 #include "output-json-smb.h"
72 #include "output-json-flow.h"
73 #include "output-json-sip.h"
74 #include "output-json-rfb.h"
75 #include "output-json-mqtt.h"
76 #include "output-json-ike.h"
77 #include "output-json-modbus.h"
78 #include "output-json-frame.h"
79 #include "output-json-quic.h"
80 
81 #include "util-byte.h"
82 #include "util-privs.h"
83 #include "util-print.h"
84 #include "util-proto-name.h"
85 #include "util-optimize.h"
86 #include "util-buffer.h"
87 #include "util-validate.h"
88 
89 #define MODULE_NAME "JsonAlertLog"
90 
91 #define LOG_JSON_PAYLOAD BIT_U16(0)
92 #define LOG_JSON_PACKET BIT_U16(1)
93 #define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2)
94 #define LOG_JSON_TAGGED_PACKETS BIT_U16(3)
95 #define LOG_JSON_APP_LAYER BIT_U16(4)
96 #define LOG_JSON_FLOW BIT_U16(5)
97 #define LOG_JSON_HTTP_BODY BIT_U16(6)
98 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
99 #define LOG_JSON_RULE_METADATA BIT_U16(8)
100 #define LOG_JSON_RULE BIT_U16(9)
101 
102 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
103  LOG_JSON_APP_LAYER | \
104  LOG_JSON_RULE_METADATA)
105 
106 #define JSON_BODY_LOGGING (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
107 
108 #define JSON_STREAM_BUFFER_SIZE 4096
109 
110 typedef struct AlertJsonOutputCtx_ {
112  uint16_t flags;
118 
119 typedef struct JsonAlertLogThread_ {
124 
125 /* Callback function to pack payload contents from a stream into a buffer
126  * so we can report them in JSON output. */
127 static int AlertJsonDumpStreamSegmentCallback(
128  const Packet *p, TcpSegment *seg, void *data, const uint8_t *buf, uint32_t buflen)
129 {
130  MemBuffer *payload = (MemBuffer *)data;
131  MemBufferWriteRaw(payload, buf, buflen);
132 
133  return 1;
134 }
135 
136 static void AlertJsonTls(const Flow *f, JsonBuilder *js)
137 {
138  SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
139  if (ssl_state) {
140  jb_open_object(js, "tls");
141 
142  JsonTlsLogJSONExtended(js, ssl_state);
143 
144  jb_close(js);
145  }
146 
147  return;
148 }
149 
150 static void AlertJsonSsh(const Flow *f, JsonBuilder *js)
151 {
152  void *ssh_state = FlowGetAppState(f);
153  if (ssh_state) {
154  JsonBuilderMark mark = { 0, 0, 0 };
155  void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0);
156  jb_get_mark(js, &mark);
157  jb_open_object(js, "ssh");
158  if (rs_ssh_log_json(tx_ptr, js)) {
159  jb_close(js);
160  } else {
161  jb_restore_mark(js, &mark);
162  }
163  }
164 
165  return;
166 }
167 
168 static void AlertJsonHttp2(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
169 {
170  void *h2_state = FlowGetAppState(f);
171  if (h2_state) {
172  void *tx_ptr = rs_http2_state_get_tx(h2_state, tx_id);
173  if (tx_ptr) {
174  JsonBuilderMark mark = { 0, 0, 0 };
175  jb_get_mark(js, &mark);
176  jb_open_object(js, "http");
177  if (rs_http2_log_json(tx_ptr, js)) {
178  jb_close(js);
179  } else {
180  jb_restore_mark(js, &mark);
181  }
182  }
183  }
184 
185  return;
186 }
187 
188 static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
189 {
190  DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
191  if (dnp3_state) {
193  dnp3_state, tx_id);
194  if (tx) {
195  JsonBuilderMark mark = { 0, 0, 0 };
196  jb_get_mark(js, &mark);
197  bool logged = false;
198  jb_open_object(js, "dnp3");
199  if (tx->has_request && tx->request_done) {
200  jb_open_object(js, "request");
201  JsonDNP3LogRequest(js, tx);
202  jb_close(js);
203  logged = true;
204  }
205  if (tx->has_response && tx->response_done) {
206  jb_open_object(js, "response");
207  JsonDNP3LogResponse(js, tx);
208  jb_close(js);
209  logged = true;
210  }
211  if (logged) {
212  /* Close dnp3 object. */
213  jb_close(js);
214  } else {
215  jb_restore_mark(js, &mark);
216  }
217  }
218  }
219 }
220 
221 static void AlertJsonDns(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
222 {
223  void *dns_state = (void *)FlowGetAppState(f);
224  if (dns_state) {
225  void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
226  dns_state, tx_id);
227  if (txptr) {
228  jb_open_object(js, "dns");
229  JsonBuilder *qjs = JsonDNSLogQuery(txptr, tx_id);
230  if (qjs != NULL) {
231  jb_set_object(js, "query", qjs);
232  jb_free(qjs);
233  }
234  JsonBuilder *ajs = JsonDNSLogAnswer(txptr, tx_id);
235  if (ajs != NULL) {
236  jb_set_object(js, "answer", ajs);
237  jb_free(ajs);
238  }
239  jb_close(js);
240  }
241  }
242  return;
243 }
244 
245 static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
246 {
247  void *snmp_state = (void *)FlowGetAppState(f);
248  if (snmp_state != NULL) {
249  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_SNMP, snmp_state,
250  tx_id);
251  if (tx != NULL) {
252  jb_open_object(js, "snmp");
253  rs_snmp_log_json_response(js, snmp_state, tx);
254  jb_close(js);
255  }
256  }
257 }
258 
259 static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
260 {
261  void *rdp_state = (void *)FlowGetAppState(f);
262  if (rdp_state != NULL) {
263  void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state,
264  tx_id);
265  if (tx != NULL) {
266  JsonBuilderMark mark = { 0, 0, 0 };
267  jb_get_mark(js, &mark);
268  if (!rs_rdp_to_json(tx, js)) {
269  jb_restore_mark(js, &mark);
270  }
271  }
272  }
273 }
274 
275 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
276  JsonBuilder *js, JsonAddrInfo *addr)
277 {
278  jb_open_object(js, "source");
279  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
280  jb_set_string(js, "ip", addr->src_ip);
281  switch (p->proto) {
282  case IPPROTO_ICMP:
283  case IPPROTO_ICMPV6:
284  break;
285  case IPPROTO_UDP:
286  case IPPROTO_TCP:
287  case IPPROTO_SCTP:
288  jb_set_uint(js, "port", addr->sp);
289  break;
290  }
291  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
292  jb_set_string(js, "ip", addr->dst_ip);
293  switch (p->proto) {
294  case IPPROTO_ICMP:
295  case IPPROTO_ICMPV6:
296  break;
297  case IPPROTO_UDP:
298  case IPPROTO_TCP:
299  case IPPROTO_SCTP:
300  jb_set_uint(js, "port", addr->dp);
301  break;
302  }
303  }
304  jb_close(js);
305 
306  jb_open_object(js, "target");
307  if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
308  jb_set_string(js, "ip", addr->dst_ip);
309  switch (p->proto) {
310  case IPPROTO_ICMP:
311  case IPPROTO_ICMPV6:
312  break;
313  case IPPROTO_UDP:
314  case IPPROTO_TCP:
315  case IPPROTO_SCTP:
316  jb_set_uint(js, "port", addr->dp);
317  break;
318  }
319  } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
320  jb_set_string(js, "ip", addr->src_ip);
321  switch (p->proto) {
322  case IPPROTO_ICMP:
323  case IPPROTO_ICMPV6:
324  break;
325  case IPPROTO_UDP:
326  case IPPROTO_TCP:
327  case IPPROTO_SCTP:
328  jb_set_uint(js, "port", addr->sp);
329  break;
330  }
331  }
332  jb_close(js);
333 }
334 
335 static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
336  const PacketAlert *pa, JsonBuilder *js)
337 {
338  if (pa->s->metadata && pa->s->metadata->json_str) {
339  jb_set_formatted(js, pa->s->metadata->json_str);
340  }
341 }
342 
343 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js,
344  uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
345 {
346  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
347  const char *action = "allowed";
348  /* use packet action if rate_filter modified the action */
350  if (PacketTestAction(
352  action = "blocked";
353  }
354  } else {
356  action = "blocked";
357  } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
358  action = "blocked";
359  }
360  }
361 
362  /* Add tx_id to root element for correlation with other events. */
363  /* json_object_del(js, "tx_id"); */
364  if (pa->flags & PACKET_ALERT_FLAG_TX) {
365  jb_set_uint(js, "tx_id", pa->tx_id);
366  }
367 
368  jb_open_object(js, "alert");
369 
370  jb_set_string(js, "action", action);
371  jb_set_uint(js, "gid", pa->s->gid);
372  jb_set_uint(js, "signature_id", pa->s->id);
373  jb_set_uint(js, "rev", pa->s->rev);
374  /* TODO: JsonBuilder should handle unprintable characters like
375  * SCJsonString. */
376  jb_set_string(js, "signature", pa->s->msg ? pa->s->msg: "");
377  jb_set_string(js, "category", pa->s->class_msg ? pa->s->class_msg: "");
378  jb_set_uint(js, "severity", pa->s->prio);
379 
380  if (p->tenant_id > 0) {
381  jb_set_uint(js, "tenant_id", p->tenant_id);
382  }
383 
384  if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
385  AlertJsonSourceTarget(p, pa, js, addr);
386  }
387 
388  if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
389  AlertJsonMetadata(json_output_ctx, pa, js);
390  }
391 
392  if (flags & LOG_JSON_RULE) {
393  jb_set_string(js, "rule", pa->s->sig_str);
394  }
395  if (xff_buffer && xff_buffer[0]) {
396  jb_set_string(js, "xff", xff_buffer);
397  }
398 
399  jb_close(js);
400 }
401 
402 static void AlertJsonTunnel(const Packet *p, JsonBuilder *js)
403 {
404  if (p->root == NULL) {
405  return;
406  }
407 
408  jb_open_object(js, "tunnel");
409 
410  /* get a lock to access root packet fields */
411  SCMutex *m = &p->root->tunnel_mutex;
412 
413  enum PktSrcEnum pkt_src;
414  uint64_t pcap_cnt;
416  SCMutexLock(m);
417  JsonAddrInfoInit(p->root, 0, &addr);
418  pcap_cnt = p->root->pcap_cnt;
419  pkt_src = p->root->pkt_src;
420  SCMutexUnlock(m);
421 
422  jb_set_string(js, "src_ip", addr.src_ip);
423  jb_set_uint(js, "src_port", addr.sp);
424  jb_set_string(js, "dest_ip", addr.dst_ip);
425  jb_set_uint(js, "dest_port", addr.dp);
426  jb_set_string(js, "proto", addr.proto);
427 
428  jb_set_uint(js, "depth", p->recursion_level);
429  if (pcap_cnt != 0) {
430  jb_set_uint(js, "pcap_cnt", pcap_cnt);
431  }
432  jb_set_string(js, "pkt_src", PktSrcToString(pkt_src));
433  jb_close(js);
434 }
435 
436 static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js, const Packet *p)
437 {
438  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
439  jb_set_base64(js, "payload", p->payload, p->payload_len);
440  }
441 
442  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
443  uint8_t printable_buf[p->payload_len + 1];
444  uint32_t offset = 0;
445  PrintStringsToBuffer(printable_buf, &offset,
446  p->payload_len + 1,
447  p->payload, p->payload_len);
448  printable_buf[p->payload_len] = '\0';
449  jb_set_string(js, "payload_printable", (char *)printable_buf);
450  }
451 }
452 
453 static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
454  const uint64_t tx_id, const uint16_t option_flags)
455 {
457  JsonBuilderMark mark = { 0, 0, 0 };
458  switch (proto) {
459  case ALPROTO_HTTP1:
460  // TODO: Could result in an empty http object being logged.
461  jb_open_object(jb, "http");
462  if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
463  if (option_flags & LOG_JSON_HTTP_BODY) {
464  EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
465  }
466  if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
467  EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
468  }
469  }
470  jb_close(jb);
471  break;
472  case ALPROTO_TLS:
473  AlertJsonTls(p->flow, jb);
474  break;
475  case ALPROTO_SSH:
476  AlertJsonSsh(p->flow, jb);
477  break;
478  case ALPROTO_SMTP:
479  jb_get_mark(jb, &mark);
480  jb_open_object(jb, "smtp");
481  if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
482  jb_close(jb);
483  } else {
484  jb_restore_mark(jb, &mark);
485  }
486  jb_get_mark(jb, &mark);
487  jb_open_object(jb, "email");
488  if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
489  jb_close(jb);
490  } else {
491  jb_restore_mark(jb, &mark);
492  }
493  break;
494  case ALPROTO_NFS:
495  /* rpc */
496  jb_get_mark(jb, &mark);
497  jb_open_object(jb, "rpc");
498  if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
499  jb_close(jb);
500  } else {
501  jb_restore_mark(jb, &mark);
502  }
503  /* nfs */
504  jb_get_mark(jb, &mark);
505  jb_open_object(jb, "nfs");
506  if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
507  jb_close(jb);
508  } else {
509  jb_restore_mark(jb, &mark);
510  }
511  break;
512  case ALPROTO_SMB:
513  jb_get_mark(jb, &mark);
514  jb_open_object(jb, "smb");
515  if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
516  jb_close(jb);
517  } else {
518  jb_restore_mark(jb, &mark);
519  }
520  break;
521  case ALPROTO_SIP:
522  JsonSIPAddMetadata(jb, p->flow, tx_id);
523  break;
524  case ALPROTO_RFB:
525  jb_get_mark(jb, &mark);
526  if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) {
527  jb_restore_mark(jb, &mark);
528  }
529  break;
530  case ALPROTO_FTPDATA:
531  jb_get_mark(jb, &mark);
532  jb_open_object(jb, "ftp_data");
533  EveFTPDataAddMetadata(p->flow, jb);
534  jb_close(jb);
535  break;
536  case ALPROTO_DNP3:
537  AlertJsonDnp3(p->flow, tx_id, jb);
538  break;
539  case ALPROTO_HTTP2:
540  AlertJsonHttp2(p->flow, tx_id, jb);
541  break;
542  case ALPROTO_DNS:
543  AlertJsonDns(p->flow, tx_id, jb);
544  break;
545  case ALPROTO_IKE:
546  jb_get_mark(jb, &mark);
547  if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
548  jb_restore_mark(jb, &mark);
549  }
550  break;
551  case ALPROTO_MQTT:
552  jb_get_mark(jb, &mark);
553  if (!JsonMQTTAddMetadata(p->flow, tx_id, jb)) {
554  jb_restore_mark(jb, &mark);
555  }
556  break;
557  case ALPROTO_QUIC:
558  jb_get_mark(jb, &mark);
559  if (!JsonQuicAddMetadata(p->flow, tx_id, jb)) {
560  jb_restore_mark(jb, &mark);
561  }
562  break;
563  case ALPROTO_SNMP:
564  AlertJsonSNMP(p->flow, tx_id, jb);
565  break;
566  case ALPROTO_RDP:
567  AlertJsonRDP(p->flow, tx_id, jb);
568  break;
569  case ALPROTO_MODBUS:
570  jb_get_mark(jb, &mark);
571  if (!JsonModbusAddMetadata(p->flow, tx_id, jb)) {
572  jb_restore_mark(jb, &mark);
573  }
574  break;
575  default:
576  break;
577  }
578 }
579 
580 static void AlertAddFiles(const Packet *p, JsonBuilder *jb, const uint64_t tx_id)
581 {
583  p->flowflags & FLOW_PKT_TOSERVER ? STREAM_TOSERVER:STREAM_TOCLIENT);
584  if (ffc != NULL) {
585  File *file = ffc->head;
586  bool isopen = false;
587  while (file) {
588  if (tx_id == file->txid) {
589  if (!isopen) {
590  isopen = true;
591  jb_open_array(jb, "files");
592  }
593  jb_start_object(jb);
594  EveFileInfo(jb, file, file->flags & FILE_STORED);
595  jb_close(jb);
596  }
597  file = file->next;
598  }
599  if (isopen) {
600  jb_close(jb);
601  }
602  }
603 }
604 
605 static void AlertAddFrame(const Packet *p, JsonBuilder *jb, const int64_t frame_id)
606 {
607  if (p->flow == NULL || (p->proto == IPPROTO_TCP && p->flow->protoctx == NULL))
608  return;
609 
610  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
611  if (frames_container == NULL)
612  return;
613 
614  Frames *frames = NULL;
615  TcpStream *stream = NULL;
616  if (p->proto == IPPROTO_TCP) {
617  TcpSession *ssn = p->flow->protoctx;
618  if (PKT_IS_TOSERVER(p)) {
619  stream = &ssn->client;
620  frames = &frames_container->toserver;
621  } else {
622  stream = &ssn->server;
623  frames = &frames_container->toclient;
624  }
625  Frame *frame = FrameGetById(frames, frame_id);
626  if (frame != NULL) {
627  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb);
628  }
629  } else if (p->proto == IPPROTO_UDP) {
630  if (PKT_IS_TOSERVER(p)) {
631  frames = &frames_container->toserver;
632  } else {
633  frames = &frames_container->toclient;
634  }
635  Frame *frame = FrameGetById(frames, frame_id);
636  if (frame != NULL) {
637  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb);
638  }
639  }
640 }
641 
642 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
643 {
644  MemBuffer *payload = aft->payload_buffer;
645  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
646 
647  if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
648  return TM_ECODE_OK;
649 
650  for (int i = 0; i < p->alerts.cnt; i++) {
651  const PacketAlert *pa = &p->alerts.alerts[i];
652  if (unlikely(pa->s == NULL)) {
653  continue;
654  }
655 
656  /* First initialize the address info (5-tuple). */
658  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
659 
660  /* Check for XFF, overwriting address info if needed. */
661  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
662  json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
663  int have_xff_ip = 0;
664  char xff_buffer[XFF_MAXLEN];
665  xff_buffer[0] = 0;
666  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
668  if (pa->flags & PACKET_ALERT_FLAG_TX) {
669  have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
670  xff_buffer, XFF_MAXLEN);
671  } else {
672  have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
673  XFF_MAXLEN);
674  }
675  }
676 
677  if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
678  if (p->flowflags & FLOW_PKT_TOCLIENT) {
679  strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
680  } else {
681  strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
682  }
683  /* Clear have_xff_ip so the xff field does not get
684  * logged below. */
685  have_xff_ip = false;
686  }
687  if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
688  // reset xff_buffer so as not to log it
689  xff_buffer[0] = 0;
690  }
691  }
692 
693  JsonBuilder *jb =
694  CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr, json_output_ctx->eve_ctx);
695  if (unlikely(jb == NULL))
696  return TM_ECODE_OK;
697 
698 
699  /* alert */
700  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);
701 
702  if (IS_TUNNEL_PKT(p)) {
703  AlertJsonTunnel(p, jb);
704  }
705 
706  if (p->flow != NULL) {
707  if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
708  AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
709  }
710  /* including fileinfo data is configured by the metadata setting */
711  if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
712  AlertAddFiles(p, jb, pa->tx_id);
713  }
714 
715  EveAddAppProto(p->flow, jb);
716  if (json_output_ctx->flags & LOG_JSON_FLOW) {
717  jb_open_object(jb, "flow");
718  EveAddFlow(p->flow, jb);
719  jb_close(jb);
720  }
721  }
722 
723  /* payload */
724  if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
725  int stream = (p->proto == IPPROTO_TCP) ?
727  1 : 0) : 0;
728 
729  /* Is this a stream? If so, pack part of it into the payload field */
730  if (stream) {
731  uint8_t flag;
732 
733  MemBufferReset(payload);
734 
735  if (p->flowflags & FLOW_PKT_TOSERVER) {
736  flag = STREAM_DUMP_TOCLIENT;
737  } else {
738  flag = STREAM_DUMP_TOSERVER;
739  }
740 
741  StreamSegmentForEach((const Packet *)p, flag,
742  AlertJsonDumpStreamSegmentCallback,
743  (void *)payload);
744  if (payload->offset) {
745  if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
746  jb_set_base64(jb, "payload", payload->buffer, payload->offset);
747  }
748 
749  if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
750  uint8_t printable_buf[payload->offset + 1];
751  uint32_t offset = 0;
752  PrintStringsToBuffer(printable_buf, &offset,
753  sizeof(printable_buf),
754  payload->buffer, payload->offset);
755  jb_set_string(jb, "payload_printable", (char *)printable_buf);
756  }
757  } else if (p->payload_len) {
758  /* Fallback on packet payload */
759  AlertAddPayload(json_output_ctx, jb, p);
760  }
761  } else {
762  /* This is a single packet and not a stream */
763  AlertAddPayload(json_output_ctx, jb, p);
764  }
765 
766  jb_set_uint(jb, "stream", stream);
767  }
768 
769  if (pa->flags & PACKET_ALERT_FLAG_FRAME) {
770  AlertAddFrame(p, jb, pa->frame_id);
771  }
772 
773  /* base64-encoded full packet */
774  if (json_output_ctx->flags & LOG_JSON_PACKET) {
775  EvePacket(p, jb, 0);
776  }
777 
779  if (pcap_filename != NULL) {
780  jb_set_string(jb, "capture_file", pcap_filename);
781  }
782 
783  OutputJsonBuilderBuffer(jb, aft->ctx);
784  jb_free(jb);
785  }
786 
787  if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
789  JsonBuilder *packetjs =
790  CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
791  if (unlikely(packetjs != NULL)) {
792  EvePacket(p, packetjs, 0);
793  OutputJsonBuilderBuffer(packetjs, aft->ctx);
794  jb_free(packetjs);
795  }
796  }
797 
798  return TM_ECODE_OK;
799 }
800 
801 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
802 {
803  AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
804  char timebuf[64];
805 
806  if (p->alerts.cnt == 0)
807  return TM_ECODE_OK;
808 
809  CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
810 
811  for (int i = 0; i < p->alerts.cnt; i++) {
812  const PacketAlert *pa = &p->alerts.alerts[i];
813  if (unlikely(pa->s == NULL)) {
814  continue;
815  }
816 
817  JsonBuilder *jb = jb_new_object();
818  if (unlikely(jb == NULL)) {
819  return TM_ECODE_OK;
820  }
821 
822  /* just the timestamp, no tuple */
823  jb_set_string(jb, "timestamp", timebuf);
824 
825  AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL, NULL);
826 
827  OutputJsonBuilderBuffer(jb, aft->ctx);
828  jb_free(jb);
829  }
830 
831  return TM_ECODE_OK;
832 }
833 
834 static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
835 {
836  JsonAlertLogThread *aft = thread_data;
837 
838  if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
839  return AlertJson(tv, aft, p);
840  } else if (p->alerts.cnt > 0) {
841  return AlertJsonDecoderEvent(tv, aft, p);
842  }
843  return 0;
844 }
845 
846 static int JsonAlertLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
847 {
848  if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
849  return TRUE;
850  }
851  return FALSE;
852 }
853 
854 static TmEcode JsonAlertLogThreadInit(ThreadVars *t, const void *initdata, void **data)
855 {
857  if (unlikely(aft == NULL))
858  return TM_ECODE_FAILED;
859 
860  if (initdata == NULL)
861  {
862  SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
863  goto error_exit;
864  }
865 
866  /** Use the Output Context (file pointer and mutex) */
867  AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
868 
869  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
870  if (aft->payload_buffer == NULL) {
871  goto error_exit;
872  }
873  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
874  if (!aft->ctx) {
875  goto error_exit;
876  }
877 
878  aft->json_output_ctx = json_output_ctx;
879 
880  *data = (void *)aft;
881  return TM_ECODE_OK;
882 
883 error_exit:
884  if (aft->payload_buffer != NULL) {
886  }
887  SCFree(aft);
888  return TM_ECODE_FAILED;
889 }
890 
891 static TmEcode JsonAlertLogThreadDeinit(ThreadVars *t, void *data)
892 {
893  JsonAlertLogThread *aft = (JsonAlertLogThread *)data;
894  if (aft == NULL) {
895  return TM_ECODE_OK;
896  }
897 
899  FreeEveThreadCtx(aft->ctx);
900 
901  /* clear memory */
902  memset(aft, 0, sizeof(JsonAlertLogThread));
903 
904  SCFree(aft);
905  return TM_ECODE_OK;
906 }
907 
908 static void JsonAlertLogDeInitCtxSub(OutputCtx *output_ctx)
909 {
910  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
911 
912  AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *) output_ctx->data;
913 
914  if (json_output_ctx != NULL) {
915  HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
916  if (xff_cfg != NULL) {
917  SCFree(xff_cfg);
918  }
919  SCFree(json_output_ctx);
920  }
921  SCFree(output_ctx);
922 }
923 
924 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
925 {
926  DEBUG_VALIDATE_BUG_ON(conf == NULL);
927  const char *setting = ConfNodeLookupChildValue(conf, name);
928  if (setting != NULL) {
929  if (ConfValIsTrue(setting)) {
930  *out_flags |= flag;
931  } else {
932  *out_flags &= ~flag;
933  }
934  }
935 }
936 
937 #define DEFAULT_LOG_FILENAME "alert.json"
938 
939 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
940  ConfNode *conf)
941 {
942  static bool warn_no_meta = false;
943  uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
944  uint16_t flags = METADATA_DEFAULTS;
945 
946  if (conf != NULL) {
947  /* Check for metadata to enable/disable. */
948  ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
949  if (metadata != NULL) {
950  if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
952  } else if (ConfNodeHasChildren(metadata)) {
953  ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
954  if (rule_metadata) {
955  SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
956  SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
957  &flags);
958  }
959  SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
960  SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
961  }
962  }
963 
964  /* Non-metadata toggles. */
965  SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
966  SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
967  SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
968  SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
969  SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
970  SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
971 
972  /* Check for obsolete configuration flags to enable specific
973  * protocols. These are now just aliases for enabling
974  * app-layer logging. */
975  SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
976  SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
977  SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
978  SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
979  SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
980 
981  /* And check for obsolete configuration flags for enabling
982  * app-layer and flow as these have been moved under the
983  * metadata key. */
984  SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
985  SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
986 
987  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
988 
989  if (payload_buffer_value != NULL) {
990  uint32_t value;
991  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
992  SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
993  "payload-buffer-size - %s. Killing engine",
994  payload_buffer_value);
995  exit(EXIT_FAILURE);
996  } else {
997  payload_buffer_size = value;
998  }
999  }
1000 
1001  if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
1002  if (((flags & LOG_JSON_APP_LAYER) == 0)) {
1003  SCLogWarning(SC_WARN_ALERT_CONFIG, "HTTP body logging has been configured, however, "
1004  "metadata logging has not been enabled. HTTP body logging will be disabled.");
1006  warn_no_meta = true;
1007  }
1008  }
1009 
1010  json_output_ctx->payload_buffer_size = payload_buffer_size;
1011  }
1012 
1013  if (flags & LOG_JSON_RULE_METADATA) {
1015  }
1016 
1017  json_output_ctx->flags |= flags;
1018 }
1019 
1020 static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
1021 {
1022  HttpXFFCfg *xff_cfg = NULL;
1023  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
1024  xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1025  if (likely(xff_cfg != NULL)) {
1026  HttpXFFGetCfg(conf, xff_cfg);
1027  }
1028  }
1029  return xff_cfg;
1030 }
1031 
1032 /**
1033  * \brief Create a new LogFileCtx for "fast" output style.
1034  * \param conf The configuration node for this output.
1035  * \return A LogFileCtx pointer on success, NULL on failure.
1036  */
1037 static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
1038 {
1039  OutputInitResult result = { NULL, false };
1040  OutputJsonCtx *ajt = parent_ctx->data;
1041  AlertJsonOutputCtx *json_output_ctx = NULL;
1042 
1043  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
1044  if (unlikely(output_ctx == NULL))
1045  return result;
1046 
1047  json_output_ctx = SCMalloc(sizeof(AlertJsonOutputCtx));
1048  if (unlikely(json_output_ctx == NULL)) {
1049  goto error;
1050  }
1051  memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
1052 
1053  json_output_ctx->file_ctx = ajt->file_ctx;
1054  json_output_ctx->eve_ctx = ajt;
1055 
1056  JsonAlertLogSetupMetadata(json_output_ctx, conf);
1057  json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
1058  if (json_output_ctx->xff_cfg == NULL) {
1059  json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
1060  }
1061 
1062  output_ctx->data = json_output_ctx;
1063  output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
1064 
1065  result.ctx = output_ctx;
1066  result.ok = true;
1067  return result;
1068 
1069 error:
1070  if (json_output_ctx != NULL) {
1071  SCFree(json_output_ctx);
1072  }
1073  if (output_ctx != NULL) {
1074  SCFree(output_ctx);
1075  }
1076 
1077  return result;
1078 }
1079 
1081 {
1083  "eve-log.alert", JsonAlertLogInitCtxSub, JsonAlertLogger,
1084  JsonAlertLogCondition, JsonAlertLogThreadInit, JsonAlertLogThreadDeinit,
1085  NULL);
1086 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
util-byte.h
tm-threads.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, const Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb)
log a single frame
Definition: output-json-frame.c:218
Packet_::proto
uint8_t proto
Definition: decode.h:464
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:243
TcpStream_
Definition: stream-tcp-private.h:109
FileContainer_
Definition: util-file.h:110
DetectMetadataHead::json_str
char * json_str
Definition: detect-metadata.h:40
DNP3Transaction_::response_done
uint8_t response_done
Definition: app-layer-dnp3.h:232
detect-engine.h
PACKET_ALERT_FLAG_STREAM_MATCH
#define PACKET_ALERT_FLAG_STREAM_MATCH
Definition: decode.h:294
EveSMTPAddMetadata
bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-smtp.c:97
PacketAlert_::s
const struct Signature_ * s
Definition: decode.h:284
EveHttpLogJSONBodyPrintable
void EveHttpLogJSONBodyPrintable(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:405
ALPROTO_IKE
@ ALPROTO_IKE
Definition: app-layer-protos.h:49
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
output-json-modbus.h
Signature_::sig_str
char * sig_str
Definition: detect.h:618
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
STREAM_DUMP_TOSERVER
#define STREAM_DUMP_TOSERVER
Definition: stream.h:33
PACKET_ALERT_FLAG_TX
#define PACKET_ALERT_FLAG_TX
Definition: decode.h:296
CreateIsoTimeString
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:213
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:263
ConfNode_::val
char * val
Definition: conf.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
output-json-mqtt.h
LOG_JSON_RULE
#define LOG_JSON_RULE
Definition: output-json-alert.c:100
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DNP3Transaction_::request_done
uint8_t request_done
Definition: app-layer-dnp3.h:218
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:603
AlertJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-alert.c:111
AlertJsonOutputCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-alert.c:115
ALPROTO_MODBUS
@ ALPROTO_MODBUS
Definition: app-layer-protos.h:42
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:73
Flow_::proto
uint8_t proto
Definition: flow.h:378
StreamSegmentForEach
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
Definition: stream.c:40
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:51
Packet_::payload
uint8_t * payload
Definition: decode.h:582
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:306
DNP3Transaction_::has_request
uint8_t has_request
Definition: app-layer-dnp3.h:217
SIG_FLAG_DEST_IS_TARGET
#define SIG_FLAG_DEST_IS_TARGET
Definition: detect.h:254
JsonModbusAddMetadata
bool JsonModbusAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-modbus.c:140
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:76
Packet_::flags
uint32_t flags
Definition: decode.h:477
threads.h
LOGGER_JSON_ALERT
@ LOGGER_JSON_ALERT
Definition: suricata-common.h:479
OutputJsonCtx_
Definition: output-json.h:81
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:356
util-syslog.h
logged
int logged
Definition: app-layer-htp.h:1
LogFileCtx_
Definition: util-logopenfile.h:64
JsonQuicAddMetadata
bool JsonQuicAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-quic.c:144
output-json-frame.h
EveNFSAddMetadata
bool EveNFSAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:63
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:954
PacketAlerts_::alerts
PacketAlert * alerts
Definition: decode.h:309
output-json-tls.h
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:44
ALPROTO_SIP
@ ALPROTO_SIP
Definition: app-layer-protos.h:54
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:85
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:226
output-json-sip.h
rust.h
Frames
Definition: app-layer-frames.h:61
FramesContainer
Definition: app-layer-frames.h:75
AppLayerParserGetFiles
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
Definition: app-layer-parser.c:894
util-privs.h
proto
uint8_t proto
Definition: decode-template.h:0
m
SCMutex m
Definition: flow-hash.h:6
AlertJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-alert.c:116
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:473
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
Flow_::protoctx
void * protoctx
Definition: flow.h:454
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:583
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:597
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:30
EveHttpAddMetadata
bool EveHttpAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-http.c:516
DNP3Transaction_::has_response
uint8_t has_response
Definition: app-layer-dnp3.h:231
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:521
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1128
util-unittest-helper.h
HttpXFFGetIP
int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:177
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
PcapLogGetFilename
char * PcapLogGetFilename(void)
Definition: log-pcap.c:1907
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:230
PacketAlert_::tx_id
uint64_t tx_id
Definition: decode.h:285
JsonDNSLogAnswer
JsonBuilder * JsonDNSLogAnswer(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:284
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
PacketAlert_::action
uint8_t action
Definition: decode.h:282
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
JSON_BODY_LOGGING
#define JSON_BODY_LOGGING
Definition: output-json-alert.c:106
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
ALPROTO_SNMP
@ ALPROTO_SNMP
Definition: app-layer-protos.h:53
Signature_::gid
uint32_t gid
Definition: detect.h:584
output-json-dnp3.h
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:53
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:77
JsonAlertLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-alert.c:122
util-debug.h
output-json-flow.h
MODULE_NAME
#define MODULE_NAME
Definition: output-json-alert.c:89
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:268
JsonRFBAddMetadata
bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-rfb.c:49
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:49
output-json-rfb.h
LOG_JSON_APP_LAYER
#define LOG_JSON_APP_LAYER
Definition: output-json-alert.c:95
ALPROTO_DNP3
@ ALPROTO_DNP3
Definition: app-layer-protos.h:44
app-layer-dnp3.h
output-json.h
FrameGetById
Frame * FrameGetById(Frames *frames, const int64_t id)
Definition: app-layer-frames.c:46
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
MemBufferWriteRaw
#define MemBufferWriteRaw(dst, raw_buffer, raw_buffer_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.h:133
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
EveIKEAddMetadata
bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-ike.c:66
LOG_JSON_PAYLOAD
#define LOG_JSON_PAYLOAD
Definition: output-json-alert.c:91
PktSrcEnum
PktSrcEnum
Definition: decode.h:50
AlertJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-alert.c:112
SC_ERR_ALERT_PAYLOAD_BUFFER
@ SC_ERR_ALERT_PAYLOAD_BUFFER
Definition: util-error.h:310
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:816
util-print.h
detect-engine-mpm.h
FileContainer_::head
File * head
Definition: util-file.h:111
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
EveFileInfo
void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
Definition: output-json.c:127
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:736
JsonAlertLogThread
struct JsonAlertLogThread_ JsonAlertLogThread
output-json-email-common.h
OutputInitResult_::ok
bool ok
Definition: output.h:50
JsonDNP3LogResponse
void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:173
EveHttpLogJSONBodyBase64
void EveHttpLogJSONBodyBase64(JsonBuilder *js, Flow *f, uint64_t tx_id)
Definition: output-json-http.c:436
app-layer-parser.h
JsonAlertLogThread_
Definition: output-json-alert.c:119
TRUE
#define TRUE
Definition: suricata-common.h:33
SC_WARN_ALERT_CONFIG
@ SC_WARN_ALERT_CONFIG
Definition: util-error.h:357
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:550
JsonAddrInfo_
Definition: output-json.h:49
TcpSegment
Definition: stream-tcp-private.h:75
Packet_
Definition: decode.h:442
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:199
ALPROTO_RDP
@ ALPROTO_RDP
Definition: app-layer-protos.h:61
JSON_STREAM_BUFFER_SIZE
#define JSON_STREAM_BUFFER_SIZE
Definition: output-json-alert.c:108
LOG_JSON_PAYLOAD_BASE64
#define LOG_JSON_PAYLOAD_BASE64
Definition: output-json-alert.c:93
conf.h
SIG_FLAG_HAS_TARGET
#define SIG_FLAG_HAS_TARGET
Definition: detect.h:256
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:81
SIG_FLAG_SRC_IS_TARGET
#define SIG_FLAG_SRC_IS_TARGET
Definition: detect.h:252
EveNFSAddMetadataRPC
bool EveNFSAddMetadataRPC(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-nfs.c:51
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:979
AlertJsonHeader
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
Definition: output-json-alert.c:343
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
AlertJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-alert.c:113
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:62
util-proto-name.h
ConfNodeHasChildren
bool ConfNodeHasChildren(const ConfNode *node)
Check if a node has any children.
Definition: conf.c:751
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:227
LOG_JSON_TAGGED_PACKETS
#define LOG_JSON_TAGGED_PACKETS
Definition: output-json-alert.c:94
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1123
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint32_t tx_id, JsonBuilder *js)
Definition: output-json-email-common.c:367
AlertJsonOutputCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-alert.c:114
log-pcap.h
PacketAlert_::frame_id
int64_t frame_id
Definition: decode.h:286
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:54
Signature_::class_msg
char * class_msg
Definition: detect.h:612
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:770
PacketAlert_::flags
uint8_t flags
Definition: decode.h:283
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
File_::flags
uint16_t flags
Definition: util-file.h:76
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:298
File_
Definition: util-file.h:75
OutputInitResult_
Definition: output.h:48
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:479
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:644
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
flags
uint8_t flags
Definition: decode-gre.h:0
Packet_::ts
struct timeval ts
Definition: decode.h:485
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:52
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:217
pcap_filename
char pcap_filename[PATH_MAX]
Definition: source-pcap-file-helper.c:117
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:45
AlertJsonOutputCtx_
Definition: output-json-alert.c:110
detect-metadata.h
JsonAlertLogThread_::json_output_ctx
AlertJsonOutputCtx * json_output_ctx
Definition: output-json-alert.c:121
output-json-nfs.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
File_::next
struct File_ * next
Definition: util-file.h:89
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
ALPROTO_FTPDATA
@ ALPROTO_FTPDATA
Definition: app-layer-protos.h:47
EveAddAppProto
void EveAddAppProto(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:168
Signature_::rev
uint32_t rev
Definition: detect.h:585
util-classification-config.h
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:432
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:287
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Signature_::prio
int prio
Definition: detect.h:586
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:183
output-json-alert.h
util-optimize.h
threadvars.h
util-validate.h
output-json-dns.h
FlowGetAppProtocol
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1123
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
Packet_::root
struct Packet_ * root
Definition: decode.h:627
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:286
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:50
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
Signature_::metadata
DetectMetadataHead * metadata
Definition: detect.h:616
PACKET_ALERT_FLAG_FRAME
#define PACKET_ALERT_FLAG_FRAME
Definition: decode.h:300
AlertJsonOutputCtx
struct AlertJsonOutputCtx_ AlertJsonOutputCtx
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
JsonAlertLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-alert.c:120
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:588
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Signature_::id
uint32_t id
Definition: detect.h:583
STREAM_DUMP_TOCLIENT
#define STREAM_DUMP_TOCLIENT
Definition: stream.h:32
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:467
LOG_JSON_HTTP_BODY_BASE64
#define LOG_JSON_HTTP_BODY_BASE64
Definition: output-json-alert.c:98
output-json-ike.h
detect-parse.h
util-buffer.h
LOG_JSON_PACKET
#define LOG_JSON_PACKET
Definition: output-json-alert.c:92
ALPROTO_MQTT
@ ALPROTO_MQTT
Definition: app-layer-protos.h:56
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:546
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:51
EveFTPDataAddMetadata
void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb)
Definition: app-layer-ftp.c:1447
output-json-ssh.h
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
JsonDNSLogQuery
JsonBuilder * JsonDNSLogQuery(void *txptr, uint64_t tx_id)
Definition: output-json-dns.c:262
LOG_JSON_HTTP_BODY
#define LOG_JSON_HTTP_BODY
Definition: output-json-alert.c:97
METADATA_DEFAULTS
#define METADATA_DEFAULTS
Definition: output-json-alert.c:102
DNP3State_
Per flow DNP3 state.
Definition: app-layer-dnp3.h:254
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:252
LOG_JSON_FLOW
#define LOG_JSON_FLOW
Definition: output-json-alert.c:96
JsonDNP3LogRequest
void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
Definition: output-json-dnp3.c:144
ALPROTO_RFB
@ ALPROTO_RFB
Definition: app-layer-protos.h:55
PacketAlert_
Definition: decode.h:280
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:469
File_::txid
uint64_t txid
Definition: util-file.h:80
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
likely
#define likely(expr)
Definition: util-optimize.h:32
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:113
output-json-smtp.h
MemBuffer_::buffer
uint8_t * buffer
Definition: util-buffer.h:28
TcpSession_
Definition: stream-tcp-private.h:274
output-json-http.h
util-misc.h
PKT_HAS_TAG
#define PKT_HAS_TAG
Definition: decode.h:1178
Signature_::msg
char * msg
Definition: detect.h:609
flow.h
DetectEngineSetParseMetadata
void DetectEngineSetParseMetadata(void)
Definition: detect-engine.c:4587
EveSMBAddMetadata
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
Definition: output-json-smb.c:50
JsonTlsLogJSONExtended
void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState *state)
Definition: output-json-tls.c:356
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LOG_JSON_RULE_METADATA
#define LOG_JSON_RULE_METADATA
Definition: output-json-alert.c:99
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:262
PACKET_ALERT_FLAG_STATE_MATCH
#define PACKET_ALERT_FLAG_STATE_MATCH
Definition: decode.h:292
output-json-quic.h
JsonSIPAddMetadata
void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id)
Definition: output-json-sip.c:52
JsonMQTTAddMetadata
bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
Definition: output-json-mqtt.c:63
SCMutex
#define SCMutex
Definition: threads-debug.h:114
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h
Packet_::tunnel_mutex
SCMutex tunnel_mutex
Definition: decode.h:637
JsonAlertLogRegister
void JsonAlertLogRegister(void)
Definition: output-json-alert.c:1080
DNP3Transaction_
DNP3 transaction.
Definition: app-layer-dnp3.h:210
EveAddFlow
void EveAddFlow(Flow *f, JsonBuilder *js)
Definition: output-json-flow.c:189
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:798