suricata
output-json-dns.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Implements JSON DNS logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "conf.h"
28 
29 #include "threadvars.h"
30 
31 #include "util-byte.h"
32 #include "util-debug.h"
33 #include "util-mem.h"
34 #include "app-layer-parser.h"
35 #include "output.h"
36 #include "decode.h"
37 
38 #include "output-json.h"
39 #include "output-json-dns.h"
40 #include "rust.h"
41 
42 #define LOG_QUERIES BIT_U64(0)
43 #define LOG_ANSWERS BIT_U64(1)
44 
45 #define LOG_A BIT_U64(2)
46 #define LOG_NS BIT_U64(3)
47 #define LOG_MD BIT_U64(4)
48 #define LOG_MF BIT_U64(5)
49 #define LOG_CNAME BIT_U64(6)
50 #define LOG_SOA BIT_U64(7)
51 #define LOG_MB BIT_U64(8)
52 #define LOG_MG BIT_U64(9)
53 #define LOG_MR BIT_U64(10)
54 #define LOG_NULL BIT_U64(11)
55 #define LOG_WKS BIT_U64(12)
56 #define LOG_PTR BIT_U64(13)
57 #define LOG_HINFO BIT_U64(14)
58 #define LOG_MINFO BIT_U64(15)
59 #define LOG_MX BIT_U64(16)
60 #define LOG_TXT BIT_U64(17)
61 #define LOG_RP BIT_U64(18)
62 #define LOG_AFSDB BIT_U64(19)
63 #define LOG_X25 BIT_U64(20)
64 #define LOG_ISDN BIT_U64(21)
65 #define LOG_RT BIT_U64(22)
66 #define LOG_NSAP BIT_U64(23)
67 #define LOG_NSAPPTR BIT_U64(24)
68 #define LOG_SIG BIT_U64(25)
69 #define LOG_KEY BIT_U64(26)
70 #define LOG_PX BIT_U64(27)
71 #define LOG_GPOS BIT_U64(28)
72 #define LOG_AAAA BIT_U64(29)
73 #define LOG_LOC BIT_U64(30)
74 #define LOG_NXT BIT_U64(31)
75 #define LOG_SRV BIT_U64(32)
76 #define LOG_ATMA BIT_U64(33)
77 #define LOG_NAPTR BIT_U64(34)
78 #define LOG_KX BIT_U64(35)
79 #define LOG_CERT BIT_U64(36)
80 #define LOG_A6 BIT_U64(37)
81 #define LOG_DNAME BIT_U64(38)
82 #define LOG_OPT BIT_U64(39)
83 #define LOG_APL BIT_U64(40)
84 #define LOG_DS BIT_U64(41)
85 #define LOG_SSHFP BIT_U64(42)
86 #define LOG_IPSECKEY BIT_U64(43)
87 #define LOG_RRSIG BIT_U64(44)
88 #define LOG_NSEC BIT_U64(45)
89 #define LOG_DNSKEY BIT_U64(46)
90 #define LOG_DHCID BIT_U64(47)
91 #define LOG_NSEC3 BIT_U64(48)
92 #define LOG_NSEC3PARAM BIT_U64(49)
93 #define LOG_TLSA BIT_U64(50)
94 #define LOG_HIP BIT_U64(51)
95 #define LOG_CDS BIT_U64(52)
96 #define LOG_CDNSKEY BIT_U64(53)
97 #define LOG_SPF BIT_U64(54)
98 #define LOG_TKEY BIT_U64(55)
99 #define LOG_TSIG BIT_U64(56)
100 #define LOG_MAILA BIT_U64(57)
101 #define LOG_ANY BIT_U64(58)
102 #define LOG_URI BIT_U64(59)
103 
104 #define LOG_FORMAT_GROUPED BIT_U64(60)
105 #define LOG_FORMAT_DETAILED BIT_U64(61)
106 #define LOG_HTTPS BIT_U64(62)
107 
108 #define LOG_FORMAT_ALL (LOG_FORMAT_GROUPED|LOG_FORMAT_DETAILED)
109 #define LOG_ALL_RRTYPES (~(uint64_t)(LOG_QUERIES|LOG_ANSWERS|LOG_FORMAT_DETAILED|LOG_FORMAT_GROUPED))
110 
111 typedef enum {
172 } DnsRRTypes;
173 
174 static struct {
175  const char *config_rrtype;
176  uint64_t flags;
177 } dns_rrtype_fields[] = {
178  // clang-format off
179  { "a", LOG_A },
180  { "ns", LOG_NS },
181  { "md", LOG_MD },
182  { "mf", LOG_MF },
183  { "cname", LOG_CNAME },
184  { "soa", LOG_SOA },
185  { "mb", LOG_MB },
186  { "mg", LOG_MG },
187  { "mr", LOG_MR },
188  { "null", LOG_NULL },
189  { "wks", LOG_WKS },
190  { "ptr", LOG_PTR },
191  { "hinfo", LOG_HINFO },
192  { "minfo", LOG_MINFO },
193  { "mx", LOG_MX },
194  { "txt", LOG_TXT },
195  { "rp", LOG_RP },
196  { "afsdb", LOG_AFSDB },
197  { "x25", LOG_X25 },
198  { "isdn", LOG_ISDN },
199  { "rt", LOG_RT },
200  { "nsap", LOG_NSAP },
201  { "nsapptr", LOG_NSAPPTR },
202  { "sig", LOG_SIG },
203  { "key", LOG_KEY },
204  { "px", LOG_PX },
205  { "gpos", LOG_GPOS },
206  { "aaaa", LOG_AAAA },
207  { "loc", LOG_LOC },
208  { "nxt", LOG_NXT },
209  { "srv", LOG_SRV },
210  { "atma", LOG_ATMA },
211  { "naptr", LOG_NAPTR },
212  { "kx", LOG_KX },
213  { "cert", LOG_CERT },
214  { "a6", LOG_A6 },
215  { "dname", LOG_DNAME },
216  { "opt", LOG_OPT },
217  { "apl", LOG_APL },
218  { "ds", LOG_DS },
219  { "sshfp", LOG_SSHFP },
220  { "ipseckey", LOG_IPSECKEY },
221  { "rrsig", LOG_RRSIG },
222  { "nsec", LOG_NSEC },
223  { "dnskey", LOG_DNSKEY },
224  { "dhcid", LOG_DHCID },
225  { "nsec3", LOG_NSEC3 },
226  { "nsec3param", LOG_NSEC3PARAM },
227  { "tlsa", LOG_TLSA },
228  { "hip", LOG_HIP },
229  { "cds", LOG_CDS },
230  { "cdnskey", LOG_CDNSKEY },
231  { "https", LOG_HTTPS },
232  { "spf", LOG_SPF },
233  { "tkey", LOG_TKEY },
234  { "tsig", LOG_TSIG },
235  { "maila", LOG_MAILA },
236  { "any", LOG_ANY },
237  { "uri", LOG_URI }
238  // clang-format on
239 };
240 
241 typedef struct LogDnsFileCtx_ {
242  uint64_t flags; /** Store mode */
244  uint8_t version;
246 
247 typedef struct LogDnsLogThread_ {
251 
252 bool AlertJsonDns(void *txptr, SCJsonBuilder *js)
253 {
254  return SCDnsLogJson(
256 }
257 
258 bool AlertJsonDoh2(void *txptr, SCJsonBuilder *js)
259 {
260  SCJsonBuilderMark mark = { 0, 0, 0 };
261 
262  SCJbGetMark(js, &mark);
263  // first log HTTP2 part
264  bool r = SCHttp2LogJson(txptr, js);
265  if (!r) {
266  SCJbRestoreMark(js, &mark);
267  }
268  // then log one DNS tx if any, preferring the answer
269  void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
270  if (tx_dns == NULL) {
271  tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
272  }
273  bool r2 = false;
274  if (tx_dns) {
275  SCJbGetMark(js, &mark);
276  r2 = AlertJsonDns(tx_dns, js);
277  if (!r2) {
278  SCJbRestoreMark(js, &mark);
279  }
280  }
281  return r || r2;
282 }
283 
284 static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f,
285  void *alstate, void *txptr, uint64_t tx_id)
286 {
287  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
288  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
289 
290  /* DOH2 is always logged in flow direction, as its driven by the scope of an
291  * HTTP transation */
292  SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
293 
294  if (unlikely(jb == NULL)) {
295  return TM_ECODE_OK;
296  }
297 
298  SCJsonBuilderMark mark = { 0, 0, 0 };
299 
300  SCJbGetMark(jb, &mark);
301  // first log HTTP2 part
302  bool r = SCHttp2LogJson(txptr, jb);
303  if (!r) {
304  SCJbRestoreMark(jb, &mark);
305  }
306 
307  void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
308  if (tx_dns == NULL) {
309  tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
310  }
311  bool r2 = false;
312  if (tx_dns) {
313  // mix of JsonDnsLogger
314  if (SCDnsTxIsRequest(tx_dns)) {
315  if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
316  goto out;
317  }
318  } else if (SCDnsTxIsResponse(tx_dns)) {
319  if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
320  goto out;
321  }
322  }
323 
324  if (!SCDnsLogEnabled(tx_dns, td->dnslog_ctx->flags)) {
325  goto out;
326  }
327 
328  SCJbGetMark(jb, &mark);
329  // log DOH2 with DNS config
330  r2 = SCDnsLogJson(tx_dns, td->dnslog_ctx->flags, jb);
331  if (!r2) {
332  SCJbRestoreMark(jb, &mark);
333  }
334  }
335 out:
336  if (r || r2) {
337  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
338  }
339  SCJbFree(jb);
340  return TM_ECODE_OK;
341 }
342 
343 static int JsonDnsLoggerToServer(ThreadVars *tv, void *thread_data,
344  const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id)
345 {
346  SCEnter();
347 
348  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
349  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
350 
351  if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
352  return TM_ECODE_OK;
353  }
354 
355  for (uint16_t i = 0; i < 0xffff; i++) {
356  SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
357  if (unlikely(jb == NULL)) {
358  return TM_ECODE_OK;
359  }
360 
361  SCJbOpenObject(jb, "dns");
362  SCJbSetInt(jb, "version", 2);
363  if (!SCDnsLogJsonQuery(txptr, i, td->dnslog_ctx->flags, jb)) {
364  SCJbFree(jb);
365  break;
366  }
367  SCJbClose(jb);
368 
369  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
370  SCJbFree(jb);
371  }
372 
374 }
375 
376 static int JsonDnsLoggerToClient(ThreadVars *tv, void *thread_data,
377  const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id)
378 {
379  SCEnter();
380 
381  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
382  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
383 
384  if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
385  return TM_ECODE_OK;
386  }
387 
388  if (SCDnsLogAnswerEnabled(txptr, td->dnslog_ctx->flags)) {
389  SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
390  if (unlikely(jb == NULL)) {
391  return TM_ECODE_OK;
392  }
393 
394  SCJbOpenObject(jb, "dns");
395  SCJbSetInt(jb, "version", 2);
396  SCDnsLogJsonAnswer(txptr, td->dnslog_ctx->flags, jb);
397  SCJbClose(jb);
398  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
399  SCJbFree(jb);
400  }
401 
403 }
404 
405 static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *alstate,
406  void *txptr, uint64_t tx_id)
407 {
408  LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
409  LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
410 
411  if (dnslog_ctx->version == DNS_LOG_VERSION_2) {
412  if (SCDnsTxIsRequest(txptr)) {
413  return JsonDnsLoggerToServer(tv, thread_data, p, f, alstate, txptr, tx_id);
414  } else if (SCDnsTxIsResponse(txptr)) {
415  return JsonDnsLoggerToClient(tv, thread_data, p, f, alstate, txptr, tx_id);
416  }
417  } else {
418  if (SCDnsTxIsRequest(txptr)) {
419  if (unlikely(dnslog_ctx->flags & LOG_QUERIES) == 0) {
420  return TM_ECODE_OK;
421  }
422  } else if (SCDnsTxIsResponse(txptr)) {
423  if (unlikely(dnslog_ctx->flags & LOG_ANSWERS) == 0) {
424  return TM_ECODE_OK;
425  }
426  }
427 
428  if (!SCDnsLogEnabled(txptr, td->dnslog_ctx->flags)) {
429  return TM_ECODE_OK;
430  }
431 
432  /* If UDP we can rely on the packet direction. */
434 
435  /* If not UDP we have to query the transaction for direction, which
436  * could be wrong - this is a bit of a hack. */
437  if (PacketIsTCP(p)) {
438  if (SCDnsTxIsRequest(txptr)) {
439  dir = LOG_DIR_FLOW_TOSERVER;
440  } else {
441  dir = LOG_DIR_FLOW_TOCLIENT;
442  }
443  }
444 
445  SCJsonBuilder *jb = CreateEveHeader(p, dir, "dns", NULL, dnslog_ctx->eve_ctx);
446  if (unlikely(jb == NULL)) {
447  return TM_ECODE_OK;
448  }
449 
450  if (SCDnsLogJson(txptr, td->dnslog_ctx->flags, jb)) {
451  OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
452  }
453  SCJbFree(jb);
454  }
455  return TM_ECODE_OK;
456 }
457 
458 static TmEcode LogDnsLogThreadInit(ThreadVars *t, const void *initdata, void **data)
459 {
460  LogDnsLogThread *aft = SCCalloc(1, sizeof(LogDnsLogThread));
461  if (unlikely(aft == NULL))
462  return TM_ECODE_FAILED;
463 
464  if(initdata == NULL)
465  {
466  SCLogDebug("Error getting context for EveLogDNS. \"initdata\" argument NULL");
467  goto error_exit;
468  }
469 
470  /* Use the Output Context (file pointer and mutex) */
471  aft->dnslog_ctx = ((OutputCtx *)initdata)->data;
472  aft->ctx = CreateEveThreadCtx(t, aft->dnslog_ctx->eve_ctx);
473  if (!aft->ctx) {
474  goto error_exit;
475  }
476 
477  *data = (void *)aft;
478  return TM_ECODE_OK;
479 
480 error_exit:
481  SCFree(aft);
482  return TM_ECODE_FAILED;
483 }
484 
485 static TmEcode LogDnsLogThreadDeinit(ThreadVars *t, void *data)
486 {
487  LogDnsLogThread *aft = (LogDnsLogThread *)data;
488  if (aft == NULL) {
489  return TM_ECODE_OK;
490  }
491  FreeEveThreadCtx(aft->ctx);
492 
493  /* clear memory */
494  memset(aft, 0, sizeof(LogDnsLogThread));
495 
496  SCFree(aft);
497  return TM_ECODE_OK;
498 }
499 
500 static void LogDnsLogDeInitCtxSub(OutputCtx *output_ctx)
501 {
502  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
503  LogDnsFileCtx *dnslog_ctx = (LogDnsFileCtx *)output_ctx->data;
504  SCFree(dnslog_ctx);
505  SCFree(output_ctx);
506 }
507 
508 static void JsonDnsLogParseConfig(LogDnsFileCtx *dnslog_ctx, SCConfNode *conf,
509  const char *query_key, const char *answer_key, const char *answer_types_key)
510 {
511  const char *query = SCConfNodeLookupChildValue(conf, query_key);
512  if (query != NULL) {
513  if (SCConfValIsTrue(query)) {
514  dnslog_ctx->flags |= LOG_QUERIES;
515  } else {
516  dnslog_ctx->flags &= ~LOG_QUERIES;
517  }
518  } else {
519  dnslog_ctx->flags |= LOG_QUERIES;
520  }
521 
522  const char *response = SCConfNodeLookupChildValue(conf, answer_key);
523  if (response != NULL) {
524  if (SCConfValIsTrue(response)) {
525  dnslog_ctx->flags |= LOG_ANSWERS;
526  } else {
527  dnslog_ctx->flags &= ~LOG_ANSWERS;
528  }
529  } else {
530  dnslog_ctx->flags |= LOG_ANSWERS;
531  }
532 
533  SCConfNode *custom;
534  if ((custom = SCConfNodeLookupChild(conf, answer_types_key)) != NULL) {
535  dnslog_ctx->flags &= ~LOG_ALL_RRTYPES;
536  SCConfNode *field;
537  TAILQ_FOREACH (field, &custom->head, next) {
538  DnsRRTypes f;
539  for (f = DNS_RRTYPE_A; f < DNS_RRTYPE_MAX; f++) {
540  if (strcasecmp(dns_rrtype_fields[f].config_rrtype, field->val) == 0) {
541  dnslog_ctx->flags |= dns_rrtype_fields[f].flags;
542  break;
543  }
544  }
545  }
546  } else {
547  dnslog_ctx->flags |= LOG_ALL_RRTYPES;
548  }
549 }
550 
551 static uint8_t GetDnsLogVersion(SCConfNode *conf)
552 {
553  if (conf == NULL) {
554  return DNS_LOG_VERSION_DEFAULT;
555  }
556 
557  char *version_string = NULL;
558  const SCConfNode *version_node = SCConfNodeLookupChild(conf, "version");
559  if (version_node != NULL) {
560  version_string = version_node->val;
561  }
562 
563  if (version_string == NULL) {
564  version_string = getenv("SURICATA_EVE_DNS_VERSION");
565  }
566 
567  if (version_string == NULL) {
568  return DNS_LOG_VERSION_DEFAULT;
569  }
570 
571  uint8_t version;
572  if (StringParseUint8(&version, 10, 0, version_string) >= 0) {
573  return version;
574  }
575  SCLogWarning("Failed to parse EVE DNS log version of \"%s\"", version_string);
576  return DNS_LOG_VERSION_DEFAULT;
577 }
578 
579 static uint8_t JsonDnsCheckVersion(SCConfNode *conf)
580 {
581  const uint8_t default_version = DNS_LOG_VERSION_DEFAULT;
582  const uint8_t version = GetDnsLogVersion(conf);
583  static bool v1_deprecation_warned = false;
584  static bool v2_deprecation_warned = false;
585 
586  switch (version) {
587  case 3:
588  return DNS_LOG_VERSION_3;
589  case 2:
590  if (!v2_deprecation_warned) {
591  SCLogNotice("DNS EVE v2 logging has been deprecated and will be removed in "
592  "Suricata 9.0");
593  v2_deprecation_warned = true;
594  }
595  return DNS_LOG_VERSION_2;
596  case 1:
597  if (!v1_deprecation_warned) {
598  SCLogWarning("DNS EVE v1 logging has been removed, will use v2");
599  v1_deprecation_warned = true;
600  }
601  return default_version;
602  default:
603  SCLogWarning(
604  "Invalid EVE DNS version %d, will use v%d", version, DNS_LOG_VERSION_DEFAULT);
605  return default_version;
606  }
607 
608  return default_version;
609 }
610 
611 static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, SCConfNode *conf)
612 {
613  dnslog_ctx->flags = ~0ULL;
614 
615  if (conf) {
616  JsonDnsLogParseConfig(dnslog_ctx, conf, "requests", "responses", "types");
617  if (dnslog_ctx->flags & LOG_ANSWERS) {
618  SCConfNode *format;
619  if ((format = SCConfNodeLookupChild(conf, "formats")) != NULL) {
620  uint64_t flags = 0;
621  SCConfNode *field;
622  TAILQ_FOREACH (field, &format->head, next) {
623  if (strcasecmp(field->val, "detailed") == 0) {
625  } else if (strcasecmp(field->val, "grouped") == 0) {
627  } else {
628  SCLogWarning("Invalid JSON DNS log format: %s", field->val);
629  }
630  }
631  if (flags) {
632  dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
633  dnslog_ctx->flags |= flags;
634  } else {
635  SCLogWarning("Empty EVE DNS format array, using defaults");
636  }
637  } else {
638  dnslog_ctx->flags |= LOG_FORMAT_ALL;
639  }
640  }
641  }
642 }
643 
644 static OutputInitResult JsonDnsLogInitCtxSub(SCConfNode *conf, OutputCtx *parent_ctx)
645 {
646  OutputInitResult result = { NULL, false };
647  const char *enabled = SCConfNodeLookupChildValue(conf, "enabled");
648  if (enabled != NULL && !SCConfValIsTrue(enabled)) {
649  result.ok = true;
650  return result;
651  }
652 
653  OutputJsonCtx *ojc = parent_ctx->data;
654 
655  LogDnsFileCtx *dnslog_ctx = SCCalloc(1, sizeof(LogDnsFileCtx));
656  if (unlikely(dnslog_ctx == NULL)) {
657  return result;
658  }
659 
660  dnslog_ctx->eve_ctx = ojc;
661  dnslog_ctx->version = JsonDnsCheckVersion(conf);
662 
663  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
664  if (unlikely(output_ctx == NULL)) {
665  SCFree(dnslog_ctx);
666  return result;
667  }
668 
669  output_ctx->data = dnslog_ctx;
670  output_ctx->DeInit = LogDnsLogDeInitCtxSub;
671 
672  JsonDnsLogInitFilters(dnslog_ctx, conf);
673 
674  SCLogDebug("DNS log sub-module initialized");
675 
678 
679  result.ctx = output_ctx;
680  result.ok = true;
681  return result;
682 }
683 
684 
685 #define MODULE_NAME "JsonDnsLog"
687 {
688  OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", MODULE_NAME, "eve-log.dns",
689  JsonDnsLogInitCtxSub, ALPROTO_DNS, JsonDnsLogger, LogDnsLogThreadInit,
690  LogDnsLogThreadDeinit);
691 }
692 
694 {
695  OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonDoH2Log", "eve-log.doh2",
696  JsonDnsLogInitCtxSub, ALPROTO_DOH2, JsonDoh2Logger, LogDnsLogThreadInit,
697  LogDnsLogThreadDeinit);
698 }
DNS_RRTYPE_PX
@ DNS_RRTYPE_PX
Definition: output-json-dns.c:137
util-byte.h
DNS_RRTYPE_AAAA
@ DNS_RRTYPE_AAAA
Definition: output-json-dns.c:139
DNS_RRTYPE_GPOS
@ DNS_RRTYPE_GPOS
Definition: output-json-dns.c:138
SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition: output-eve-bindgen.h:31
LOG_MR
#define LOG_MR
Definition: output-json-dns.c:53
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:551
DNS_RRTYPE_TKEY
@ DNS_RRTYPE_TKEY
Definition: output-json-dns.c:166
DNS_RRTYPE_ANY
@ DNS_RRTYPE_ANY
Definition: output-json-dns.c:169
JsonDoh2LogRegister
void JsonDoh2LogRegister(void)
Definition: output-json-dns.c:693
LOG_NULL
#define LOG_NULL
Definition: output-json-dns.c:54
LOG_NSEC3PARAM
#define LOG_NSEC3PARAM
Definition: output-json-dns.c:92
DNS_RRTYPE_OPT
@ DNS_RRTYPE_OPT
Definition: output-json-dns.c:149
LOG_NSEC
#define LOG_NSEC
Definition: output-json-dns.c:88
LOG_RP
#define LOG_RP
Definition: output-json-dns.c:61
LOG_GPOS
#define LOG_GPOS
Definition: output-json-dns.c:71
DNS_RRTYPE_NULL
@ DNS_RRTYPE_NULL
Definition: output-json-dns.c:121
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
MODULE_NAME
#define MODULE_NAME
Definition: output-json-dns.c:685
DNS_RRTYPE_MX
@ DNS_RRTYPE_MX
Definition: output-json-dns.c:126
DNS_RRTYPE_HIP
@ DNS_RRTYPE_HIP
Definition: output-json-dns.c:161
LOG_NXT
#define LOG_NXT
Definition: output-json-dns.c:74
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DNS_RRTYPE_LOC
@ DNS_RRTYPE_LOC
Definition: output-json-dns.c:140
LOG_TLSA
#define LOG_TLSA
Definition: output-json-dns.c:93
DNS_RRTYPE_NS
@ DNS_RRTYPE_NS
Definition: output-json-dns.c:113
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DNS_RRTYPE_MAX
@ DNS_RRTYPE_MAX
Definition: output-json-dns.c:171
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
DNS_RRTYPE_X25
@ DNS_RRTYPE_X25
Definition: output-json-dns.c:130
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:850
DnsRRTypes
DnsRRTypes
Definition: output-json-dns.c:111
LOG_TKEY
#define LOG_TKEY
Definition: output-json-dns.c:98
OutputJsonCtx_
Definition: output-json.h:75
Flow_
Flow data structure.
Definition: flow.h:356
DNS_RRTYPE_TSIG
@ DNS_RRTYPE_TSIG
Definition: output-json-dns.c:167
AlertJsonDns
bool AlertJsonDns(void *txptr, SCJsonBuilder *js)
Definition: output-json-dns.c:252
DNS_RRTYPE_HTTPS
@ DNS_RRTYPE_HTTPS
Definition: output-json-dns.c:164
LOG_LOC
#define LOG_LOC
Definition: output-json-dns.c:73
LOG_TSIG
#define LOG_TSIG
Definition: output-json-dns.c:99
LOG_APL
#define LOG_APL
Definition: output-json-dns.c:83
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
OutputRegisterTxSubModule
void OutputRegisterTxSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Definition: output.c:406
LOG_DNSKEY
#define LOG_DNSKEY
Definition: output-json-dns.c:89
rust.h
DNS_RRTYPE_DHCID
@ DNS_RRTYPE_DHCID
Definition: output-json-dns.c:157
LOG_DNAME
#define LOG_DNAME
Definition: output-json-dns.c:81
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-eve-bindgen.h:35
LOG_ANSWERS
#define LOG_ANSWERS
Definition: output-json-dns.c:43
LOG_NSEC3
#define LOG_NSEC3
Definition: output-json-dns.c:91
LOG_DS
#define LOG_DS
Definition: output-json-dns.c:84
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:1015
LOG_MAILA
#define LOG_MAILA
Definition: output-json-dns.c:100
LOG_NS
#define LOG_NS
Definition: output-json-dns.c:46
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
LOG_CERT
#define LOG_CERT
Definition: output-json-dns.c:79
DNS_RRTYPE_SPF
@ DNS_RRTYPE_SPF
Definition: output-json-dns.c:165
DNS_RRTYPE_WKS
@ DNS_RRTYPE_WKS
Definition: output-json-dns.c:122
LogDnsFileCtx_::flags
uint64_t flags
Definition: output-json-dns.c:242
LOG_MD
#define LOG_MD
Definition: output-json-dns.c:47
LOG_SOA
#define LOG_SOA
Definition: output-json-dns.c:50
LOG_NAPTR
#define LOG_NAPTR
Definition: output-json-dns.c:77
LOG_WKS
#define LOG_WKS
Definition: output-json-dns.c:55
LOG_CDS
#define LOG_CDS
Definition: output-json-dns.c:95
OutputCtx_::data
void * data
Definition: tm-modules.h:91
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
OutputCtx_
Definition: tm-modules.h:88
LOG_URI
#define LOG_URI
Definition: output-json-dns.c:102
LOG_SRV
#define LOG_SRV
Definition: output-json-dns.c:75
OutputJsonThreadCtx_
Definition: output-json.h:83
LOG_HINFO
#define LOG_HINFO
Definition: output-json-dns.c:57
DNS_RRTYPE_URI
@ DNS_RRTYPE_URI
Definition: output-json-dns.c:170
LogDnsFileCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-dns.c:243
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
DNS_RRTYPE_HINFO
@ DNS_RRTYPE_HINFO
Definition: output-json-dns.c:124
DNS_RRTYPE_NSEC
@ DNS_RRTYPE_NSEC
Definition: output-json-dns.c:155
LOG_ATMA
#define LOG_ATMA
Definition: output-json-dns.c:76
LOG_KEY
#define LOG_KEY
Definition: output-json-dns.c:69
LOG_ALL_RRTYPES
#define LOG_ALL_RRTYPES
Definition: output-json-dns.c:109
decode.h
util-debug.h
DNS_RRTYPE_MF
@ DNS_RRTYPE_MF
Definition: output-json-dns.c:115
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LOG_MINFO
#define LOG_MINFO
Definition: output-json-dns.c:58
LOG_SIG
#define LOG_SIG
Definition: output-json-dns.c:68
DNS_RRTYPE_RP
@ DNS_RRTYPE_RP
Definition: output-json-dns.c:128
SCAppLayerParserRegisterLogger
void SCAppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:491
output-json.h
LOG_KX
#define LOG_KX
Definition: output-json-dns.c:78
LOG_A
#define LOG_A
Definition: output-json-dns.c:45
LOG_MF
#define LOG_MF
Definition: output-json-dns.c:48
DNS_RRTYPE_CDNSKEY
@ DNS_RRTYPE_CDNSKEY
Definition: output-json-dns.c:163
LogDnsLogThread_
Definition: output-json-dns.c:247
DNS_RRTYPE_IPSECKEY
@ DNS_RRTYPE_IPSECKEY
Definition: output-json-dns.c:153
DNS_RRTYPE_KEY
@ DNS_RRTYPE_KEY
Definition: output-json-dns.c:136
SCEnter
#define SCEnter(...)
Definition: util-debug.h:277
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DNS_RRTYPE_NSEC3PARAM
@ DNS_RRTYPE_NSEC3PARAM
Definition: output-json-dns.c:159
LOG_RT
#define LOG_RT
Definition: output-json-dns.c:65
LogDnsLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-dns.c:249
LOG_SSHFP
#define LOG_SSHFP
Definition: output-json-dns.c:85
OutputInitResult_::ok
bool ok
Definition: output.h:48
DNS_RRTYPE_A
@ DNS_RRTYPE_A
Definition: output-json-dns.c:112
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:255
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-eve-bindgen.h:33
DNS_RRTYPE_DNAME
@ DNS_RRTYPE_DNAME
Definition: output-json-dns.c:148
app-layer-parser.h
DNS_RRTYPE_RRSIG
@ DNS_RRTYPE_RRSIG
Definition: output-json-dns.c:154
DNS_RRTYPE_DS
@ DNS_RRTYPE_DS
Definition: output-json-dns.c:151
LOG_RRSIG
#define LOG_RRSIG
Definition: output-json-dns.c:87
LOG_MG
#define LOG_MG
Definition: output-json-dns.c:52
DNS_RRTYPE_MAILA
@ DNS_RRTYPE_MAILA
Definition: output-json-dns.c:168
DNS_RRTYPE_TXT
@ DNS_RRTYPE_TXT
Definition: output-json-dns.c:127
Packet_
Definition: decode.h:501
DNS_RRTYPE_AFSDB
@ DNS_RRTYPE_AFSDB
Definition: output-json-dns.c:129
DNS_RRTYPE_ATMA
@ DNS_RRTYPE_ATMA
Definition: output-json-dns.c:143
DNS_RRTYPE_KX
@ DNS_RRTYPE_KX
Definition: output-json-dns.c:145
DNS_RRTYPE_PTR
@ DNS_RRTYPE_PTR
Definition: output-json-dns.c:123
conf.h
DNS_RRTYPE_NSAP
@ DNS_RRTYPE_NSAP
Definition: output-json-dns.c:133
LOG_ANY
#define LOG_ANY
Definition: output-json-dns.c:101
TmEcode
TmEcode
Definition: tm-threads-common.h:80
ALPROTO_DOH2
@ ALPROTO_DOH2
Definition: app-layer-protos.h:66
LOG_MB
#define LOG_MB
Definition: output-json-dns.c:51
LogDnsFileCtx_
Definition: output-json-dns.c:241
LOG_PTR
#define LOG_PTR
Definition: output-json-dns.c:56
DNS_RRTYPE_ISDN
@ DNS_RRTYPE_ISDN
Definition: output-json-dns.c:131
DNS_RRTYPE_TLSA
@ DNS_RRTYPE_TLSA
Definition: output-json-dns.c:160
DNS_RRTYPE_NSEC3
@ DNS_RRTYPE_NSEC3
Definition: output-json-dns.c:158
LOG_HTTPS
#define LOG_HTTPS
Definition: output-json-dns.c:106
DNS_RRTYPE_A6
@ DNS_RRTYPE_A6
Definition: output-json-dns.c:147
DNS_RRTYPE_CERT
@ DNS_RRTYPE_CERT
Definition: output-json-dns.c:146
LOG_HIP
#define LOG_HIP
Definition: output-json-dns.c:94
util-mem.h
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
LOG_NSAP
#define LOG_NSAP
Definition: output-json-dns.c:66
LOG_AAAA
#define LOG_AAAA
Definition: output-json-dns.c:72
LOG_DHCID
#define LOG_DHCID
Definition: output-json-dns.c:90
OutputInitResult_
Definition: output.h:46
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
DNS_RRTYPE_SIG
@ DNS_RRTYPE_SIG
Definition: output-json-dns.c:135
DNS_RRTYPE_NXT
@ DNS_RRTYPE_NXT
Definition: output-json-dns.c:141
LOG_CNAME
#define LOG_CNAME
Definition: output-json-dns.c:49
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:94
version
uint8_t version
Definition: decode-gre.h:1
LogDnsFileCtx
struct LogDnsFileCtx_ LogDnsFileCtx
LOG_QUERIES
#define LOG_QUERIES
Definition: output-json-dns.c:42
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
LOG_FORMAT_GROUPED
#define LOG_FORMAT_GROUPED
Definition: output-json-dns.c:104
LogDnsLogThread
struct LogDnsLogThread_ LogDnsLogThread
threadvars.h
output-json-dns.h
LOG_NSAPPTR
#define LOG_NSAPPTR
Definition: output-json-dns.c:67
LOGGER_JSON_TX
@ LOGGER_JSON_TX
Definition: suricata-common.h:485
DNS_RRTYPE_DNSKEY
@ DNS_RRTYPE_DNSKEY
Definition: output-json-dns.c:156
JsonDnsLogRegister
void JsonDnsLogRegister(void)
Definition: output-json-dns.c:686
DNS_RRTYPE_MG
@ DNS_RRTYPE_MG
Definition: output-json-dns.c:119
LOG_CDNSKEY
#define LOG_CDNSKEY
Definition: output-json-dns.c:96
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DNS_RRTYPE_MR
@ DNS_RRTYPE_MR
Definition: output-json-dns.c:120
LOG_ISDN
#define LOG_ISDN
Definition: output-json-dns.c:64
LOG_OPT
#define LOG_OPT
Definition: output-json-dns.c:82
DNS_RRTYPE_SOA
@ DNS_RRTYPE_SOA
Definition: output-json-dns.c:117
DNS_RRTYPE_RT
@ DNS_RRTYPE_RT
Definition: output-json-dns.c:132
LOG_X25
#define LOG_X25
Definition: output-json-dns.c:63
LOG_MX
#define LOG_MX
Definition: output-json-dns.c:59
DNS_RRTYPE_APL
@ DNS_RRTYPE_APL
Definition: output-json-dns.c:150
DNS_RRTYPE_SSHFP
@ DNS_RRTYPE_SSHFP
Definition: output-json-dns.c:152
LOG_FORMAT_DETAILED
#define LOG_FORMAT_DETAILED
Definition: output-json-dns.c:105
DNS_RRTYPE_NSAPPTR
@ DNS_RRTYPE_NSAPPTR
Definition: output-json-dns.c:134
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
DNS_RRTYPE_MB
@ DNS_RRTYPE_MB
Definition: output-json-dns.c:118
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-eve-bindgen.h:34
DNS_RRTYPE_CDS
@ DNS_RRTYPE_CDS
Definition: output-json-dns.c:162
LOG_FORMAT_ALL
#define LOG_FORMAT_ALL
Definition: output-json-dns.c:108
DetectGetInnerTx
void * DetectGetInnerTx(void *tx_ptr, AppProto alproto, AppProto engine_alproto, uint8_t flow_flags)
Definition: detect.c:1153
LOG_TXT
#define LOG_TXT
Definition: output-json-dns.c:60
flags
uint64_t flags
Definition: output-json-dns.c:176
LOG_IPSECKEY
#define LOG_IPSECKEY
Definition: output-json-dns.c:86
DNS_RRTYPE_MD
@ DNS_RRTYPE_MD
Definition: output-json-dns.c:114
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:243
DNS_RRTYPE_NAPTR
@ DNS_RRTYPE_NAPTR
Definition: output-json-dns.c:144
DNS_RRTYPE_SRV
@ DNS_RRTYPE_SRV
Definition: output-json-dns.c:142
DNS_RRTYPE_MINFO
@ DNS_RRTYPE_MINFO
Definition: output-json-dns.c:125
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
LogDnsLogThread_::dnslog_ctx
LogDnsFileCtx * dnslog_ctx
Definition: output-json-dns.c:248
LOG_A6
#define LOG_A6
Definition: output-json-dns.c:80
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:281
SCConfNode_
Definition: conf.h:37
AlertJsonDoh2
bool AlertJsonDoh2(void *txptr, SCJsonBuilder *js)
Definition: output-json-dns.c:258
LogDnsFileCtx_::version
uint8_t version
Definition: output-json-dns.c:244
SCConfNode_::val
char * val
Definition: conf.h:39
output.h
DNS_RRTYPE_CNAME
@ DNS_RRTYPE_CNAME
Definition: output-json-dns.c:116
LOG_PX
#define LOG_PX
Definition: output-json-dns.c:70
LOG_SPF
#define LOG_SPF
Definition: output-json-dns.c:97
config_rrtype
const char * config_rrtype
Definition: output-json-dns.c:175
LOG_AFSDB
#define LOG_AFSDB
Definition: output-json-dns.c:62