suricata
output-json-dns.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements JSON DNS logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "conf.h"
28 
29 #include "threadvars.h"
30 
31 #include "util-byte.h"
32 #include "util-debug.h"
33 #include "util-mem.h"
34 #include "app-layer-parser.h"
35 #include "output.h"
36 
37 #include "output-json.h"
38 #include "output-json-dns.h"
39 #include "rust.h"
40 
41 #define LOG_QUERIES BIT_U64(0)
42 #define LOG_ANSWERS BIT_U64(1)
43 
44 #define LOG_A BIT_U64(2)
45 #define LOG_NS BIT_U64(3)
46 #define LOG_MD BIT_U64(4)
47 #define LOG_MF BIT_U64(5)
48 #define LOG_CNAME BIT_U64(6)
49 #define LOG_SOA BIT_U64(7)
50 #define LOG_MB BIT_U64(8)
51 #define LOG_MG BIT_U64(9)
52 #define LOG_MR BIT_U64(10)
53 #define LOG_NULL BIT_U64(11)
54 #define LOG_WKS BIT_U64(12)
55 #define LOG_PTR BIT_U64(13)
56 #define LOG_HINFO BIT_U64(14)
57 #define LOG_MINFO BIT_U64(15)
58 #define LOG_MX BIT_U64(16)
59 #define LOG_TXT BIT_U64(17)
60 #define LOG_RP BIT_U64(18)
61 #define LOG_AFSDB BIT_U64(19)
62 #define LOG_X25 BIT_U64(20)
63 #define LOG_ISDN BIT_U64(21)
64 #define LOG_RT BIT_U64(22)
65 #define LOG_NSAP BIT_U64(23)
66 #define LOG_NSAPPTR BIT_U64(24)
67 #define LOG_SIG BIT_U64(25)
68 #define LOG_KEY BIT_U64(26)
69 #define LOG_PX BIT_U64(27)
70 #define LOG_GPOS BIT_U64(28)
71 #define LOG_AAAA BIT_U64(29)
72 #define LOG_LOC BIT_U64(30)
73 #define LOG_NXT BIT_U64(31)
74 #define LOG_SRV BIT_U64(32)
75 #define LOG_ATMA BIT_U64(33)
76 #define LOG_NAPTR BIT_U64(34)
77 #define LOG_KX BIT_U64(35)
78 #define LOG_CERT BIT_U64(36)
79 #define LOG_A6 BIT_U64(37)
80 #define LOG_DNAME BIT_U64(38)
81 #define LOG_OPT BIT_U64(39)
82 #define LOG_APL BIT_U64(40)
83 #define LOG_DS BIT_U64(41)
84 #define LOG_SSHFP BIT_U64(42)
85 #define LOG_IPSECKEY BIT_U64(43)
86 #define LOG_RRSIG BIT_U64(44)
87 #define LOG_NSEC BIT_U64(45)
88 #define LOG_DNSKEY BIT_U64(46)
89 #define LOG_DHCID BIT_U64(47)
90 #define LOG_NSEC3 BIT_U64(48)
91 #define LOG_NSEC3PARAM BIT_U64(49)
92 #define LOG_TLSA BIT_U64(50)
93 #define LOG_HIP BIT_U64(51)
94 #define LOG_CDS BIT_U64(52)
95 #define LOG_CDNSKEY BIT_U64(53)
96 #define LOG_SPF BIT_U64(54)
97 #define LOG_TKEY BIT_U64(55)
98 #define LOG_TSIG BIT_U64(56)
99 #define LOG_MAILA BIT_U64(57)
100 #define LOG_ANY BIT_U64(58)
101 #define LOG_URI BIT_U64(59)
102 
103 #define LOG_FORMAT_GROUPED BIT_U64(60)
104 #define LOG_FORMAT_DETAILED BIT_U64(61)
105 #define LOG_HTTPS BIT_U64(62)
106 
107 #define LOG_FORMAT_ALL (LOG_FORMAT_GROUPED|LOG_FORMAT_DETAILED)
108 #define LOG_ALL_RRTYPES (~(uint64_t)(LOG_QUERIES|LOG_ANSWERS|LOG_FORMAT_DETAILED|LOG_FORMAT_GROUPED))
109 
110 typedef enum {
171 } DnsRRTypes;
172 
173 static struct {
174  const char *config_rrtype;
175  uint64_t flags;
176 } dns_rrtype_fields[] = {
177  // clang-format off
178  { "a", LOG_A },
179  { "ns", LOG_NS },
180  { "md", LOG_MD },
181  { "mf", LOG_MF },
182  { "cname", LOG_CNAME },
183  { "soa", LOG_SOA },
184  { "mb", LOG_MB },
185  { "mg", LOG_MG },
186  { "mr", LOG_MR },
187  { "null", LOG_NULL },
188  { "wks", LOG_WKS },
189  { "ptr", LOG_PTR },
190  { "hinfo", LOG_HINFO },
191  { "minfo", LOG_MINFO },
192  { "mx", LOG_MX },
193  { "txt", LOG_TXT },
194  { "rp", LOG_RP },
195  { "afsdb", LOG_AFSDB },
196  { "x25", LOG_X25 },
197  { "isdn", LOG_ISDN },
198  { "rt", LOG_RT },
199  { "nsap", LOG_NSAP },
200  { "nsapptr", LOG_NSAPPTR },
201  { "sig", LOG_SIG },
202  { "key", LOG_KEY },
203  { "px", LOG_PX },
204  { "gpos", LOG_GPOS },
205  { "aaaa", LOG_AAAA },
206  { "loc", LOG_LOC },
207  { "nxt", LOG_NXT },
208  { "srv", LOG_SRV },
209  { "atma", LOG_ATMA },
210  { "naptr", LOG_NAPTR },
211  { "kx", LOG_KX },
212  { "cert", LOG_CERT },
213  { "a6", LOG_A6 },
214  { "dname", LOG_DNAME },
215  { "opt", LOG_OPT },
216  { "apl", LOG_APL },
217  { "ds", LOG_DS },
218  { "sshfp", LOG_SSHFP },
219  { "ipseckey", LOG_IPSECKEY },
220  { "rrsig", LOG_RRSIG },
221  { "nsec", LOG_NSEC },
222  { "dnskey", LOG_DNSKEY },
223  { "dhcid", LOG_DHCID },
224  { "nsec3", LOG_NSEC3 },
225  { "nsec3param", LOG_NSEC3PARAM },
226  { "tlsa", LOG_TLSA },
227  { "hip", LOG_HIP },
228  { "cds", LOG_CDS },
229  { "cdnskey", LOG_CDNSKEY },
230  { "https", LOG_HTTPS },
231  { "spf", LOG_SPF },
232  { "tkey", LOG_TKEY },
233  { "tsig", LOG_TSIG },
234  { "maila", LOG_MAILA },
235  { "any", LOG_ANY },
236  { "uri", LOG_URI }
237  // clang-format on
238 };
239 
240 typedef struct LogDnsFileCtx_ {
241  uint64_t flags; /** Store mode */
243  uint8_t version;
245 
246 typedef struct LogDnsLogThread_ {
250 
251 bool AlertJsonDns(void *txptr, JsonBuilder *js)
252 {
253  return SCDnsLogJson(
255 }
256 
257 bool AlertJsonDoh2(void *txptr, JsonBuilder *js)
258 {
259  JsonBuilderMark mark = { 0, 0, 0 };
260 
261  jb_get_mark(js, &mark);
262  // first log HTTP2 part
263  bool r = rs_http2_log_json(txptr, js);
264  if (!r) {
265  jb_restore_mark(js, &mark);
266  }
267  // then log one DNS tx if any, preferring the answer
268  void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
269  if (tx_dns == NULL) {
270  tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
271  }
272  bool r2 = false;
273  if (tx_dns) {
274  jb_get_mark(js, &mark);
275  r2 = AlertJsonDns(tx_dns, js);
276  if (!r2) {
277  jb_restore_mark(js, &mark);
278  }
279  }
280  return r || r2;
281 }
282 
283 static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f,
284  void *alstate, void *txptr, uint64_t tx_id)
285 {
286  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
287  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
288 
289  JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
290 
291  if (unlikely(jb == NULL)) {
292  return TM_ECODE_OK;
293  }
294 
295  JsonBuilderMark mark = { 0, 0, 0 };
296 
297  jb_get_mark(jb, &mark);
298  // first log HTTP2 part
299  bool r = rs_http2_log_json(txptr, jb);
300  if (!r) {
301  jb_restore_mark(jb, &mark);
302  }
303 
304  void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
305  if (tx_dns == NULL) {
306  tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
307  }
308  bool r2 = false;
309  if (tx_dns) {
310  // mix of JsonDnsLogger
311  if (SCDnsTxIsRequest(tx_dns)) {
312  if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
313  goto out;
314  }
315  } else if (SCDnsTxIsResponse(tx_dns)) {
316  if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
317  goto out;
318  }
319  }
320 
321  if (!SCDnsLogEnabled(tx_dns, td->dnslog_ctx->flags)) {
322  goto out;
323  }
324 
325  jb_get_mark(jb, &mark);
326  // log DOH2 with DNS config
327  r2 = SCDnsLogJson(tx_dns, td->dnslog_ctx->flags, jb);
328  if (!r2) {
329  jb_restore_mark(jb, &mark);
330  }
331  }
332 out:
333  if (r || r2) {
334  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
335  }
336  jb_free(jb);
337  return TM_ECODE_OK;
338 }
339 
340 static int JsonDnsLoggerToServer(ThreadVars *tv, void *thread_data,
341  const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id)
342 {
343  SCEnter();
344 
345  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
346  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
347 
348  if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
349  return TM_ECODE_OK;
350  }
351 
352  for (uint16_t i = 0; i < 0xffff; i++) {
353  JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
354  if (unlikely(jb == NULL)) {
355  return TM_ECODE_OK;
356  }
357 
358  jb_open_object(jb, "dns");
359  jb_set_int(jb, "version", 2);
360  if (!SCDnsLogJsonQuery(txptr, i, td->dnslog_ctx->flags, jb)) {
361  jb_free(jb);
362  break;
363  }
364  jb_close(jb);
365 
366  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
367  jb_free(jb);
368  }
369 
371 }
372 
373 static int JsonDnsLoggerToClient(ThreadVars *tv, void *thread_data,
374  const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id)
375 {
376  SCEnter();
377 
378  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
379  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
380 
381  if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
382  return TM_ECODE_OK;
383  }
384 
385  if (SCDnsLogAnswerEnabled(txptr, td->dnslog_ctx->flags)) {
386  JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
387  if (unlikely(jb == NULL)) {
388  return TM_ECODE_OK;
389  }
390 
391  jb_open_object(jb, "dns");
392  jb_set_int(jb, "version", 2);
393  SCDnsLogJsonAnswer(txptr, td->dnslog_ctx->flags, jb);
394  jb_close(jb);
395  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
396  jb_free(jb);
397  }
398 
400 }
401 
402 static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *alstate,
403  void *txptr, uint64_t tx_id)
404 {
405  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
406  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
407 
408  if (dnslog_ctx->version == DNS_LOG_VERSION_2) {
409  if (SCDnsTxIsRequest(txptr)) {
410  return JsonDnsLoggerToServer(tv, thread_data, p, f, alstate, txptr, tx_id);
411  } else if (SCDnsTxIsResponse(txptr)) {
412  return JsonDnsLoggerToClient(tv, thread_data, p, f, alstate, txptr, tx_id);
413  }
414  } else {
415  if (SCDnsTxIsRequest(txptr)) {
416  if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
417  return TM_ECODE_OK;
418  }
419  } else if (SCDnsTxIsResponse(txptr)) {
420  if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
421  return TM_ECODE_OK;
422  }
423  }
424 
425  if (!SCDnsLogEnabled(txptr, td->dnslog_ctx->flags)) {
426  return TM_ECODE_OK;
427  }
428 
429  JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
430  if (unlikely(jb == NULL)) {
431  return TM_ECODE_OK;
432  }
433 
434  if (SCDnsLogJson(txptr, td->dnslog_ctx->flags, jb)) {
435  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
436  }
437  jb_free(jb);
438  }
439  return TM_ECODE_OK;
440 }
441 
442 static TmEcode LogDnsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
443 {
444  LogDnsLogThread *aft = SCCalloc(1, sizeof(LogDnsLogThread));
445  if (unlikely(aft == NULL))
446  return TM_ECODE_FAILED;
447 
448  if(initdata == NULL)
449  {
450  SCLogDebug("Error getting context for EveLogDNS. \"initdata\" argument NULL");
451  goto error_exit;
452  }
453 
454  /* Use the Output Context (file pointer and mutex) */
455  aft->dnslog_ctx = ((OutputCtx *)initdata)->data;
456  aft->ctx = CreateEveThreadCtx(t, aft->dnslog_ctx->eve_ctx);
457  if (!aft->ctx) {
458  goto error_exit;
459  }
460 
461  *data = (void *)aft;
462  return TM_ECODE_OK;
463 
464 error_exit:
465  SCFree(aft);
466  return TM_ECODE_FAILED;
467 }
468 
469 static TmEcode LogDnsLogThreadDeinit(ThreadVars *t, void *data)
470 {
471  LogDnsLogThread *aft = (LogDnsLogThread *)data;
472  if (aft == NULL) {
473  return TM_ECODE_OK;
474  }
475  FreeEveThreadCtx(aft->ctx);
476 
477  /* clear memory */
478  memset(aft, 0, sizeof(LogDnsLogThread));
479 
480  SCFree(aft);
481  return TM_ECODE_OK;
482 }
483 
484 static void LogDnsLogDeInitCtxSub(OutputCtx *output_ctx)
485 {
486  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
487  LogDnsFileCtx *dnslog_ctx = (LogDnsFileCtx *)output_ctx->data;
488  SCFree(dnslog_ctx);
489  SCFree(output_ctx);
490 }
491 
492 static void JsonDnsLogParseConfig(LogDnsFileCtx *dnslog_ctx, ConfNode *conf,
493  const char *query_key, const char *answer_key,
494  const char *answer_types_key)
495 {
496  const char *query = ConfNodeLookupChildValue(conf, query_key);
497  if (query != NULL) {
498  if (ConfValIsTrue(query)) {
499  dnslog_ctx->flags |= LOG_QUERIES;
500  } else {
501  dnslog_ctx->flags &= ~LOG_QUERIES;
502  }
503  } else {
504  dnslog_ctx->flags |= LOG_QUERIES;
505  }
506 
507  const char *response = ConfNodeLookupChildValue(conf, answer_key);
508  if (response != NULL) {
509  if (ConfValIsTrue(response)) {
510  dnslog_ctx->flags |= LOG_ANSWERS;
511  } else {
512  dnslog_ctx->flags &= ~LOG_ANSWERS;
513  }
514  } else {
515  dnslog_ctx->flags |= LOG_ANSWERS;
516  }
517 
518  ConfNode *custom;
519  if ((custom = ConfNodeLookupChild(conf, answer_types_key)) != NULL) {
520  dnslog_ctx->flags &= ~LOG_ALL_RRTYPES;
521  ConfNode *field;
522  TAILQ_FOREACH (field, &custom->head, next) {
523  DnsRRTypes f;
524  for (f = DNS_RRTYPE_A; f < DNS_RRTYPE_MAX; f++) {
525  if (strcasecmp(dns_rrtype_fields[f].config_rrtype, field->val) == 0) {
526  dnslog_ctx->flags |= dns_rrtype_fields[f].flags;
527  break;
528  }
529  }
530  }
531  } else {
532  dnslog_ctx->flags |= LOG_ALL_RRTYPES;
533  }
534 }
535 
536 static uint8_t GetDnsLogVersion(ConfNode *conf)
537 {
538  if (conf == NULL) {
539  return DNS_LOG_VERSION_DEFAULT;
540  }
541 
542  char *version_string = NULL;
543  const ConfNode *version_node = ConfNodeLookupChild(conf, "version");
544  if (version_node != NULL) {
545  version_string = version_node->val;
546  }
547 
548  if (version_string == NULL) {
549  version_string = getenv("SURICATA_EVE_DNS_VERSION");
550  }
551 
552  if (version_string == NULL) {
553  return DNS_LOG_VERSION_DEFAULT;
554  }
555 
556  uint8_t version;
557  if (StringParseUint8(&version, 10, 0, version_string) >= 0) {
558  return version;
559  }
560  SCLogWarning("Failed to parse EVE DNS log version of \"%s\"", version_string);
561  return DNS_LOG_VERSION_DEFAULT;
562 }
563 
564 static uint8_t JsonDnsCheckVersion(ConfNode *conf)
565 {
566  const uint8_t default_version = DNS_LOG_VERSION_DEFAULT;
567  const uint8_t version = GetDnsLogVersion(conf);
568  static bool v1_deprecation_warned = false;
569  static bool v2_deprecation_warned = false;
570 
571  switch (version) {
572  case 3:
573  return DNS_LOG_VERSION_3;
574  case 2:
575  if (!v2_deprecation_warned) {
576  SCLogNotice("DNS EVE v2 logging has been deprecated and will be removed in "
577  "Suricata 9.0");
578  v2_deprecation_warned = true;
579  }
580  return DNS_LOG_VERSION_2;
581  case 1:
582  if (!v1_deprecation_warned) {
583  SCLogWarning("DNS EVE v1 logging has been removed, will use v2");
584  v1_deprecation_warned = true;
585  }
586  return default_version;
587  default:
588  SCLogWarning(
589  "Invalid EVE DNS version %d, will use v%d", version, DNS_LOG_VERSION_DEFAULT);
590  return default_version;
591  }
592 
593  return default_version;
594 }
595 
596 static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, ConfNode *conf)
597 {
598  dnslog_ctx->flags = ~0ULL;
599 
600  if (conf) {
601  JsonDnsLogParseConfig(dnslog_ctx, conf, "requests", "responses", "types");
602  if (dnslog_ctx->flags & LOG_ANSWERS) {
603  ConfNode *format;
604  if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) {
605  uint64_t flags = 0;
606  ConfNode *field;
607  TAILQ_FOREACH (field, &format->head, next) {
608  if (strcasecmp(field->val, "detailed") == 0) {
610  } else if (strcasecmp(field->val, "grouped") == 0) {
612  } else {
613  SCLogWarning("Invalid JSON DNS log format: %s", field->val);
614  }
615  }
616  if (flags) {
617  dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
618  dnslog_ctx->flags |= flags;
619  } else {
620  SCLogWarning("Empty EVE DNS format array, using defaults");
621  }
622  } else {
623  dnslog_ctx->flags |= LOG_FORMAT_ALL;
624  }
625  }
626  }
627 }
628 
629 static OutputInitResult JsonDnsLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
630 {
631  OutputInitResult result = { NULL, false };
632  const char *enabled = ConfNodeLookupChildValue(conf, "enabled");
633  if (enabled != NULL && !ConfValIsTrue(enabled)) {
634  result.ok = true;
635  return result;
636  }
637 
638  OutputJsonCtx *ojc = parent_ctx->data;
639 
640  LogDnsFileCtx *dnslog_ctx = SCCalloc(1, sizeof(LogDnsFileCtx));
641  if (unlikely(dnslog_ctx == NULL)) {
642  return result;
643  }
644 
645  dnslog_ctx->eve_ctx = ojc;
646  dnslog_ctx->version = JsonDnsCheckVersion(conf);
647 
648  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
649  if (unlikely(output_ctx == NULL)) {
650  SCFree(dnslog_ctx);
651  return result;
652  }
653 
654  output_ctx->data = dnslog_ctx;
655  output_ctx->DeInit = LogDnsLogDeInitCtxSub;
656 
657  JsonDnsLogInitFilters(dnslog_ctx, conf);
658 
659  SCLogDebug("DNS log sub-module initialized");
660 
663 
664  result.ctx = output_ctx;
665  result.ok = true;
666  return result;
667 }
668 
669 
670 #define MODULE_NAME "JsonDnsLog"
672 {
673  OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", MODULE_NAME, "eve-log.dns",
674  JsonDnsLogInitCtxSub, ALPROTO_DNS, JsonDnsLogger, LogDnsLogThreadInit,
675  LogDnsLogThreadDeinit);
676 }
677 
679 {
680  OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonDoH2Log", "eve-log.doh2",
681  JsonDnsLogInitCtxSub, ALPROTO_DOH2, JsonDoh2Logger, LogDnsLogThreadInit,
682  LogDnsLogThreadDeinit);
683 }
DNS_RRTYPE_PX
@ DNS_RRTYPE_PX
Definition: output-json-dns.c:136
util-byte.h
DNS_RRTYPE_AAAA
@ DNS_RRTYPE_AAAA
Definition: output-json-dns.c:138
DNS_RRTYPE_GPOS
@ DNS_RRTYPE_GPOS
Definition: output-json-dns.c:137
LOG_MR
#define LOG_MR
Definition: output-json-dns.c:52
DNS_RRTYPE_TKEY
@ DNS_RRTYPE_TKEY
Definition: output-json-dns.c:165
DNS_RRTYPE_ANY
@ DNS_RRTYPE_ANY
Definition: output-json-dns.c:168
JsonDoh2LogRegister
void JsonDoh2LogRegister(void)
Definition: output-json-dns.c:678
LOG_NULL
#define LOG_NULL
Definition: output-json-dns.c:53
LOG_NSEC3PARAM
#define LOG_NSEC3PARAM
Definition: output-json-dns.c:91
DNS_RRTYPE_OPT
@ DNS_RRTYPE_OPT
Definition: output-json-dns.c:148
LOG_NSEC
#define LOG_NSEC
Definition: output-json-dns.c:87
LOG_RP
#define LOG_RP
Definition: output-json-dns.c:60
LOG_GPOS
#define LOG_GPOS
Definition: output-json-dns.c:70
DNS_RRTYPE_NULL
@ DNS_RRTYPE_NULL
Definition: output-json-dns.c:120
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
MODULE_NAME
#define MODULE_NAME
Definition: output-json-dns.c:670
AlertJsonDoh2
bool AlertJsonDoh2(void *txptr, JsonBuilder *js)
Definition: output-json-dns.c:257
DNS_RRTYPE_MX
@ DNS_RRTYPE_MX
Definition: output-json-dns.c:125
ConfNode_::val
char * val
Definition: conf.h:34
DNS_RRTYPE_HIP
@ DNS_RRTYPE_HIP
Definition: output-json-dns.c:160
LOG_NXT
#define LOG_NXT
Definition: output-json-dns.c:73
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DNS_RRTYPE_LOC
@ DNS_RRTYPE_LOC
Definition: output-json-dns.c:139
LOG_TLSA
#define LOG_TLSA
Definition: output-json-dns.c:92
DNS_RRTYPE_NS
@ DNS_RRTYPE_NS
Definition: output-json-dns.c:112
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DNS_RRTYPE_MAX
@ DNS_RRTYPE_MAX
Definition: output-json-dns.c:170
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
DNS_RRTYPE_X25
@ DNS_RRTYPE_X25
Definition: output-json-dns.c:129
DnsRRTypes
DnsRRTypes
Definition: output-json-dns.c:110
LOG_TKEY
#define LOG_TKEY
Definition: output-json-dns.c:97
OutputJsonCtx_
Definition: output-json.h:81
Flow_
Flow data structure.
Definition: flow.h:356
DNS_RRTYPE_TSIG
@ DNS_RRTYPE_TSIG
Definition: output-json-dns.c:166
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:958
DNS_RRTYPE_HTTPS
@ DNS_RRTYPE_HTTPS
Definition: output-json-dns.c:163
LOG_LOC
#define LOG_LOC
Definition: output-json-dns.c:72
LOG_TSIG
#define LOG_TSIG
Definition: output-json-dns.c:98
LOG_APL
#define LOG_APL
Definition: output-json-dns.c:82
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
OutputRegisterTxSubModule
void OutputRegisterTxSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Definition: output.c:377
LOG_DNSKEY
#define LOG_DNSKEY
Definition: output-json-dns.c:88
rust.h
DNS_RRTYPE_DHCID
@ DNS_RRTYPE_DHCID
Definition: output-json-dns.c:156
LOG_DNAME
#define LOG_DNAME
Definition: output-json-dns.c:80
LOG_ANSWERS
#define LOG_ANSWERS
Definition: output-json-dns.c:42
LOG_NSEC3
#define LOG_NSEC3
Definition: output-json-dns.c:90
LOG_DS
#define LOG_DS
Definition: output-json-dns.c:83
LOG_MAILA
#define LOG_MAILA
Definition: output-json-dns.c:99
LOG_NS
#define LOG_NS
Definition: output-json-dns.c:45
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
LOG_CERT
#define LOG_CERT
Definition: output-json-dns.c:78
DNS_RRTYPE_SPF
@ DNS_RRTYPE_SPF
Definition: output-json-dns.c:164
DNS_RRTYPE_WKS
@ DNS_RRTYPE_WKS
Definition: output-json-dns.c:121
LogDnsFileCtx_::flags
uint64_t flags
Definition: output-json-dns.c:241
LOG_MD
#define LOG_MD
Definition: output-json-dns.c:46
LOG_SOA
#define LOG_SOA
Definition: output-json-dns.c:49
LOG_NAPTR
#define LOG_NAPTR
Definition: output-json-dns.c:76
LOG_WKS
#define LOG_WKS
Definition: output-json-dns.c:54
LOG_CDS
#define LOG_CDS
Definition: output-json-dns.c:94
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
OutputCtx_
Definition: tm-modules.h:84
LOG_URI
#define LOG_URI
Definition: output-json-dns.c:101
LOG_SRV
#define LOG_SRV
Definition: output-json-dns.c:74
OutputJsonThreadCtx_
Definition: output-json.h:89
LOG_HINFO
#define LOG_HINFO
Definition: output-json-dns.c:56
DNS_RRTYPE_URI
@ DNS_RRTYPE_URI
Definition: output-json-dns.c:169
LogDnsFileCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-dns.c:242
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
DNS_RRTYPE_HINFO
@ DNS_RRTYPE_HINFO
Definition: output-json-dns.c:123
DNS_RRTYPE_NSEC
@ DNS_RRTYPE_NSEC
Definition: output-json-dns.c:154
LOG_ATMA
#define LOG_ATMA
Definition: output-json-dns.c:75
LOG_KEY
#define LOG_KEY
Definition: output-json-dns.c:68
LOG_ALL_RRTYPES
#define LOG_ALL_RRTYPES
Definition: output-json-dns.c:108
util-debug.h
DNS_RRTYPE_MF
@ DNS_RRTYPE_MF
Definition: output-json-dns.c:114
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LOG_MINFO
#define LOG_MINFO
Definition: output-json-dns.c:57
LOG_SIG
#define LOG_SIG
Definition: output-json-dns.c:67
DNS_RRTYPE_RP
@ DNS_RRTYPE_RP
Definition: output-json-dns.c:127
output-json.h
LOG_KX
#define LOG_KX
Definition: output-json-dns.c:77
LOG_A
#define LOG_A
Definition: output-json-dns.c:44
LOG_MF
#define LOG_MF
Definition: output-json-dns.c:47
DNS_RRTYPE_CDNSKEY
@ DNS_RRTYPE_CDNSKEY
Definition: output-json-dns.c:162
LogDnsLogThread_
Definition: output-json-dns.c:246
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:457
DNS_RRTYPE_IPSECKEY
@ DNS_RRTYPE_IPSECKEY
Definition: output-json-dns.c:152
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:806
DNS_RRTYPE_KEY
@ DNS_RRTYPE_KEY
Definition: output-json-dns.c:135
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DNS_RRTYPE_NSEC3PARAM
@ DNS_RRTYPE_NSEC3PARAM
Definition: output-json-dns.c:158
LOG_RT
#define LOG_RT
Definition: output-json-dns.c:64
LogDnsLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-dns.c:248
LOG_SSHFP
#define LOG_SSHFP
Definition: output-json-dns.c:84
OutputInitResult_::ok
bool ok
Definition: output.h:48
DNS_RRTYPE_A
@ DNS_RRTYPE_A
Definition: output-json-dns.c:111
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
DNS_RRTYPE_DNAME
@ DNS_RRTYPE_DNAME
Definition: output-json-dns.c:147
app-layer-parser.h
DNS_RRTYPE_RRSIG
@ DNS_RRTYPE_RRSIG
Definition: output-json-dns.c:153
DNS_RRTYPE_DS
@ DNS_RRTYPE_DS
Definition: output-json-dns.c:150
LOG_RRSIG
#define LOG_RRSIG
Definition: output-json-dns.c:86
LOG_MG
#define LOG_MG
Definition: output-json-dns.c:51
DNS_RRTYPE_MAILA
@ DNS_RRTYPE_MAILA
Definition: output-json-dns.c:167
DNS_RRTYPE_TXT
@ DNS_RRTYPE_TXT
Definition: output-json-dns.c:126
Packet_
Definition: decode.h:475
DNS_RRTYPE_AFSDB
@ DNS_RRTYPE_AFSDB
Definition: output-json-dns.c:128
DNS_RRTYPE_ATMA
@ DNS_RRTYPE_ATMA
Definition: output-json-dns.c:142
DNS_RRTYPE_KX
@ DNS_RRTYPE_KX
Definition: output-json-dns.c:144
DNS_RRTYPE_PTR
@ DNS_RRTYPE_PTR
Definition: output-json-dns.c:122
conf.h
DNS_RRTYPE_NSAP
@ DNS_RRTYPE_NSAP
Definition: output-json-dns.c:132
LOG_ANY
#define LOG_ANY
Definition: output-json-dns.c:100
TmEcode
TmEcode
Definition: tm-threads-common.h:79
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:61
LOG_MB
#define LOG_MB
Definition: output-json-dns.c:50
LogDnsFileCtx_
Definition: output-json-dns.c:240
LOG_PTR
#define LOG_PTR
Definition: output-json-dns.c:55
DNS_RRTYPE_ISDN
@ DNS_RRTYPE_ISDN
Definition: output-json-dns.c:130
DNS_RRTYPE_TLSA
@ DNS_RRTYPE_TLSA
Definition: output-json-dns.c:159
DNS_RRTYPE_NSEC3
@ DNS_RRTYPE_NSEC3
Definition: output-json-dns.c:157
LOG_HTTPS
#define LOG_HTTPS
Definition: output-json-dns.c:105
DNS_RRTYPE_A6
@ DNS_RRTYPE_A6
Definition: output-json-dns.c:146
DNS_RRTYPE_CERT
@ DNS_RRTYPE_CERT
Definition: output-json-dns.c:145
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:781
LOG_HIP
#define LOG_HIP
Definition: output-json-dns.c:93
util-mem.h
LOG_NSAP
#define LOG_NSAP
Definition: output-json-dns.c:65
LOG_AAAA
#define LOG_AAAA
Definition: output-json-dns.c:71
LOG_DHCID
#define LOG_DHCID
Definition: output-json-dns.c:89
OutputInitResult_
Definition: output.h:46
Packet_::flow
struct Flow_ * flow
Definition: decode.h:514
DNS_RRTYPE_SIG
@ DNS_RRTYPE_SIG
Definition: output-json-dns.c:134
AlertJsonDns
bool AlertJsonDns(void *txptr, JsonBuilder *js)
Definition: output-json-dns.c:251
DNS_RRTYPE_NXT
@ DNS_RRTYPE_NXT
Definition: output-json-dns.c:140
LOG_CNAME
#define LOG_CNAME
Definition: output-json-dns.c:48
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
version
uint8_t version
Definition: decode-gre.h:1
LogDnsFileCtx
struct LogDnsFileCtx_ LogDnsFileCtx
LOG_QUERIES
#define LOG_QUERIES
Definition: output-json-dns.c:41
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
LOG_FORMAT_GROUPED
#define LOG_FORMAT_GROUPED
Definition: output-json-dns.c:103
LogDnsLogThread
struct LogDnsLogThread_ LogDnsLogThread
threadvars.h
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:38
output-json-dns.h
LOG_NSAPPTR
#define LOG_NSAPPTR
Definition: output-json-dns.c:66
LOGGER_JSON_TX
@ LOGGER_JSON_TX
Definition: suricata-common.h:468
DNS_RRTYPE_DNSKEY
@ DNS_RRTYPE_DNSKEY
Definition: output-json-dns.c:155
JsonDnsLogRegister
void JsonDnsLogRegister(void)
Definition: output-json-dns.c:671
DNS_RRTYPE_MG
@ DNS_RRTYPE_MG
Definition: output-json-dns.c:118
LOG_CDNSKEY
#define LOG_CDNSKEY
Definition: output-json-dns.c:95
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DNS_RRTYPE_MR
@ DNS_RRTYPE_MR
Definition: output-json-dns.c:119
ConfNode_
Definition: conf.h:32
LOG_ISDN
#define LOG_ISDN
Definition: output-json-dns.c:63
LOG_OPT
#define LOG_OPT
Definition: output-json-dns.c:81
DNS_RRTYPE_SOA
@ DNS_RRTYPE_SOA
Definition: output-json-dns.c:116
DNS_RRTYPE_RT
@ DNS_RRTYPE_RT
Definition: output-json-dns.c:131
LOG_X25
#define LOG_X25
Definition: output-json-dns.c:62
LOG_MX
#define LOG_MX
Definition: output-json-dns.c:58
DNS_RRTYPE_APL
@ DNS_RRTYPE_APL
Definition: output-json-dns.c:149
DNS_RRTYPE_SSHFP
@ DNS_RRTYPE_SSHFP
Definition: output-json-dns.c:151
LOG_FORMAT_DETAILED
#define LOG_FORMAT_DETAILED
Definition: output-json-dns.c:104
DNS_RRTYPE_NSAPPTR
@ DNS_RRTYPE_NSAPPTR
Definition: output-json-dns.c:133
DNS_RRTYPE_MB
@ DNS_RRTYPE_MB
Definition: output-json-dns.c:117
DNS_RRTYPE_CDS
@ DNS_RRTYPE_CDS
Definition: output-json-dns.c:161
LOG_FORMAT_ALL
#define LOG_FORMAT_ALL
Definition: output-json-dns.c:107
DetectGetInnerTx
void * DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
Definition: detect.c:1074
LOG_TXT
#define LOG_TXT
Definition: output-json-dns.c:59
flags
uint64_t flags
Definition: output-json-dns.c:175
LOG_IPSECKEY
#define LOG_IPSECKEY
Definition: output-json-dns.c:85
DNS_RRTYPE_MD
@ DNS_RRTYPE_MD
Definition: output-json-dns.c:113
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
DNS_RRTYPE_NAPTR
@ DNS_RRTYPE_NAPTR
Definition: output-json-dns.c:143
DNS_RRTYPE_SRV
@ DNS_RRTYPE_SRV
Definition: output-json-dns.c:141
DNS_RRTYPE_MINFO
@ DNS_RRTYPE_MINFO
Definition: output-json-dns.c:124
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LogDnsLogThread_::dnslog_ctx
LogDnsFileCtx * dnslog_ctx
Definition: output-json-dns.c:247
LOG_A6
#define LOG_A6
Definition: output-json-dns.c:79
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
LogDnsFileCtx_::version
uint8_t version
Definition: output-json-dns.c:243
output.h
DNS_RRTYPE_CNAME
@ DNS_RRTYPE_CNAME
Definition: output-json-dns.c:115
LOG_PX
#define LOG_PX
Definition: output-json-dns.c:69
LOG_SPF
#define LOG_SPF
Definition: output-json-dns.c:96
config_rrtype
const char * config_rrtype
Definition: output-json-dns.c:174
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:809
LOG_AFSDB
#define LOG_AFSDB
Definition: output-json-dns.c:61