1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements JSON DNS logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "conf.h"
28 
29 #include "threadvars.h"
30 
31 #include "util-byte.h"
32 #include "util-debug.h"
33 #include "util-mem.h"
34 #include "app-layer-parser.h"
35 #include "output.h"
36 #include "decode.h"
37 
38 #include "output-json.h"
39 #include "output-json-dns.h"
40 #include "rust.h"
41 
/* Bit layout of LogDnsFileCtx::flags (a uint64_t bitmask).
 * Bits 0-1 select which transaction directions are logged, bits 2-59 and 62
 * select which answer RR types are logged, bits 60-61 select the answer output
 * format(s). No flag is defined for bit 63 in this file. */
#define LOG_QUERIES BIT_U64(0)
#define LOG_ANSWERS BIT_U64(1)

/* One bit per DNS RR type that can be named in the "types" config list. The
 * config name -> bit mapping is the dns_rrtype_fields table below. */
#define LOG_A BIT_U64(2)
#define LOG_NS BIT_U64(3)
#define LOG_MD BIT_U64(4)
#define LOG_MF BIT_U64(5)
#define LOG_CNAME BIT_U64(6)
#define LOG_SOA BIT_U64(7)
#define LOG_MB BIT_U64(8)
#define LOG_MG BIT_U64(9)
#define LOG_MR BIT_U64(10)
#define LOG_NULL BIT_U64(11)
#define LOG_WKS BIT_U64(12)
#define LOG_PTR BIT_U64(13)
#define LOG_HINFO BIT_U64(14)
#define LOG_MINFO BIT_U64(15)
#define LOG_MX BIT_U64(16)
#define LOG_TXT BIT_U64(17)
#define LOG_RP BIT_U64(18)
#define LOG_AFSDB BIT_U64(19)
#define LOG_X25 BIT_U64(20)
#define LOG_ISDN BIT_U64(21)
#define LOG_RT BIT_U64(22)
#define LOG_NSAP BIT_U64(23)
#define LOG_NSAPPTR BIT_U64(24)
#define LOG_SIG BIT_U64(25)
#define LOG_KEY BIT_U64(26)
#define LOG_PX BIT_U64(27)
#define LOG_GPOS BIT_U64(28)
#define LOG_AAAA BIT_U64(29)
#define LOG_LOC BIT_U64(30)
#define LOG_NXT BIT_U64(31)
#define LOG_SRV BIT_U64(32)
#define LOG_ATMA BIT_U64(33)
#define LOG_NAPTR BIT_U64(34)
#define LOG_KX BIT_U64(35)
#define LOG_CERT BIT_U64(36)
#define LOG_A6 BIT_U64(37)
#define LOG_DNAME BIT_U64(38)
#define LOG_OPT BIT_U64(39)
#define LOG_APL BIT_U64(40)
#define LOG_DS BIT_U64(41)
#define LOG_SSHFP BIT_U64(42)
#define LOG_IPSECKEY BIT_U64(43)
#define LOG_RRSIG BIT_U64(44)
#define LOG_NSEC BIT_U64(45)
#define LOG_DNSKEY BIT_U64(46)
#define LOG_DHCID BIT_U64(47)
#define LOG_NSEC3 BIT_U64(48)
#define LOG_NSEC3PARAM BIT_U64(49)
#define LOG_TLSA BIT_U64(50)
#define LOG_HIP BIT_U64(51)
#define LOG_CDS BIT_U64(52)
#define LOG_CDNSKEY BIT_U64(53)
#define LOG_SPF BIT_U64(54)
#define LOG_TKEY BIT_U64(55)
#define LOG_TSIG BIT_U64(56)
#define LOG_MAILA BIT_U64(57)
#define LOG_ANY BIT_U64(58)
#define LOG_URI BIT_U64(59)

/* Answer output formats; both may be set at once (LOG_FORMAT_ALL). */
#define LOG_FORMAT_GROUPED BIT_U64(60)
#define LOG_FORMAT_DETAILED BIT_U64(61)
/* An RR type bit that sits outside the contiguous range above because bits
 * 60-61 are taken by the format flags; it is still part of LOG_ALL_RRTYPES. */
#define LOG_HTTPS BIT_U64(62)

#define LOG_FORMAT_ALL (LOG_FORMAT_GROUPED|LOG_FORMAT_DETAILED)
/* Every bit that is not a direction or format flag: all RR type bits,
 * including LOG_HTTPS and the otherwise unused bit 63. */
#define LOG_ALL_RRTYPES (~(uint64_t)(LOG_QUERIES|LOG_ANSWERS|LOG_FORMAT_DETAILED|LOG_FORMAT_GROUPED))
110 
111 typedef enum {
172 } DnsRRTypes;
173 
/* Maps the RR type names accepted in the "types" list of the eve-log dns
 * config to their LOG_* flag bit. JsonDnsLogParseConfig() walks this table
 * with DnsRRTypes values as indices, so the row order must stay identical
 * to that enum. */
static struct {
    const char *config_rrtype; /* name as written in the config (compared case-insensitively) */
    uint64_t flags;            /* LOG_* bit enabled by that name */
} dns_rrtype_fields[] = {
    // clang-format off
    { .config_rrtype = "a",          .flags = LOG_A },
    { .config_rrtype = "ns",         .flags = LOG_NS },
    { .config_rrtype = "md",         .flags = LOG_MD },
    { .config_rrtype = "mf",         .flags = LOG_MF },
    { .config_rrtype = "cname",      .flags = LOG_CNAME },
    { .config_rrtype = "soa",        .flags = LOG_SOA },
    { .config_rrtype = "mb",         .flags = LOG_MB },
    { .config_rrtype = "mg",         .flags = LOG_MG },
    { .config_rrtype = "mr",         .flags = LOG_MR },
    { .config_rrtype = "null",       .flags = LOG_NULL },
    { .config_rrtype = "wks",        .flags = LOG_WKS },
    { .config_rrtype = "ptr",        .flags = LOG_PTR },
    { .config_rrtype = "hinfo",      .flags = LOG_HINFO },
    { .config_rrtype = "minfo",      .flags = LOG_MINFO },
    { .config_rrtype = "mx",         .flags = LOG_MX },
    { .config_rrtype = "txt",        .flags = LOG_TXT },
    { .config_rrtype = "rp",         .flags = LOG_RP },
    { .config_rrtype = "afsdb",      .flags = LOG_AFSDB },
    { .config_rrtype = "x25",        .flags = LOG_X25 },
    { .config_rrtype = "isdn",       .flags = LOG_ISDN },
    { .config_rrtype = "rt",         .flags = LOG_RT },
    { .config_rrtype = "nsap",       .flags = LOG_NSAP },
    { .config_rrtype = "nsapptr",    .flags = LOG_NSAPPTR },
    { .config_rrtype = "sig",        .flags = LOG_SIG },
    { .config_rrtype = "key",        .flags = LOG_KEY },
    { .config_rrtype = "px",         .flags = LOG_PX },
    { .config_rrtype = "gpos",       .flags = LOG_GPOS },
    { .config_rrtype = "aaaa",       .flags = LOG_AAAA },
    { .config_rrtype = "loc",        .flags = LOG_LOC },
    { .config_rrtype = "nxt",        .flags = LOG_NXT },
    { .config_rrtype = "srv",        .flags = LOG_SRV },
    { .config_rrtype = "atma",       .flags = LOG_ATMA },
    { .config_rrtype = "naptr",      .flags = LOG_NAPTR },
    { .config_rrtype = "kx",         .flags = LOG_KX },
    { .config_rrtype = "cert",       .flags = LOG_CERT },
    { .config_rrtype = "a6",         .flags = LOG_A6 },
    { .config_rrtype = "dname",      .flags = LOG_DNAME },
    { .config_rrtype = "opt",        .flags = LOG_OPT },
    { .config_rrtype = "apl",        .flags = LOG_APL },
    { .config_rrtype = "ds",         .flags = LOG_DS },
    { .config_rrtype = "sshfp",      .flags = LOG_SSHFP },
    { .config_rrtype = "ipseckey",   .flags = LOG_IPSECKEY },
    { .config_rrtype = "rrsig",      .flags = LOG_RRSIG },
    { .config_rrtype = "nsec",       .flags = LOG_NSEC },
    { .config_rrtype = "dnskey",     .flags = LOG_DNSKEY },
    { .config_rrtype = "dhcid",      .flags = LOG_DHCID },
    { .config_rrtype = "nsec3",      .flags = LOG_NSEC3 },
    { .config_rrtype = "nsec3param", .flags = LOG_NSEC3PARAM },
    { .config_rrtype = "tlsa",       .flags = LOG_TLSA },
    { .config_rrtype = "hip",        .flags = LOG_HIP },
    { .config_rrtype = "cds",        .flags = LOG_CDS },
    { .config_rrtype = "cdnskey",    .flags = LOG_CDNSKEY },
    { .config_rrtype = "https",      .flags = LOG_HTTPS },
    { .config_rrtype = "spf",        .flags = LOG_SPF },
    { .config_rrtype = "tkey",       .flags = LOG_TKEY },
    { .config_rrtype = "tsig",       .flags = LOG_TSIG },
    { .config_rrtype = "maila",      .flags = LOG_MAILA },
    { .config_rrtype = "any",        .flags = LOG_ANY },
    { .config_rrtype = "uri",        .flags = LOG_URI }
    // clang-format on
};
240 
241 typedef struct LogDnsFileCtx_ {
242  uint64_t flags; /** Store mode */
244  uint8_t version;
246 
247 typedef struct LogDnsLogThread_ {
251 
/**
 * \brief Log a DNS transaction into an alert's JSON object.
 *
 * Thin wrapper around SCDnsLogJson(). The remainder of the call (the flags
 * argument) is not shown in this rendering, so check the repository for which
 * LOG_* bits alerts use.
 *
 * \param txptr opaque DNS transaction pointer
 * \param js    JSON builder the "dns" content is appended to
 * \return whatever SCDnsLogJson() returns
 */
bool AlertJsonDns(void *txptr, SCJsonBuilder *js)
{
    return SCDnsLogJson(
}
257 
/**
 * \brief Log a DoH2 transaction into an alert's JSON object.
 *
 * Emits the HTTP/2 part first, then at most one inner DNS transaction (the
 * to-client one if present, else the to-server one). Each part is written at
 * a saved mark and rolled back with SCJbRestoreMark() when its logger reports
 * failure, so a failed part leaves no partial output behind.
 *
 * \param txptr DoH2 (HTTP/2) transaction
 * \param js    JSON builder the output is appended to
 * \return true if at least one of the two parts was logged
 */
bool AlertJsonDoh2(void *txptr, SCJsonBuilder *js)
{
    SCJsonBuilderMark mark = { 0, 0, 0 };

    /* HTTP/2 part */
    SCJbGetMark(js, &mark);
    const bool http2_logged = SCHttp2LogJson(txptr, js);
    if (!http2_logged) {
        SCJbRestoreMark(js, &mark);
    }

    /* DNS part: prefer the to-client tx, fall back to the to-server one */
    void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
    if (tx_dns == NULL) {
        tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
    }
    if (tx_dns == NULL) {
        return http2_logged;
    }

    SCJbGetMark(js, &mark);
    const bool dns_logged = AlertJsonDns(tx_dns, js);
    if (!dns_logged) {
        SCJbRestoreMark(js, &mark);
    }
    return http2_logged || dns_logged;
}
283 
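/**
 * \brief EVE tx logger for DoH2 (DNS over HTTP/2) transactions.
 *
 * Writes one EVE record per DoH2 transaction: the HTTP/2 part first, then the
 * inner DNS transaction (the to-client one if present, else the to-server one)
 * rendered with this logger's DNS config (direction, type and format filters).
 * Each part is written at a saved mark and rolled back if its logger fails;
 * the record is emitted only if at least one part was logged.
 *
 * \param tv          thread vars, passed through to the output buffer
 * \param thread_data LogDnsLogThread set up by LogDnsLogThreadInit()
 * \param p           packet that completed the transaction
 * \param f           unused, the flow is taken from p->flow
 * \param alstate     unused
 * \param txptr       DoH2 transaction
 * \param tx_id       unused
 * \return TM_ECODE_OK in all cases, including allocation failure
 */
static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f,
        void *alstate, void *txptr, uint64_t tx_id)
{
    LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
    LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
    const uint64_t flags = dnslog_ctx->flags;

    void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
    if (tx_dns == NULL) {
        tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
    }

    /* DoH2 is always logged in flow direction, as it is driven by the scope of
     * an HTTP transaction. The event type is "dns" when an inner DNS tx exists,
     * "http" otherwise. */
    SCJsonBuilder *jb =
            CreateEveHeader(p, LOG_DIR_FLOW, tx_dns ? "dns" : "http", NULL, dnslog_ctx->eve_ctx);
    if (unlikely(jb == NULL)) {
        return TM_ECODE_OK;
    }

    SCJsonBuilderMark mark = { 0, 0, 0 };

    /* HTTP/2 part first */
    SCJbGetMark(jb, &mark);
    bool r = SCHttp2LogJson(txptr, jb);
    if (!r) {
        SCJbRestoreMark(jb, &mark);
    }

    /* DNS part, subject to the same filters as JsonDnsLogger. The branch hint
     * wraps the whole comparison: a disabled direction is the unlikely case. */
    bool r2 = false;
    if (tx_dns) {
        if (SCDnsTxIsRequest(tx_dns)) {
            if (unlikely((flags & LOG_QUERIES) == 0)) {
                goto out;
            }
        } else if (SCDnsTxIsResponse(tx_dns)) {
            if (unlikely((flags & LOG_ANSWERS) == 0)) {
                goto out;
            }
        }

        if (!SCDnsLogEnabled(tx_dns, flags)) {
            goto out;
        }

        SCJbGetMark(jb, &mark);
        r2 = SCDnsLogJson(tx_dns, flags, jb);
        if (!r2) {
            SCJbRestoreMark(jb, &mark);
        }
    }
out:
    /* a record with neither part is dropped rather than emitted empty */
    if (r || r2) {
        OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
    }
    SCJbFree(jb);
    return TM_ECODE_OK;
}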
344 
/**
 * \brief EVE v2 logger for a DNS request transaction.
 *
 * Emits one "dns" record per query in the transaction, iterating query
 * indices until SCDnsLogJsonQuery() returns false. Nothing is logged when
 * LOG_QUERIES is not set.
 *
 * \param tv          thread vars, passed through to the output buffer
 * \param thread_data LogDnsLogThread set up by LogDnsLogThreadInit()
 * \param p           packet that completed the transaction
 * \param f           unused, the flow is taken from p->flow
 * \param alstate     unused
 * \param txptr       DNS transaction
 * \param tx_id       unused
 * \return TM_ECODE_OK on the visible paths
 */
static int JsonDnsLoggerToServer(ThreadVars *tv, void *thread_data,
        const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id)
{
    SCEnter();

    LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
    LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;

    /* NOTE(review): unlikely() wraps only the masked value, so the branch hint
     * is inverted; the comparison itself is correct. Intended form:
     * unlikely((flags & LOG_QUERIES) == 0). */
    if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
        return TM_ECODE_OK;
    }

    /* one record per query index; the bound leaves index 0xffff unused */
    for (uint16_t i = 0; i < 0xffff; i++) {
        SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
        if (unlikely(jb == NULL)) {
            return TM_ECODE_OK;
        }

        SCJbOpenObject(jb, "dns");
        SCJbSetInt(jb, "version", 2);
        /* a false return ends the loop; the record built so far is discarded */
        if (!SCDnsLogJsonQuery(txptr, i, td->dnslog_ctx->flags, jb)) {
            SCJbFree(jb);
            break;
        }
        SCJbClose(jb);

        OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
        SCJbFree(jb);
    }

    /* (one source line is not shown in this rendering at this point;
     * presumably the SCReturnInt() that pairs with SCEnter() above — confirm
     * against the repository) */
}
377 
/**
 * \brief EVE v2 logger for a DNS response transaction.
 *
 * Emits a single "dns" record with the answer rendered by
 * SCDnsLogJsonAnswer(), but only when LOG_ANSWERS is set and
 * SCDnsLogAnswerEnabled() accepts the transaction under the configured flags.
 *
 * \param tv          thread vars, passed through to the output buffer
 * \param thread_data LogDnsLogThread set up by LogDnsLogThreadInit()
 * \param p           packet that completed the transaction
 * \param f           unused, the flow is taken from p->flow
 * \param alstate     unused
 * \param txptr       DNS transaction
 * \param tx_id       unused
 * \return TM_ECODE_OK on the visible paths
 */
static int JsonDnsLoggerToClient(ThreadVars *tv, void *thread_data,
        const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id)
{
    SCEnter();

    LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
    LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;

    /* NOTE(review): unlikely() wraps only the masked value, so the branch hint
     * is inverted; the comparison itself is correct. Intended form:
     * unlikely((flags & LOG_ANSWERS) == 0). */
    if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
        return TM_ECODE_OK;
    }

    if (SCDnsLogAnswerEnabled(txptr, td->dnslog_ctx->flags)) {
        SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
        if (unlikely(jb == NULL)) {
            return TM_ECODE_OK;
        }

        SCJbOpenObject(jb, "dns");
        SCJbSetInt(jb, "version", 2);
        /* the result of SCDnsLogJsonAnswer() is not checked; the record is
         * emitted unconditionally after it */
        SCDnsLogJsonAnswer(txptr, td->dnslog_ctx->flags, jb);
        SCJbClose(jb);
        OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
        SCJbFree(jb);
    }

    /* (one source line is not shown in this rendering at this point;
     * presumably the SCReturnInt() that pairs with SCEnter() above — confirm
     * against the repository) */
}
406 
/**
 * \brief EVE tx logger entry point for DNS transactions.
 *
 * For DNS_LOG_VERSION_2 output, dispatches to JsonDnsLoggerToServer()
 * (requests) or JsonDnsLoggerToClient() (responses). For any other version
 * the record is built here: the direction filter (LOG_QUERIES / LOG_ANSWERS)
 * and SCDnsLogEnabled() decide whether the tx is logged at all, then one
 * "dns" record is written with SCDnsLogJson() using the configured flags.
 *
 * \param tv          thread vars, passed through to the output buffer
 * \param thread_data LogDnsLogThread set up by LogDnsLogThreadInit()
 * \param p           packet that completed the transaction
 * \param f           passed through to the v2 loggers only
 * \param alstate     passed through to the v2 loggers only
 * \param txptr       DNS transaction
 * \param tx_id       passed through to the v2 loggers only
 * \return TM_ECODE_OK, or whatever the v2 logger returns
 */
static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *alstate,
        void *txptr, uint64_t tx_id)
{
    LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
    LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;

    if (dnslog_ctx->version == DNS_LOG_VERSION_2) {
        if (SCDnsTxIsRequest(txptr)) {
            return JsonDnsLoggerToServer(tv, thread_data, p, f, alstate, txptr, tx_id);
        } else if (SCDnsTxIsResponse(txptr)) {
            return JsonDnsLoggerToClient(tv, thread_data, p, f, alstate, txptr, tx_id);
        }
        /* a tx that is neither request nor response reaches the final
         * return without logging */
    } else {
        /* NOTE(review): in the two checks below unlikely() wraps only the
         * masked value, so the branch hint is inverted; the comparison itself
         * is correct. Intended form: unlikely((flags & LOG_QUERIES) == 0). */
        if (SCDnsTxIsRequest(txptr)) {
            if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
                return TM_ECODE_OK;
            }
        } else if (SCDnsTxIsResponse(txptr)) {
            if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
                return TM_ECODE_OK;
            }
        }

        if (!SCDnsLogEnabled(txptr, td->dnslog_ctx->flags)) {
            return TM_ECODE_OK;
        }

        /* If UDP we can rely on the packet direction. */
        /* (the declaration and initialisation of `dir` is not shown in this
         * rendering; presumably LOG_DIR_PACKET, which is what the comment
         * above describes — confirm against the repository) */

        /* If not UDP we have to query the transaction for direction, which
         * could be wrong - this is a bit of a hack. */
        if (PacketIsTCP(p)) {
            if (SCDnsTxIsRequest(txptr)) {
                dir = LOG_DIR_FLOW_TOSERVER;
            } else {
                dir = LOG_DIR_FLOW_TOCLIENT;
            }
        }

        SCJsonBuilder *jb = CreateEveHeader(p, dir, "dns", NULL, dnslog_ctx->eve_ctx);
        if (unlikely(jb == NULL)) {
            return TM_ECODE_OK;
        }

        /* only a successfully rendered record is handed to the output */
        if (SCDnsLogJson(txptr, td->dnslog_ctx->flags, jb)) {
            OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
        }
        SCJbFree(jb);
    }
    return TM_ECODE_OK;
}
459 
/**
 * \brief Per-thread setup shared by the DNS and DoH2 EVE loggers.
 *
 * Allocates a LogDnsLogThread, binds it to the LogDnsFileCtx carried in the
 * OutputCtx passed as initdata and creates the per-thread EVE output context.
 *
 * \param t         the worker thread
 * \param initdata  the OutputCtx produced by JsonDnsLogInitCtxSub()
 * \param[out] data receives the LogDnsLogThread on success
 * \return TM_ECODE_OK on success; TM_ECODE_FAILED on allocation failure,
 *         missing initdata, or failure to create the EVE thread context
 */
static TmEcode LogDnsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
    LogDnsLogThread *aft = SCCalloc(1, sizeof(LogDnsLogThread));
    if (unlikely(aft == NULL)) {
        return TM_ECODE_FAILED;
    }

    if (initdata == NULL) {
        SCLogDebug("Error getting context for EveLogDNS. \"initdata\" argument NULL");
        goto error_exit;
    }

    /* Use the Output Context (file pointer and mutex) */
    const OutputCtx *output_ctx = initdata;
    aft->dnslog_ctx = output_ctx->data;
    aft->ctx = CreateEveThreadCtx(t, aft->dnslog_ctx->eve_ctx);
    if (aft->ctx == NULL) {
        goto error_exit;
    }

    *data = aft;
    return TM_ECODE_OK;

error_exit:
    SCFree(aft);
    return TM_ECODE_FAILED;
}
486 
/**
 * \brief Per-thread teardown, counterpart of LogDnsLogThreadInit().
 *
 * Releases the EVE thread context and the LogDnsLogThread itself. A NULL
 * \a data is accepted and treated as nothing to do.
 *
 * \param t    the worker thread (unused)
 * \param data the LogDnsLogThread, may be NULL
 * \return TM_ECODE_OK always
 */
static TmEcode LogDnsLogThreadDeinit(ThreadVars *t, void *data)
{
    LogDnsLogThread *aft = data;
    if (aft == NULL) {
        return TM_ECODE_OK;
    }

    FreeEveThreadCtx(aft->ctx);

    /* scrub before releasing so no stale pointers linger in freed memory */
    memset(aft, 0, sizeof(*aft));
    SCFree(aft);
    return TM_ECODE_OK;
}
501 
/**
 * \brief OutputCtx DeInit callback set by JsonDnsLogInitCtxSub().
 *
 * Frees the LogDnsFileCtx owned by this OutputCtx and then the OutputCtx
 * itself. The eve_ctx inside the LogDnsFileCtx points at the parent's
 * context and is not freed here.
 *
 * \param output_ctx the sub-module OutputCtx being torn down
 */
static void LogDnsLogDeInitCtxSub(OutputCtx *output_ctx)
{
    SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
    SCFree(output_ctx->data);
    SCFree(output_ctx);
}
509 
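/**
 * \brief Apply the request/response/type filters from the config to flags.
 *
 * Reads three optional children of \a conf:
 *  - \a query_key  (bool): log request transactions, default on
 *  - \a answer_key (bool): log response transactions, default on
 *  - \a answer_types_key (list): RR type names to log in answers; when the
 *    list is present the type bits are cleared and only the listed types are
 *    enabled, otherwise every type is enabled.
 *
 * A name in the list that matches no entry of dns_rrtype_fields is skipped
 * with a warning, so a typo in the config is visible instead of silently
 * dropping that type from the log.
 *
 * \param dnslog_ctx       context whose flags are updated in place
 * \param conf             the logger's config node
 * \param query_key        name of the bool child enabling requests
 * \param answer_key       name of the bool child enabling responses
 * \param answer_types_key name of the list child selecting RR types
 */
static void JsonDnsLogParseConfig(LogDnsFileCtx *dnslog_ctx, SCConfNode *conf,
        const char *query_key, const char *answer_key, const char *answer_types_key)
{
    /* an absent key means enabled */
    const char *query = SCConfNodeLookupChildValue(conf, query_key);
    if (query == NULL || SCConfValIsTrue(query)) {
        dnslog_ctx->flags |= LOG_QUERIES;
    } else {
        dnslog_ctx->flags &= ~LOG_QUERIES;
    }

    const char *response = SCConfNodeLookupChildValue(conf, answer_key);
    if (response == NULL || SCConfValIsTrue(response)) {
        dnslog_ctx->flags |= LOG_ANSWERS;
    } else {
        dnslog_ctx->flags &= ~LOG_ANSWERS;
    }

    SCConfNode *custom = SCConfNodeLookupChild(conf, answer_types_key);
    if (custom == NULL) {
        dnslog_ctx->flags |= LOG_ALL_RRTYPES;
        return;
    }

    /* explicit list: start from no types, then enable each named one. The
     * table is bounded by its own size rather than DNS_RRTYPE_MAX so a
     * mismatch between enum and table cannot read past the array. */
    dnslog_ctx->flags &= ~LOG_ALL_RRTYPES;
    const size_t num_rrtypes = sizeof(dns_rrtype_fields) / sizeof(dns_rrtype_fields[0]);
    SCConfNode *field;
    TAILQ_FOREACH (field, &custom->head, next) {
        bool found = false;
        for (size_t i = 0; i < num_rrtypes; i++) {
            if (strcasecmp(dns_rrtype_fields[i].config_rrtype, field->val) == 0) {
                dnslog_ctx->flags |= dns_rrtype_fields[i].flags;
                found = true;
                break;
            }
        }
        if (!found) {
            SCLogWarning("Unknown DNS answer type in config, ignoring: %s", field->val);
        }
    }
}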
552 
/**
 * \brief Resolve the configured EVE DNS log version.
 *
 * Precedence: the "version" child of \a conf, then the SURICATA_EVE_DNS_VERSION
 * environment variable, then DNS_LOG_VERSION_DEFAULT. With a NULL \a conf the
 * environment variable is not consulted. A value that does not parse as an
 * unsigned 8-bit decimal number falls back to the default with a warning.
 * No range check is done here; JsonDnsCheckVersion() validates the number.
 *
 * \param conf logger config node, may be NULL
 * \return the raw version number
 */
static uint8_t GetDnsLogVersion(SCConfNode *conf)
{
    if (conf == NULL) {
        return DNS_LOG_VERSION_DEFAULT;
    }

    const SCConfNode *version_node = SCConfNodeLookupChild(conf, "version");
    const char *version_string = (version_node != NULL) ? version_node->val : NULL;
    if (version_string == NULL) {
        version_string = getenv("SURICATA_EVE_DNS_VERSION");
    }
    if (version_string == NULL) {
        return DNS_LOG_VERSION_DEFAULT;
    }

    uint8_t version = 0;
    if (StringParseUint8(&version, 10, 0, version_string) <= 0) {
        SCLogWarning("Failed to parse EVE DNS log version of \"%s\"", version_string);
        return DNS_LOG_VERSION_DEFAULT;
    }
    return version;
}
580 
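/**
 * \brief Map the configured version number onto a supported DNS_LOG_VERSION_*.
 *
 * 3 is returned as is; 2 is accepted with a one-time deprecation notice;
 * 1 is no longer supported and maps to the default with a one-time warning;
 * anything else is rejected with a warning and maps to the default.
 *
 * NOTE(review): the one-time flags are plain statics, presumably fine because
 * logger init runs single-threaded — confirm. The v1 message says "will use
 * v2" while the code returns DNS_LOG_VERSION_DEFAULT; the two agree only if
 * the default is 2 — confirm against the header.
 *
 * \param conf logger config node, may be NULL
 * \return DNS_LOG_VERSION_3, DNS_LOG_VERSION_2 or DNS_LOG_VERSION_DEFAULT
 */
static uint8_t JsonDnsCheckVersion(SCConfNode *conf)
{
    const uint8_t default_version = DNS_LOG_VERSION_DEFAULT;
    const uint8_t version = GetDnsLogVersion(conf);
    static bool v1_deprecation_warned = false;
    static bool v2_deprecation_warned = false;

    /* every case returns, so no trailing return is needed after the switch */
    switch (version) {
        case 3:
            return DNS_LOG_VERSION_3;
        case 2:
            if (!v2_deprecation_warned) {
                SCLogNotice("DNS EVE v2 logging has been deprecated and will be removed in "
                            "Suricata 9.0");
                v2_deprecation_warned = true;
            }
            return DNS_LOG_VERSION_2;
        case 1:
            if (!v1_deprecation_warned) {
                SCLogWarning("DNS EVE v1 logging has been removed, will use v2");
                v1_deprecation_warned = true;
            }
            return default_version;
        default:
            SCLogWarning(
                    "Invalid EVE DNS version %d, will use v%d", version, DNS_LOG_VERSION_DEFAULT);
            return default_version;
    }
}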
612 
/**
 * \brief Initialise the flag bitmask of a DNS log context from its config.
 *
 * Starts with every bit set (all directions, all types, all formats), then
 * applies the "requests"/"responses"/"types" children via
 * JsonDnsLogParseConfig(). With a NULL \a conf the all-on defaults stand.
 * The "formats" list is only consulted when responses are logged: a list
 * yielding at least one valid entry replaces the format bits, an empty or
 * all-invalid list keeps the defaults with a warning, and no list at all
 * enables both formats.
 *
 * \param dnslog_ctx context whose flags are (re)initialised
 * \param conf       the logger's config node, may be NULL
 */
static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, SCConfNode *conf)
{
    dnslog_ctx->flags = ~0ULL;

    if (conf) {
        JsonDnsLogParseConfig(dnslog_ctx, conf, "requests", "responses", "types");
        if (dnslog_ctx->flags & LOG_ANSWERS) {
            SCConfNode *format;
            if ((format = SCConfNodeLookupChild(conf, "formats")) != NULL) {
                uint64_t flags = 0;
                SCConfNode *field;
                TAILQ_FOREACH (field, &format->head, next) {
                    if (strcasecmp(field->val, "detailed") == 0) {
                        /* (line not shown in this rendering; presumably
                         * flags |= LOG_FORMAT_DETAILED — confirm) */
                    } else if (strcasecmp(field->val, "grouped") == 0) {
                        /* (line not shown in this rendering; presumably
                         * flags |= LOG_FORMAT_GROUPED — confirm) */
                    } else {
                        SCLogWarning("Invalid JSON DNS log format: %s", field->val);
                    }
                }
                if (flags) {
                    dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
                    dnslog_ctx->flags |= flags;
                } else {
                    SCLogWarning("Empty EVE DNS format array, using defaults");
                }
            } else {
                dnslog_ctx->flags |= LOG_FORMAT_ALL;
            }
        }
    }
}
645 
/**
 * \brief Sub-module init shared by eve-log.dns and eve-log.doh2.
 *
 * Honours "enabled" (absent means enabled; a disabled logger returns ok with
 * a NULL ctx), allocates the LogDnsFileCtx and its OutputCtx wrapper, resolves
 * the log version and applies the filters from \a conf. The LogDnsFileCtx
 * borrows the parent's OutputJsonCtx and is released by
 * LogDnsLogDeInitCtxSub().
 *
 * \param conf       this sub-module's config node
 * \param parent_ctx the eve-log OutputCtx whose data is an OutputJsonCtx
 * \return ok=true with the new ctx, ok=true/ctx=NULL when disabled,
 *         ok=false/ctx=NULL on allocation failure
 */
static OutputInitResult JsonDnsLogInitCtxSub(SCConfNode *conf, OutputCtx *parent_ctx)
{
    OutputInitResult result = { NULL, false };
    /* NOTE(review): conf is passed to the lookup without a NULL check here,
     * while JsonDnsCheckVersion() and JsonDnsLogInitFilters() below do guard
     * it — confirm SCConfNodeLookupChildValue() tolerates a NULL node. */
    const char *enabled = SCConfNodeLookupChildValue(conf, "enabled");
    if (enabled != NULL && !SCConfValIsTrue(enabled)) {
        result.ok = true;
        return result;
    }

    OutputJsonCtx *ojc = parent_ctx->data;

    LogDnsFileCtx *dnslog_ctx = SCCalloc(1, sizeof(LogDnsFileCtx));
    if (unlikely(dnslog_ctx == NULL)) {
        return result;
    }

    dnslog_ctx->eve_ctx = ojc;
    dnslog_ctx->version = JsonDnsCheckVersion(conf);

    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
    if (unlikely(output_ctx == NULL)) {
        SCFree(dnslog_ctx);
        return result;
    }

    output_ctx->data = dnslog_ctx;
    output_ctx->DeInit = LogDnsLogDeInitCtxSub;

    JsonDnsLogInitFilters(dnslog_ctx, conf);

    SCLogDebug("DNS log sub-module initialized");

    /* (two source lines are not shown in this rendering at this point;
     * presumably SCAppLayerParserRegisterLogger() calls — confirm against
     * the repository) */

    result.ctx = output_ctx;
    result.ok = true;
    return result;
}
685 
686 
687 #define MODULE_NAME "JsonDnsLog"
{
    /* Register the DNS EVE tx sub-logger as "eve-log.dns". It shares the
     * config parser and thread init/deinit with the DoH2 logger below. */
    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", MODULE_NAME, "eve-log.dns",
            JsonDnsLogInitCtxSub, ALPROTO_DNS, JsonDnsLogger, LogDnsLogThreadInit,
            LogDnsLogThreadDeinit);
}
694 
{
    /* Register the DoH2 EVE tx sub-logger as "eve-log.doh2". It reuses the
     * DNS config parser, so the same requests/responses/types/formats keys
     * apply to DNS carried over HTTP/2. */
    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonDoH2Log", "eve-log.doh2",
            JsonDnsLogInitCtxSub, ALPROTO_DOH2, JsonDoh2Logger, LogDnsLogThreadInit,
            LogDnsLogThreadDeinit);
}