suricata
output-json-drop.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * JSON Drop log module to log the dropped packet information
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "decode-ipv4.h"
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-reference.h"
43 
44 #include "output.h"
45 #include "output-json.h"
46 #include "output-json-alert.h"
47 #include "output-json-drop.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
52 #include "util-privs.h"
53 #include "util-print.h"
54 #include "util-proto-name.h"
55 #include "util-logopenfile.h"
56 #include "util-time.h"
57 #include "util-buffer.h"
58 
59 #define MODULE_NAME "JsonDropLog"
60 
61 #ifdef HAVE_LIBJANSSON
62 
63 #define LOG_DROP_ALERTS 1
64 
65 typedef struct JsonDropOutputCtx_ {
66  LogFileCtx *file_ctx;
67  uint8_t flags;
68  OutputJsonCommonSettings cfg;
69 } JsonDropOutputCtx;
70 
71 typedef struct JsonDropLogThread_ {
72  JsonDropOutputCtx *drop_ctx;
73  MemBuffer *buffer;
74 } JsonDropLogThread;
75 
76 /* default to true as this has been the default behavior for a long time */
77 static int g_droplog_flows_start = 1;
78 
79 /**
80  * \brief Log the dropped packets in netfilter format when engine is running
81  * in inline mode
82  *
83  * \param tv Pointer the current thread variables
84  * \param p Pointer the packet which is being logged
85  *
86  * \return return TM_EODE_OK on success
87  */
88 static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
89 {
90  JsonDropOutputCtx *drop_ctx = aft->drop_ctx;
91 
92  json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop");
93  if (unlikely(js == NULL))
94  return TM_ECODE_OK;
95 
96  JsonAddCommonOptions(&drop_ctx->cfg, p, p->flow, js);
97 
98  json_t *djs = json_object();
99  if (unlikely(djs == NULL)) {
100  json_decref(js);
101  return TM_ECODE_OK;
102  }
103 
104  /* reset */
105  MemBufferReset(aft->buffer);
106 
107  uint16_t proto = 0;
108  if (PKT_IS_IPV4(p)) {
109  json_object_set_new(djs, "len", json_integer(IPV4_GET_IPLEN(p)));
110  json_object_set_new(djs, "tos", json_integer(IPV4_GET_IPTOS(p)));
111  json_object_set_new(djs, "ttl", json_integer(IPV4_GET_IPTTL(p)));
112  json_object_set_new(djs, "ipid", json_integer(IPV4_GET_IPID(p)));
113  proto = IPV4_GET_IPPROTO(p);
114  } else if (PKT_IS_IPV6(p)) {
115  json_object_set_new(djs, "len", json_integer(IPV6_GET_PLEN(p)));
116  json_object_set_new(djs, "tc", json_integer(IPV6_GET_CLASS(p)));
117  json_object_set_new(djs, "hoplimit", json_integer(IPV6_GET_HLIM(p)));
118  json_object_set_new(djs, "flowlbl", json_integer(IPV6_GET_FLOW(p)));
119  proto = IPV6_GET_L4PROTO(p);
120  }
121  switch (proto) {
122  case IPPROTO_TCP:
123  if (PKT_IS_TCP(p)) {
124  json_object_set_new(djs, "tcpseq", json_integer(TCP_GET_SEQ(p)));
125  json_object_set_new(djs, "tcpack", json_integer(TCP_GET_ACK(p)));
126  json_object_set_new(djs, "tcpwin", json_integer(TCP_GET_WINDOW(p)));
127  json_object_set_new(djs, "syn", TCP_ISSET_FLAG_SYN(p) ? json_true() : json_false());
128  json_object_set_new(djs, "ack", TCP_ISSET_FLAG_ACK(p) ? json_true() : json_false());
129  json_object_set_new(djs, "psh", TCP_ISSET_FLAG_PUSH(p) ? json_true() : json_false());
130  json_object_set_new(djs, "rst", TCP_ISSET_FLAG_RST(p) ? json_true() : json_false());
131  json_object_set_new(djs, "urg", TCP_ISSET_FLAG_URG(p) ? json_true() : json_false());
132  json_object_set_new(djs, "fin", TCP_ISSET_FLAG_FIN(p) ? json_true() : json_false());
133  json_object_set_new(djs, "tcpres", json_integer(TCP_GET_RAW_X2(p->tcph)));
134  json_object_set_new(djs, "tcpurgp", json_integer(TCP_GET_URG_POINTER(p)));
135  }
136  break;
137  case IPPROTO_UDP:
138  if (PKT_IS_UDP(p)) {
139  json_object_set_new(djs, "udplen", json_integer(UDP_GET_LEN(p)));
140  }
141  break;
142  case IPPROTO_ICMP:
143  if (PKT_IS_ICMPV4(p)) {
144  json_object_set_new(djs, "icmp_id", json_integer(ICMPV4_GET_ID(p)));
145  json_object_set_new(djs, "icmp_seq", json_integer(ICMPV4_GET_SEQ(p)));
146  } else if(PKT_IS_ICMPV6(p)) {
147  json_object_set_new(djs, "icmp_id", json_integer(ICMPV6_GET_ID(p)));
148  json_object_set_new(djs, "icmp_seq", json_integer(ICMPV6_GET_SEQ(p)));
149  }
150  break;
151  }
152  json_object_set_new(js, "drop", djs);
153 
154  if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
155  int logged = 0;
156  int i;
157  for (i = 0; i < p->alerts.cnt; i++) {
158  const PacketAlert *pa = &p->alerts.alerts[i];
159  if (unlikely(pa->s == NULL)) {
160  continue;
161  }
163  ((pa->action & ACTION_DROP) && EngineModeIsIPS()))
164  {
165  AlertJsonHeader(NULL, p, pa, js, 0);
166  logged = 1;
167  }
168  }
169  if (logged == 0) {
170  if (p->alerts.drop.action != 0) {
171  const PacketAlert *pa = &p->alerts.drop;
172  AlertJsonHeader(NULL, p, pa, js, 0);
173  }
174  }
175  }
176 
177  OutputJSONBuffer(js, aft->drop_ctx->file_ctx, &aft->buffer);
178  json_object_del(js, "drop");
179  json_object_clear(js);
180  json_decref(js);
181 
182  return TM_ECODE_OK;
183 }
184 
185 #define OUTPUT_BUFFER_SIZE 65535
186 static TmEcode JsonDropLogThreadInit(ThreadVars *t, const void *initdata, void **data)
187 {
188  JsonDropLogThread *aft = SCMalloc(sizeof(JsonDropLogThread));
189  if (unlikely(aft == NULL))
190  return TM_ECODE_FAILED;
191  memset(aft, 0, sizeof(*aft));
192 
193  if(initdata == NULL)
194  {
195  SCLogDebug("Error getting context for EveLogDrop. \"initdata\" argument NULL");
196  SCFree(aft);
197  return TM_ECODE_FAILED;
198  }
199 
200  aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
201  if (aft->buffer == NULL) {
202  SCFree(aft);
203  return TM_ECODE_FAILED;
204  }
205 
206  /** Use the Ouptut Context (file pointer and mutex) */
207  aft->drop_ctx = ((OutputCtx *)initdata)->data;
208 
209  *data = (void *)aft;
210  return TM_ECODE_OK;
211 }
212 
213 static TmEcode JsonDropLogThreadDeinit(ThreadVars *t, void *data)
214 {
215  JsonDropLogThread *aft = (JsonDropLogThread *)data;
216  if (aft == NULL) {
217  return TM_ECODE_OK;
218  }
219 
220  MemBufferFree(aft->buffer);
221 
222  /* clear memory */
223  memset(aft, 0, sizeof(*aft));
224 
225  SCFree(aft);
226  return TM_ECODE_OK;
227 }
228 
229 static void JsonDropOutputCtxFree(JsonDropOutputCtx *drop_ctx)
230 {
231  if (drop_ctx != NULL) {
232  if (drop_ctx->file_ctx != NULL)
233  LogFileFreeCtx(drop_ctx->file_ctx);
234  SCFree(drop_ctx);
235  }
236 }
237 
238 static void JsonDropLogDeInitCtx(OutputCtx *output_ctx)
239 {
241 
242  JsonDropOutputCtx *drop_ctx = output_ctx->data;
243  JsonDropOutputCtxFree(drop_ctx);
244  SCFree(output_ctx);
245 }
246 
247 static void JsonDropLogDeInitCtxSub(OutputCtx *output_ctx)
248 {
250 
251  JsonDropOutputCtx *drop_ctx = output_ctx->data;
252  SCFree(drop_ctx);
253  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
254  SCFree(output_ctx);
255 }
256 
257 #define DEFAULT_LOG_FILENAME "drop.json"
258 static OutputInitResult JsonDropLogInitCtx(ConfNode *conf)
259 {
260  OutputInitResult result = { NULL, false };
261  if (OutputDropLoggerEnable() != 0) {
262  SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
263  "can be enabled");
264  return result;
265  }
266 
267  JsonDropOutputCtx *drop_ctx = SCCalloc(1, sizeof(*drop_ctx));
268  if (drop_ctx == NULL)
269  return result;
270 
271  drop_ctx->file_ctx = LogFileNewCtx();
272  if (drop_ctx->file_ctx == NULL) {
273  JsonDropOutputCtxFree(drop_ctx);
274  return result;
275  }
276 
277  if (SCConfLogOpenGeneric(conf, drop_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
278  JsonDropOutputCtxFree(drop_ctx);
279  return result;
280  }
281 
282  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
283  if (unlikely(output_ctx == NULL)) {
284  JsonDropOutputCtxFree(drop_ctx);
285  return result;
286  }
287 
288  if (conf) {
289  const char *extended = ConfNodeLookupChildValue(conf, "alerts");
290  if (extended != NULL) {
291  if (ConfValIsTrue(extended)) {
292  drop_ctx->flags = LOG_DROP_ALERTS;
293  }
294  }
295  extended = ConfNodeLookupChildValue(conf, "flows");
296  if (extended != NULL) {
297  if (strcasecmp(extended, "start") == 0) {
298  g_droplog_flows_start = 1;
299  } else if (strcasecmp(extended, "all") == 0) {
300  g_droplog_flows_start = 0;
301  } else {
302  SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
303  "'flow' are 'start' and 'all'");
304  }
305  }
306  }
307 
308  output_ctx->data = drop_ctx;
309  output_ctx->DeInit = JsonDropLogDeInitCtx;
310 
311  result.ctx = output_ctx;
312  result.ok = true;
313  return result;
314 }
315 
316 static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
317 {
318  OutputInitResult result = { NULL, false };
319  if (OutputDropLoggerEnable() != 0) {
320  SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
321  "can be enabled");
322  return result;
323  }
324 
325  OutputJsonCtx *ajt = parent_ctx->data;
326 
327  JsonDropOutputCtx *drop_ctx = SCCalloc(1, sizeof(*drop_ctx));
328  if (drop_ctx == NULL)
329  return result;
330 
331  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
332  if (unlikely(output_ctx == NULL)) {
333  JsonDropOutputCtxFree(drop_ctx);
334  return result;
335  }
336 
337  if (conf) {
338  const char *extended = ConfNodeLookupChildValue(conf, "alerts");
339  if (extended != NULL) {
340  if (ConfValIsTrue(extended)) {
341  drop_ctx->flags = LOG_DROP_ALERTS;
342  }
343  }
344  extended = ConfNodeLookupChildValue(conf, "flows");
345  if (extended != NULL) {
346  if (strcasecmp(extended, "start") == 0) {
347  g_droplog_flows_start = 1;
348  } else if (strcasecmp(extended, "all") == 0) {
349  g_droplog_flows_start = 0;
350  } else {
351  SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
352  "'flow' are 'start' and 'all'");
353  }
354  }
355  }
356 
357  drop_ctx->file_ctx = ajt->file_ctx;
358  drop_ctx->cfg = ajt->cfg;
359 
360  output_ctx->data = drop_ctx;
361  output_ctx->DeInit = JsonDropLogDeInitCtxSub;
362 
363  result.ctx = output_ctx;
364  result.ok = true;
365  return result;
366 }
367 
368 /**
369  * \brief Log the dropped packets when engine is running in inline mode
370  *
371  * \param tv Pointer the current thread variables
372  * \param data Pointer to the droplog struct
373  * \param p Pointer the packet which is being logged
374  *
375  * \retval 0 on succes
376  */
377 static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
378 {
379  JsonDropLogThread *td = thread_data;
380  int r = DropLogJSON(td, p);
381  if (r < 0)
382  return -1;
383 
384  if (!g_droplog_flows_start)
385  return 0;
386 
387  if (p->flow) {
388  if (p->flow->flags & FLOW_ACTION_DROP) {
391  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
393  }
394  }
395  return 0;
396 }
397 
398 
399 /**
400  * \brief Check if we need to drop-log this packet
401  *
402  * \param tv Pointer the current thread variables
403  * \param p Pointer the packet which is tested
404  *
405  * \retval bool TRUE or FALSE
406  */
407 static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
408 {
409  if (!EngineModeIsIPS()) {
410  SCLogDebug("engine is not running in inline mode, so returning");
411  return FALSE;
412  }
413  if (PKT_IS_PSEUDOPKT(p)) {
414  SCLogDebug("drop log doesn't log pseudo packets");
415  return FALSE;
416  }
417 
418  if (g_droplog_flows_start && p->flow != NULL) {
419  int ret = FALSE;
420 
421  /* for a flow that will be dropped fully, log just once per direction */
422  if (p->flow->flags & FLOW_ACTION_DROP) {
424  ret = TRUE;
425  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
426  ret = TRUE;
427  }
428 
429  /* if drop is caused by signature, log anyway */
430  if (p->alerts.drop.action != 0)
431  ret = TRUE;
432 
433  return ret;
434  } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
435  return TRUE;
436  }
437 
438  return FALSE;
439 }
440 
441 void JsonDropLogRegister (void)
442 {
444  JsonDropLogInitCtx, JsonDropLogger, JsonDropLogCondition,
445  JsonDropLogThreadInit, JsonDropLogThreadDeinit, NULL);
447  "eve-log.drop", JsonDropLogInitCtxSub, JsonDropLogger,
448  JsonDropLogCondition, JsonDropLogThreadInit, JsonDropLogThreadDeinit,
449  NULL);
450 }
451 
452 #else
453 
455 {
456 }
457 
458 #endif
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
#define TCP_GET_RAW_X2(tcph)
Definition: decode-tcp.h:66
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:443
#define ACTION_REJECT_DST
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:860
#define FALSE
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:256
#define IPV4_GET_IPPROTO(p)
Definition: decode-ipv4.h:148
int logged
#define unlikely(expr)
Definition: util-optimize.h:35
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
#define ACTION_REJECT
uint8_t action
Definition: decode.h:269
#define FLOW_ACTION_DROP
Definition: flow.h:64
#define ICMPV6_GET_ID(p)
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:89
#define MODULE_NAME
int OutputDropLoggerEnable(void)
Definition: output.c:848
#define PKT_IS_IPV6(p)
Definition: decode.h:250
#define TCP_GET_WINDOW(p)
Definition: decode-tcp.h:109
#define ICMPV6_GET_SEQ(p)
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
TCPHdr * tcph
Definition: decode.h:520
int EngineModeIsIPS(void)
Definition: suricata.c:241
#define TRUE
#define ICMPV4_GET_SEQ(p)
#define PKT_IS_IPV4(p)
Definition: decode.h:249
#define TCP_ISSET_FLAG_SYN(p)
Definition: decode-tcp.h:115
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:292
const struct Signature_ * s
Definition: decode.h:271
#define SCCalloc(nm, a)
Definition: util-mem.h:197
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
#define TCP_GET_SEQ(p)
Definition: decode-tcp.h:107
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:160
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:87
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:201
#define ACTION_REJECT_BOTH
#define TCP_ISSET_FLAG_URG(p)
Definition: decode-tcp.h:119
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
#define PKT_IS_ICMPV6(p)
Definition: decode.h:254
#define IPV6_GET_FLOW(p)
Definition: decode-ipv6.h:83
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
#define PKT_IS_TOSERVER(p)
Definition: decode.h:255
#define IPV6_GET_CLASS(p)
Definition: decode-ipv6.h:81
#define UDP_GET_LEN(p)
Definition: decode-udp.h:35
void JsonDropLogRegister(void)
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
#define FLOW_TOCLIENT_DROP_LOGGED
Definition: flow.h:74
uint8_t proto
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
#define IPV6_GET_L4PROTO(p)
Definition: decode-ipv6.h:92
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
#define IPV4_GET_IPLEN(p)
Definition: decode-ipv4.h:127
Definition: conf.h:32
#define TCP_ISSET_FLAG_RST(p)
Definition: decode-tcp.h:116
OutputCtx * ctx
Definition: output.h:42
#define DEFAULT_LOG_FILENAME
#define SCMalloc(a)
Definition: util-mem.h:166
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define ICMPV4_GET_ID(p)
#define SCFree(a)
Definition: util-mem.h:228
#define PKT_IS_TCP(p)
Definition: decode.h:251
#define TCP_ISSET_FLAG_ACK(p)
Definition: decode-tcp.h:118
PacketAlert drop
Definition: decode.h:295
void OutputDropLoggerDisable(void)
Definition: output.c:856
void * data
Definition: tm-modules.h:81
#define PKT_IS_ICMPV4(p)
Definition: decode.h:253
#define IPV4_GET_IPTOS(p)
Definition: decode-ipv4.h:125
PacketAlerts alerts
Definition: decode.h:555
#define TCP_GET_URG_POINTER(p)
Definition: decode-tcp.h:110
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1131
#define TCP_ISSET_FLAG_PUSH(p)
Definition: decode-tcp.h:117
uint16_t cnt
Definition: decode.h:291
#define PKT_IS_UDP(p)
Definition: decode.h:252
Per thread variable structure.
Definition: threadvars.h:57
#define ACTION_DROP
#define TCP_GET_ACK(p)
Definition: decode-tcp.h:108
#define TCP_ISSET_FLAG_FIN(p)
Definition: decode-tcp.h:114
#define OUTPUT_BUFFER_SIZE
Definition: log-httplog.c:58
#define IPV4_GET_IPID(p)
Definition: decode-ipv4.h:129
uint32_t flags
Definition: flow.h:379
#define FLOW_TOSERVER_DROP_LOGGED
Definition: flow.h:72
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
#define IPV4_GET_IPTTL(p)
Definition: decode-ipv4.h:146