/* Bit flags for the EVE DNS logger.  Each is a single bit of a uint64_t
 * mask (BIT_U64 is defined elsewhere); the parsed configuration is
 * accumulated into dnslog_ctx->flags further down in this file. */

/* Which transaction directions are logged. */
#define LOG_QUERIES BIT_U64(0)
#define LOG_ANSWERS BIT_U64(1)

/* One bit per DNS RR type that may be logged.  Bits 2..59 here; the
 * LOG_HTTPS type sits at bit 62, after the format bits below. */
#define LOG_A BIT_U64(2)
#define LOG_NS BIT_U64(3)
#define LOG_MD BIT_U64(4)
#define LOG_MF BIT_U64(5)
#define LOG_CNAME BIT_U64(6)
#define LOG_SOA BIT_U64(7)
#define LOG_MB BIT_U64(8)
#define LOG_MG BIT_U64(9)
#define LOG_MR BIT_U64(10)
#define LOG_NULL BIT_U64(11)
#define LOG_WKS BIT_U64(12)
#define LOG_PTR BIT_U64(13)
#define LOG_HINFO BIT_U64(14)
#define LOG_MINFO BIT_U64(15)
#define LOG_MX BIT_U64(16)
#define LOG_TXT BIT_U64(17)
#define LOG_RP BIT_U64(18)
#define LOG_AFSDB BIT_U64(19)
#define LOG_X25 BIT_U64(20)
#define LOG_ISDN BIT_U64(21)
#define LOG_RT BIT_U64(22)
#define LOG_NSAP BIT_U64(23)
#define LOG_NSAPPTR BIT_U64(24)
#define LOG_SIG BIT_U64(25)
#define LOG_KEY BIT_U64(26)
#define LOG_PX BIT_U64(27)
#define LOG_GPOS BIT_U64(28)
#define LOG_AAAA BIT_U64(29)
#define LOG_LOC BIT_U64(30)
#define LOG_NXT BIT_U64(31)
#define LOG_SRV BIT_U64(32)
#define LOG_ATMA BIT_U64(33)
#define LOG_NAPTR BIT_U64(34)
#define LOG_KX BIT_U64(35)
#define LOG_CERT BIT_U64(36)
#define LOG_A6 BIT_U64(37)
#define LOG_DNAME BIT_U64(38)
#define LOG_OPT BIT_U64(39)
#define LOG_APL BIT_U64(40)
#define LOG_DS BIT_U64(41)
#define LOG_SSHFP BIT_U64(42)
#define LOG_IPSECKEY BIT_U64(43)
#define LOG_RRSIG BIT_U64(44)
#define LOG_NSEC BIT_U64(45)
#define LOG_DNSKEY BIT_U64(46)
#define LOG_DHCID BIT_U64(47)
#define LOG_NSEC3 BIT_U64(48)
#define LOG_NSEC3PARAM BIT_U64(49)
#define LOG_TLSA BIT_U64(50)
#define LOG_HIP BIT_U64(51)
#define LOG_CDS BIT_U64(52)
#define LOG_CDNSKEY BIT_U64(53)
#define LOG_SPF BIT_U64(54)
#define LOG_TKEY BIT_U64(55)
#define LOG_TSIG BIT_U64(56)
#define LOG_MAILA BIT_U64(57)
#define LOG_ANY BIT_U64(58)
#define LOG_URI BIT_U64(59)

/* Output format selection; these are not RR types and are masked out of
 * LOG_ALL_RRTYPES below. */
#define LOG_FORMAT_GROUPED BIT_U64(60)
#define LOG_FORMAT_DETAILED BIT_U64(61)
/* RR type placed after the format bits.  With this, only bit 63 of the
 * 64-bit mask is still unassigned; adding another flag needs a wider
 * mask or a second field. */
#define LOG_HTTPS BIT_U64(62)

#define LOG_FORMAT_ALL (LOG_FORMAT_GROUPED|LOG_FORMAT_DETAILED)
/* Every bit that is neither a direction nor a format flag, i.e. all RR-type
 * bits (including LOG_HTTPS at 62 and the unassigned bit 63).  The cast
 * keeps the complement in uint64_t rather than int. */
#define LOG_ALL_RRTYPES (~(uint64_t)(LOG_QUERIES|LOG_ANSWERS|LOG_FORMAT_DETAILED|LOG_FORMAT_GROUPED))
179 } dns_rrtype_fields[] = {
253 static JsonBuilder *JsonDNSLogQuery(
void *txptr)
255 JsonBuilder *queryjb = jb_new_array();
256 if (queryjb == NULL) {
259 bool has_query =
false;
261 for (uint16_t i = 0; i < UINT16_MAX; i++) {
262 JsonBuilder *js = jb_new_object();
269 jb_append_object(queryjb, js);
282 static JsonBuilder *JsonDNSLogAnswer(
void *txptr)
287 JsonBuilder *js = jb_new_object();
297 jb_open_object(js,
"dns");
298 JsonBuilder *qjs = JsonDNSLogQuery(txptr);
300 jb_set_object(js,
"query", qjs);
304 JsonBuilder *ajs = JsonDNSLogAnswer(txptr);
306 jb_set_object(js,
"answer", ajs);
314 static int JsonDnsLoggerToServer(
ThreadVars *
tv,
void *thread_data,
315 const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
326 for (uint16_t i = 0; i < 0xffff; i++) {
332 jb_open_object(jb,
"dns");
346 static int JsonDnsLoggerToClient(
ThreadVars *
tv,
void *thread_data,
347 const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
364 jb_open_object(jb,
"dns");
375 void *txptr, uint64_t tx_id)
377 if (rs_dns_tx_is_request(txptr)) {
378 return JsonDnsLoggerToServer(
tv, thread_data, p, f, alstate, txptr, tx_id);
379 }
else if (rs_dns_tx_is_response(txptr)) {
380 return JsonDnsLoggerToClient(
tv, thread_data, p, f, alstate, txptr, tx_id);
385 static TmEcode LogDnsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
393 SCLogDebug(
"Error getting context for EveLogDNS. \"initdata\" argument NULL");
427 static void LogDnsLogDeInitCtxSub(
OutputCtx *output_ctx)
429 SCLogDebug(
"cleaning up sub output_ctx %p", output_ctx);
436 const char *query_key,
const char *answer_key,
437 const char *answer_types_key)
451 if (response != NULL) {
469 dnslog_ctx->
flags |= dns_rrtype_fields[f].flags;
479 static void JsonDnsCheckVersion(
ConfNode *conf)
485 static bool v1_deprecation_warned =
false;
487 if (has_version != NULL) {
488 bool invalid =
false;
489 intmax_t config_version;
491 switch(config_version) {
495 if (!v1_deprecation_warned) {
496 SCLogWarning(
"DNS EVE v1 logging has been removed, will use v2");
497 v1_deprecation_warned =
true;
508 SCLogWarning(
"Invalid EVE DNS version \"%s\", will use v2", has_version->
val);
515 dnslog_ctx->
flags = ~0ULL;
518 JsonDnsLogParseConfig(dnslog_ctx, conf,
"requests",
"responses",
"types");
525 if (strcasecmp(field->
val,
"detailed") == 0) {
527 }
else if (strcasecmp(field->
val,
"grouped") == 0) {
537 SCLogWarning(
"Empty EVE DNS format array, using defaults");
557 JsonDnsCheckVersion(conf);
574 output_ctx->
data = dnslog_ctx;
575 output_ctx->
DeInit = LogDnsLogDeInitCtxSub;
577 JsonDnsLogInitFilters(dnslog_ctx, conf);
584 result.
ctx = output_ctx;
590 #define MODULE_NAME "JsonDnsLog"
594 JsonDnsLogInitCtxSub,
ALPROTO_DNS, JsonDnsLogger, LogDnsLogThreadInit,
595 LogDnsLogThreadDeinit, NULL);