/* Bit positions inside the logger's 64-bit flags word (dnslog_ctx->flags).
 * Bits 0-1 select which transaction direction is logged, bits 2-59 and 62
 * select individual RR types, bits 60-61 select the answer output format.
 * Bit 63 is not assigned anywhere in this list.
 *
 * NOTE(review): BIT_U64() is defined elsewhere; LOG_HTTPS needs bit 62, so the
 * macro must widen its operand to 64 bits before shifting (a plain int shift
 * by 62 is undefined behaviour) -- confirm against its definition. */
#define LOG_QUERIES BIT_U64(0) /* presumably: log request transactions -- verify against caller */
#define LOG_ANSWERS BIT_U64(1) /* presumably: log response transactions -- verify against caller */
/* Per-RR-type selectors.  The bit position is the position in this list, NOT
 * the IANA RR type code (A is type 1 but bit 2, OPT is type 41 but bit 39), so
 * a new type must be appended at the next free bit and its mapping added to
 * dns_rrtype_fields[] below. */
#define LOG_A BIT_U64(2)
#define LOG_NS BIT_U64(3)
#define LOG_MD BIT_U64(4)
#define LOG_MF BIT_U64(5)
#define LOG_CNAME BIT_U64(6)
#define LOG_SOA BIT_U64(7)
#define LOG_MB BIT_U64(8)
#define LOG_MG BIT_U64(9)
#define LOG_MR BIT_U64(10)
#define LOG_NULL BIT_U64(11)
#define LOG_WKS BIT_U64(12)
#define LOG_PTR BIT_U64(13)
#define LOG_HINFO BIT_U64(14)
#define LOG_MINFO BIT_U64(15)
#define LOG_MX BIT_U64(16)
#define LOG_TXT BIT_U64(17)
#define LOG_RP BIT_U64(18)
#define LOG_AFSDB BIT_U64(19)
#define LOG_X25 BIT_U64(20)
#define LOG_ISDN BIT_U64(21)
#define LOG_RT BIT_U64(22)
#define LOG_NSAP BIT_U64(23)
#define LOG_NSAPPTR BIT_U64(24)
#define LOG_SIG BIT_U64(25)
#define LOG_KEY BIT_U64(26)
#define LOG_PX BIT_U64(27)
#define LOG_GPOS BIT_U64(28)
#define LOG_AAAA BIT_U64(29)
#define LOG_LOC BIT_U64(30)
#define LOG_NXT BIT_U64(31)
#define LOG_SRV BIT_U64(32)
#define LOG_ATMA BIT_U64(33)
#define LOG_NAPTR BIT_U64(34)
#define LOG_KX BIT_U64(35)
#define LOG_CERT BIT_U64(36)
#define LOG_A6 BIT_U64(37)
#define LOG_DNAME BIT_U64(38)
#define LOG_OPT BIT_U64(39)
#define LOG_APL BIT_U64(40)
#define LOG_DS BIT_U64(41)
#define LOG_SSHFP BIT_U64(42)
#define LOG_IPSECKEY BIT_U64(43)
#define LOG_RRSIG BIT_U64(44)
#define LOG_NSEC BIT_U64(45)
#define LOG_DNSKEY BIT_U64(46)
#define LOG_DHCID BIT_U64(47)
#define LOG_NSEC3 BIT_U64(48)
#define LOG_NSEC3PARAM BIT_U64(49)
#define LOG_TLSA BIT_U64(50)
#define LOG_HIP BIT_U64(51)
#define LOG_CDS BIT_U64(52)
#define LOG_CDNSKEY BIT_U64(53)
#define LOG_SPF BIT_U64(54)
#define LOG_TKEY BIT_U64(55)
#define LOG_TSIG BIT_U64(56)
#define LOG_MAILA BIT_U64(57)
#define LOG_ANY BIT_U64(58)
#define LOG_URI BIT_U64(59)
/* Answer formats, selected by the "grouped" / "detailed" config values parsed
 * further down in this file.  These are control bits, not RR types. */
#define LOG_FORMAT_GROUPED BIT_U64(60)
#define LOG_FORMAT_DETAILED BIT_U64(61)
/* Appended after the format bits, so it is not adjacent to the other RR types. */
#define LOG_HTTPS BIT_U64(62)

#define LOG_FORMAT_ALL (LOG_FORMAT_GROUPED|LOG_FORMAT_DETAILED)
/* "All RR types" is defined by exclusion: every bit except the four control
 * bits.  That deliberately covers LOG_HTTPS (bit 62), but it also covers the
 * unassigned bit 63 -- any control flag placed there later would silently
 * become part of this mask unless it is added to the exclusion list.
 * Note that the init code below starts from ~0ULL, which also turns on both
 * format bits, so this mask is only what distinguishes RR-type selection from
 * format selection. */
#define LOG_ALL_RRTYPES (~(uint64_t)(LOG_QUERIES|LOG_ANSWERS|LOG_FORMAT_DETAILED|LOG_FORMAT_GROUPED))
192 } dns_rrtype_fields[] = {
268 JsonBuilder *queryjb = jb_new_array();
269 if (queryjb == NULL) {
272 bool has_query =
false;
274 for (uint16_t i = 0; i < UINT16_MAX; i++) {
275 JsonBuilder *js = jb_new_object();
282 jb_append_object(queryjb, js);
300 JsonBuilder *js = jb_new_object();
307 static int JsonDnsLoggerToServer(
ThreadVars *
tv,
void *thread_data,
308 const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
319 for (uint16_t i = 0; i < 0xffff; i++) {
325 jb_open_object(jb,
"dns");
339 static int JsonDnsLoggerToClient(
ThreadVars *
tv,
void *thread_data,
340 const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
357 jb_open_object(jb,
"dns");
368 void *txptr, uint64_t tx_id)
370 if (rs_dns_tx_is_request(txptr)) {
371 return JsonDnsLoggerToServer(
tv, thread_data, p, f, alstate, txptr, tx_id);
372 }
else if (rs_dns_tx_is_response(txptr)) {
373 return JsonDnsLoggerToClient(
tv, thread_data, p, f, alstate, txptr, tx_id);
378 static TmEcode LogDnsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
386 SCLogDebug(
"Error getting context for EveLogDNS. \"initdata\" argument NULL");
420 static void LogDnsLogDeInitCtxSub(
OutputCtx *output_ctx)
422 SCLogDebug(
"cleaning up sub output_ctx %p", output_ctx);
429 const char *query_key,
const char *answer_key,
430 const char *answer_types_key)
444 if (response != NULL) {
462 dnslog_ctx->
flags |= dns_rrtype_fields[f].flags;
472 static void JsonDnsCheckVersion(
ConfNode *conf)
478 static bool v1_deprecation_warned =
false;
480 if (has_version != NULL) {
481 bool invalid =
false;
482 intmax_t config_version;
484 switch(config_version) {
488 if (!v1_deprecation_warned) {
489 SCLogError(
"DNS EVE v1 logging has been removed, will use v2");
490 v1_deprecation_warned =
true;
501 SCLogWarning(
"Invalid EVE DNS version \"%s\", will use v2", has_version->
val);
508 dnslog_ctx->
flags = ~0ULL;
511 JsonDnsLogParseConfig(dnslog_ctx, conf,
"requests",
"responses",
"types");
518 if (strcasecmp(field->
val,
"detailed") == 0) {
520 }
else if (strcasecmp(field->
val,
"grouped") == 0) {
542 JsonDnsCheckVersion(conf);
560 output_ctx->
data = dnslog_ctx;
561 output_ctx->
DeInit = LogDnsLogDeInitCtxSub;
563 JsonDnsLogInitFilters(dnslog_ctx, conf);
570 result.
ctx = output_ctx;
576 #define MODULE_NAME "JsonDnsLog"
580 JsonDnsLogInitCtxSub,
ALPROTO_DNS, JsonDnsLogger, LogDnsLogThreadInit,
581 LogDnsLogThreadDeinit, NULL);