suricata
output-json-drop.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * JSON Drop log module to log the dropped packet information
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "decode-ipv4.h"
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-reference.h"
43 
44 #include "output.h"
45 #include "output-json.h"
46 #include "output-json-alert.h"
47 #include "output-json-drop.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
52 #include "util-privs.h"
53 #include "util-print.h"
54 #include "util-proto-name.h"
55 #include "util-logopenfile.h"
56 #include "util-time.h"
57 #include "util-buffer.h"
58 
59 #define MODULE_NAME "JsonDropLog"
60 
61 #ifdef HAVE_LIBJANSSON
62 
63 #define LOG_DROP_ALERTS 1
64 
65 typedef struct JsonDropOutputCtx_ {
66  LogFileCtx *file_ctx;
67  uint8_t flags;
68  OutputJsonCommonSettings cfg;
69 } JsonDropOutputCtx;
70 
71 typedef struct JsonDropLogThread_ {
72  JsonDropOutputCtx *drop_ctx;
73  MemBuffer *buffer;
74 } JsonDropLogThread;
75 
76 /* default to true as this has been the default behavior for a long time */
77 static int g_droplog_flows_start = 1;
78 
79 /**
80  * \brief Log the dropped packets in netfilter format when engine is running
81  * in inline mode
82  *
83  * \param tv Pointer the current thread variables
84  * \param p Pointer the packet which is being logged
85  *
86  * \return return TM_EODE_OK on success
87  */
88 static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
89 {
90  JsonDropOutputCtx *drop_ctx = aft->drop_ctx;
91 
92  json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop");
93  if (unlikely(js == NULL))
94  return TM_ECODE_OK;
95 
96  JsonAddCommonOptions(&drop_ctx->cfg, p, p->flow, js);
97 
98  json_t *djs = json_object();
99  if (unlikely(djs == NULL)) {
100  json_decref(js);
101  return TM_ECODE_OK;
102  }
103 
104  /* reset */
105  MemBufferReset(aft->buffer);
106 
107  uint16_t proto = 0;
108  if (PKT_IS_IPV4(p)) {
109  json_object_set_new(djs, "len", json_integer(IPV4_GET_IPLEN(p)));
110  json_object_set_new(djs, "tos", json_integer(IPV4_GET_IPTOS(p)));
111  json_object_set_new(djs, "ttl", json_integer(IPV4_GET_IPTTL(p)));
112  json_object_set_new(djs, "ipid", json_integer(IPV4_GET_IPID(p)));
113  proto = IPV4_GET_IPPROTO(p);
114  } else if (PKT_IS_IPV6(p)) {
115  json_object_set_new(djs, "len", json_integer(IPV6_GET_PLEN(p)));
116  json_object_set_new(djs, "tc", json_integer(IPV6_GET_CLASS(p)));
117  json_object_set_new(djs, "hoplimit", json_integer(IPV6_GET_HLIM(p)));
118  json_object_set_new(djs, "flowlbl", json_integer(IPV6_GET_FLOW(p)));
119  proto = IPV6_GET_L4PROTO(p);
120  }
121  switch (proto) {
122  case IPPROTO_TCP:
123  if (PKT_IS_TCP(p)) {
124  json_object_set_new(djs, "tcpseq", json_integer(TCP_GET_SEQ(p)));
125  json_object_set_new(djs, "tcpack", json_integer(TCP_GET_ACK(p)));
126  json_object_set_new(djs, "tcpwin", json_integer(TCP_GET_WINDOW(p)));
127  json_object_set_new(djs, "syn", TCP_ISSET_FLAG_SYN(p) ? json_true() : json_false());
128  json_object_set_new(djs, "ack", TCP_ISSET_FLAG_ACK(p) ? json_true() : json_false());
129  json_object_set_new(djs, "psh", TCP_ISSET_FLAG_PUSH(p) ? json_true() : json_false());
130  json_object_set_new(djs, "rst", TCP_ISSET_FLAG_RST(p) ? json_true() : json_false());
131  json_object_set_new(djs, "urg", TCP_ISSET_FLAG_URG(p) ? json_true() : json_false());
132  json_object_set_new(djs, "fin", TCP_ISSET_FLAG_FIN(p) ? json_true() : json_false());
133  json_object_set_new(djs, "tcpres", json_integer(TCP_GET_RAW_X2(p->tcph)));
134  json_object_set_new(djs, "tcpurgp", json_integer(TCP_GET_URG_POINTER(p)));
135  }
136  break;
137  case IPPROTO_UDP:
138  if (PKT_IS_UDP(p)) {
139  json_object_set_new(djs, "udplen", json_integer(UDP_GET_LEN(p)));
140  }
141  break;
142  case IPPROTO_ICMP:
143  if (PKT_IS_ICMPV4(p)) {
144  json_object_set_new(djs, "icmp_id", json_integer(ICMPV4_GET_ID(p)));
145  json_object_set_new(djs, "icmp_seq", json_integer(ICMPV4_GET_SEQ(p)));
146  } else if(PKT_IS_ICMPV6(p)) {
147  json_object_set_new(djs, "icmp_id", json_integer(ICMPV6_GET_ID(p)));
148  json_object_set_new(djs, "icmp_seq", json_integer(ICMPV6_GET_SEQ(p)));
149  }
150  break;
151  }
152  json_object_set_new(js, "drop", djs);
153 
154  if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
155  int logged = 0;
156  int i;
157  for (i = 0; i < p->alerts.cnt; i++) {
158  const PacketAlert *pa = &p->alerts.alerts[i];
159  if (unlikely(pa->s == NULL)) {
160  continue;
161  }
163  ((pa->action & ACTION_DROP) && EngineModeIsIPS()))
164  {
165  AlertJsonHeader(NULL, p, pa, js, 0);
166  logged = 1;
167  }
168  }
169  if (logged == 0) {
170  if (p->alerts.drop.action != 0) {
171  const PacketAlert *pa = &p->alerts.drop;
172  AlertJsonHeader(NULL, p, pa, js, 0);
173  }
174  }
175  }
176 
177  OutputJSONBuffer(js, aft->drop_ctx->file_ctx, &aft->buffer);
178  json_object_del(js, "drop");
179  json_object_clear(js);
180  json_decref(js);
181 
182  return TM_ECODE_OK;
183 }
184 
185 static TmEcode JsonDropLogThreadInit(ThreadVars *t, const void *initdata, void **data)
186 {
187  JsonDropLogThread *aft = SCMalloc(sizeof(JsonDropLogThread));
188  if (unlikely(aft == NULL))
189  return TM_ECODE_FAILED;
190  memset(aft, 0, sizeof(*aft));
191 
192  if(initdata == NULL)
193  {
194  SCLogDebug("Error getting context for EveLogDrop. \"initdata\" argument NULL");
195  SCFree(aft);
196  return TM_ECODE_FAILED;
197  }
198 
199  aft->buffer = MemBufferCreateNew(JSON_OUTPUT_BUFFER_SIZE);
200  if (aft->buffer == NULL) {
201  SCFree(aft);
202  return TM_ECODE_FAILED;
203  }
204 
205  /** Use the Ouptut Context (file pointer and mutex) */
206  aft->drop_ctx = ((OutputCtx *)initdata)->data;
207 
208  *data = (void *)aft;
209  return TM_ECODE_OK;
210 }
211 
212 static TmEcode JsonDropLogThreadDeinit(ThreadVars *t, void *data)
213 {
214  JsonDropLogThread *aft = (JsonDropLogThread *)data;
215  if (aft == NULL) {
216  return TM_ECODE_OK;
217  }
218 
219  MemBufferFree(aft->buffer);
220 
221  /* clear memory */
222  memset(aft, 0, sizeof(*aft));
223 
224  SCFree(aft);
225  return TM_ECODE_OK;
226 }
227 
228 static void JsonDropOutputCtxFree(JsonDropOutputCtx *drop_ctx)
229 {
230  if (drop_ctx != NULL) {
231  if (drop_ctx->file_ctx != NULL)
232  LogFileFreeCtx(drop_ctx->file_ctx);
233  SCFree(drop_ctx);
234  }
235 }
236 
237 static void JsonDropLogDeInitCtx(OutputCtx *output_ctx)
238 {
240 
241  JsonDropOutputCtx *drop_ctx = output_ctx->data;
242  JsonDropOutputCtxFree(drop_ctx);
243  SCFree(output_ctx);
244 }
245 
246 static void JsonDropLogDeInitCtxSub(OutputCtx *output_ctx)
247 {
249 
250  JsonDropOutputCtx *drop_ctx = output_ctx->data;
251  SCFree(drop_ctx);
252  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
253  SCFree(output_ctx);
254 }
255 
256 #define DEFAULT_LOG_FILENAME "drop.json"
257 static OutputInitResult JsonDropLogInitCtx(ConfNode *conf)
258 {
259  OutputInitResult result = { NULL, false };
260  if (OutputDropLoggerEnable() != 0) {
261  SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
262  "can be enabled");
263  return result;
264  }
265 
266  JsonDropOutputCtx *drop_ctx = SCCalloc(1, sizeof(*drop_ctx));
267  if (drop_ctx == NULL)
268  return result;
269 
270  drop_ctx->file_ctx = LogFileNewCtx();
271  if (drop_ctx->file_ctx == NULL) {
272  JsonDropOutputCtxFree(drop_ctx);
273  return result;
274  }
275 
276  if (SCConfLogOpenGeneric(conf, drop_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
277  JsonDropOutputCtxFree(drop_ctx);
278  return result;
279  }
280 
281  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
282  if (unlikely(output_ctx == NULL)) {
283  JsonDropOutputCtxFree(drop_ctx);
284  return result;
285  }
286 
287  if (conf) {
288  const char *extended = ConfNodeLookupChildValue(conf, "alerts");
289  if (extended != NULL) {
290  if (ConfValIsTrue(extended)) {
291  drop_ctx->flags = LOG_DROP_ALERTS;
292  }
293  }
294  extended = ConfNodeLookupChildValue(conf, "flows");
295  if (extended != NULL) {
296  if (strcasecmp(extended, "start") == 0) {
297  g_droplog_flows_start = 1;
298  } else if (strcasecmp(extended, "all") == 0) {
299  g_droplog_flows_start = 0;
300  } else {
301  SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
302  "'flow' are 'start' and 'all'");
303  }
304  }
305  }
306 
307  output_ctx->data = drop_ctx;
308  output_ctx->DeInit = JsonDropLogDeInitCtx;
309 
310  result.ctx = output_ctx;
311  result.ok = true;
312  return result;
313 }
314 
315 static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
316 {
317  OutputInitResult result = { NULL, false };
318  if (OutputDropLoggerEnable() != 0) {
319  SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
320  "can be enabled");
321  return result;
322  }
323 
324  OutputJsonCtx *ajt = parent_ctx->data;
325 
326  JsonDropOutputCtx *drop_ctx = SCCalloc(1, sizeof(*drop_ctx));
327  if (drop_ctx == NULL)
328  return result;
329 
330  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
331  if (unlikely(output_ctx == NULL)) {
332  JsonDropOutputCtxFree(drop_ctx);
333  return result;
334  }
335 
336  if (conf) {
337  const char *extended = ConfNodeLookupChildValue(conf, "alerts");
338  if (extended != NULL) {
339  if (ConfValIsTrue(extended)) {
340  drop_ctx->flags = LOG_DROP_ALERTS;
341  }
342  }
343  extended = ConfNodeLookupChildValue(conf, "flows");
344  if (extended != NULL) {
345  if (strcasecmp(extended, "start") == 0) {
346  g_droplog_flows_start = 1;
347  } else if (strcasecmp(extended, "all") == 0) {
348  g_droplog_flows_start = 0;
349  } else {
350  SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
351  "'flow' are 'start' and 'all'");
352  }
353  }
354  }
355 
356  drop_ctx->file_ctx = ajt->file_ctx;
357  drop_ctx->cfg = ajt->cfg;
358 
359  output_ctx->data = drop_ctx;
360  output_ctx->DeInit = JsonDropLogDeInitCtxSub;
361 
362  result.ctx = output_ctx;
363  result.ok = true;
364  return result;
365 }
366 
367 /**
368  * \brief Log the dropped packets when engine is running in inline mode
369  *
370  * \param tv Pointer the current thread variables
371  * \param data Pointer to the droplog struct
372  * \param p Pointer the packet which is being logged
373  *
374  * \retval 0 on succes
375  */
376 static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
377 {
378  JsonDropLogThread *td = thread_data;
379  int r = DropLogJSON(td, p);
380  if (r < 0)
381  return -1;
382 
383  if (!g_droplog_flows_start)
384  return 0;
385 
386  if (p->flow) {
387  if (p->flow->flags & FLOW_ACTION_DROP) {
390  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
392  }
393  }
394  return 0;
395 }
396 
397 
398 /**
399  * \brief Check if we need to drop-log this packet
400  *
401  * \param tv Pointer the current thread variables
402  * \param p Pointer the packet which is tested
403  *
404  * \retval bool TRUE or FALSE
405  */
406 static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
407 {
408  if (!EngineModeIsIPS()) {
409  SCLogDebug("engine is not running in inline mode, so returning");
410  return FALSE;
411  }
412  if (PKT_IS_PSEUDOPKT(p)) {
413  SCLogDebug("drop log doesn't log pseudo packets");
414  return FALSE;
415  }
416 
417  if (g_droplog_flows_start && p->flow != NULL) {
418  int ret = FALSE;
419 
420  /* for a flow that will be dropped fully, log just once per direction */
421  if (p->flow->flags & FLOW_ACTION_DROP) {
423  ret = TRUE;
424  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
425  ret = TRUE;
426  }
427 
428  /* if drop is caused by signature, log anyway */
429  if (p->alerts.drop.action != 0)
430  ret = TRUE;
431 
432  return ret;
433  } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
434  return TRUE;
435  }
436 
437  return FALSE;
438 }
439 
440 void JsonDropLogRegister (void)
441 {
443  JsonDropLogInitCtx, JsonDropLogger, JsonDropLogCondition,
444  JsonDropLogThreadInit, JsonDropLogThreadDeinit, NULL);
446  "eve-log.drop", JsonDropLogInitCtxSub, JsonDropLogger,
447  JsonDropLogCondition, JsonDropLogThreadInit, JsonDropLogThreadDeinit,
448  NULL);
449 }
450 
451 #else
452 
454 {
455 }
456 
457 #endif
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
#define TCP_GET_RAW_X2(tcph)
Definition: decode-tcp.h:66
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:445
#define ACTION_REJECT_DST
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:857
#define FALSE
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:258
#define IPV4_GET_IPPROTO(p)
Definition: decode-ipv4.h:148
int logged
#define unlikely(expr)
Definition: util-optimize.h:35
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
#define ACTION_REJECT
uint8_t action
Definition: decode.h:271
#define FLOW_ACTION_DROP
Definition: flow.h:64
#define ICMPV6_GET_ID(p)
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:90
#define MODULE_NAME
int OutputDropLoggerEnable(void)
Definition: output.c:849
#define PKT_IS_IPV6(p)
Definition: decode.h:252
#define TCP_GET_WINDOW(p)
Definition: decode-tcp.h:109
#define ICMPV6_GET_SEQ(p)
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
TCPHdr * tcph
Definition: decode.h:522
int EngineModeIsIPS(void)
Definition: suricata.c:245
#define TRUE
#define ICMPV4_GET_SEQ(p)
#define PKT_IS_IPV4(p)
Definition: decode.h:251
#define TCP_ISSET_FLAG_SYN(p)
Definition: decode-tcp.h:115
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:294
const struct Signature_ * s
Definition: decode.h:273
#define SCCalloc(nm, a)
Definition: util-mem.h:253
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843
#define TCP_GET_SEQ(p)
Definition: decode-tcp.h:107
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:161
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:202
#define ACTION_REJECT_BOTH
#define TCP_ISSET_FLAG_URG(p)
Definition: decode-tcp.h:119
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
#define PKT_IS_ICMPV6(p)
Definition: decode.h:256
#define IPV6_GET_FLOW(p)
Definition: decode-ipv6.h:84
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
#define PKT_IS_TOSERVER(p)
Definition: decode.h:257
#define IPV6_GET_CLASS(p)
Definition: decode-ipv6.h:82
#define UDP_GET_LEN(p)
Definition: decode-udp.h:35
void JsonDropLogRegister(void)
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
#define FLOW_TOCLIENT_DROP_LOGGED
Definition: flow.h:74
uint8_t proto
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
#define IPV6_GET_L4PROTO(p)
Definition: decode-ipv6.h:93
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
#define IPV4_GET_IPLEN(p)
Definition: decode-ipv4.h:127
Definition: conf.h:32
#define TCP_ISSET_FLAG_RST(p)
Definition: decode-tcp.h:116
OutputCtx * ctx
Definition: output.h:42
#define DEFAULT_LOG_FILENAME
#define SCMalloc(a)
Definition: util-mem.h:222
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define ICMPV4_GET_ID(p)
#define SCFree(a)
Definition: util-mem.h:322
#define PKT_IS_TCP(p)
Definition: decode.h:253
#define TCP_ISSET_FLAG_ACK(p)
Definition: decode-tcp.h:118
PacketAlert drop
Definition: decode.h:297
void OutputDropLoggerDisable(void)
Definition: output.c:857
void * data
Definition: tm-modules.h:81
#define PKT_IS_ICMPV4(p)
Definition: decode.h:255
#define IPV4_GET_IPTOS(p)
Definition: decode-ipv4.h:125
PacketAlerts alerts
Definition: decode.h:555
#define TCP_GET_URG_POINTER(p)
Definition: decode-tcp.h:110
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1129
#define TCP_ISSET_FLAG_PUSH(p)
Definition: decode-tcp.h:117
uint16_t cnt
Definition: decode.h:293
#define PKT_IS_UDP(p)
Definition: decode.h:254
Per thread variable structure.
Definition: threadvars.h:57
#define ACTION_DROP
#define TCP_GET_ACK(p)
Definition: decode-tcp.h:108
#define TCP_ISSET_FLAG_FIN(p)
Definition: decode-tcp.h:114
#define IPV4_GET_IPID(p)
Definition: decode-ipv4.h:129
uint32_t flags
Definition: flow.h:379
#define FLOW_TOSERVER_DROP_LOGGED
Definition: flow.h:72
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
#define IPV4_GET_IPTTL(p)
Definition: decode-ipv4.h:146