/* Name under which this EVE output sub-module registers itself. */
#define MODULE_NAME "JsonAnomalyLog"
/* Value of the EVE "event_type" field for records produced by this logger
 * (presumably passed to CreateEveHeader(); confirm at the call site). */
#define ANOMALY_EVENT_TYPE "anomaly"
/* Bit flags selecting which event sources are logged. They are populated from
 * the logger's configuration via SetFlag() and stored in a uint16_t. */
#define LOG_JSON_DECODE_TYPE BIT_U16(0)   /* packet decoder events */
#define LOG_JSON_STREAM_TYPE BIT_U16(1)   /* stream engine events */
#define LOG_JSON_APPLAYER_TYPE BIT_U16(2) /* app-layer parser/protocol events */
/* Include packet header data in decode-event records. Has no effect unless
 * LOG_JSON_DECODE_TYPE is also selected; JsonAnomalyLogConf warns about this. */
#define LOG_JSON_PACKETHDR BIT_U16(3)
/* Packet-level events: decoder and stream engine events together. */
#define LOG_JSON_PACKET_TYPE (LOG_JSON_DECODE_TYPE | LOG_JSON_STREAM_TYPE)
/* Flag set applied when no explicit type selection is configured. */
#define ANOMALY_DEFAULTS LOG_JSON_APPLAYER_TYPE
/* Sentinel tx_id for records that are not tied to an app-layer transaction.
 * UINT64_MAX is used so it cannot collide with a real transaction id. */
#define TX_ID_UNUSED UINT64_MAX
/* At most one anomaly logger instance may be enabled at a time; the counter is
 * bumped by OutputAnomalyLoggerEnable()/OutputAnomalyLoggerDisable() (bodies
 * not visible here). It is a plain int with no synchronization, so it is
 * presumably only touched during single-threaded output setup/teardown —
 * TODO confirm before relying on it from any other context. */
#define MAX_ANOMALY_LOGGERS 1
static int anomaly_loggers = 0;
88 static bool OutputAnomalyLoggerEnable(
void)
97 static void OutputAnomalyLoggerDisable(
void)
110 for (
int i = 0; i < p->
events.
cnt; i++) {
113 if (is_decode && !log_decode)
115 if (!is_decode && !log_stream)
133 jb_set_string(js,
"event", event);
136 jb_set_uint(js,
"code", event_code);
159 SCLogDebug(
"decoder_events %p event_count %d (last logged %d) %s",
160 decoder_events, decoder_events->
cnt,
180 jb_set_string(js,
"app_proto", alprotoname);
182 const char *event_name = NULL;
183 uint8_t event_code = decoder_events->
events[i];
184 AppLayerEventType event_type;
190 event_code, &event_name, &event_type);
194 jb_set_string(js,
"event", event_name);
197 jb_set_uint(js,
"code", event_code);
200 jb_set_string(js,
"layer", layer);
215 Flow *f,
void *state,
void *tx, uint64_t tx_id)
225 SCLogDebug(
"state %p, tx: %p, tx_id: %"PRIu64, state, tx, tx_id);
226 AnomalyAppLayerDecoderEventJson(
tv, aft, p, decoder_events,
false,
"proto_parser", tx_id);
231 static inline bool AnomalyHasParserEvents(
const Packet *p)
237 static inline bool AnomalyHasPacketAppLayerEvents(
const Packet *p)
249 rc = AnomalyDecodeEventJson(
tv, aft, p);
256 if (rc ==
TM_ECODE_OK && AnomalyHasPacketAppLayerEvents(p)) {
257 rc = AnomalyAppLayerDecoderEventJson(
262 if (rc ==
TM_ECODE_OK && AnomalyHasParserEvents(p)) {
266 rc = AnomalyAppLayerDecoderEventJson(
278 return AnomalyJson(
tv, aft, p);
281 static bool JsonAnomalyLogCondition(
ThreadVars *
tv,
void *thread_data,
const Packet *p)
285 AnomalyHasParserEvents(p);
288 static TmEcode JsonAnomalyLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
295 if (initdata == NULL) {
296 SCLogDebug(
"Error getting context for EveLogAnomaly. \"initdata\" argument NULL");
333 static void JsonAnomalyLogDeInitCtxSubHelper(
OutputCtx *output_ctx)
335 SCLogDebug(
"cleaning up sub output_ctx %p", output_ctx);
339 if (json_output_ctx != NULL) {
345 static void JsonAnomalyLogDeInitCtxSub(
OutputCtx *output_ctx)
347 OutputAnomalyLoggerDisable();
349 JsonAnomalyLogDeInitCtxSubHelper(output_ctx);
352 static void SetFlag(
const ConfNode *conf,
const char *name, uint16_t flag, uint16_t *out_flags)
356 if (setting != NULL) {
368 static bool warn_no_flags =
false;
369 static bool warn_no_packet =
false;
374 if (typeconf != NULL) {
382 SCLogWarning(
"Anomaly logging configured to include packet headers, however decode "
383 "type logging has not been selected. Packet headers will not be logged.");
384 warn_no_packet =
true;
388 if (
flags == 0 && !warn_no_flags) {
389 SCLogWarning(
"Anomaly logging has been configured; however, no logging types "
390 "have been selected. Select one or more logging types.");
391 warn_no_flags =
true;
407 if (
unlikely(json_output_ctx == NULL)) {
411 JsonAnomalyLogConf(json_output_ctx, conf);
412 json_output_ctx->
eve_ctx = ajt;
414 output_ctx->
data = json_output_ctx;
415 output_ctx->
DeInit = JsonAnomalyLogDeInitCtxSubHelper;
417 result.
ctx = output_ctx;
435 if (!OutputAnomalyLoggerEnable()) {
444 result.
ctx->
DeInit = JsonAnomalyLogDeInitCtxSub;
453 JsonAnomalyLogInitCtxSub, JsonAnomalyLogger, JsonAnomalyLogCondition,
454 JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit);
458 JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit);