suricata
output-json-email-common.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  * \author Eric Leblond <eric@regit.org>
23  *
24  * Implements json common email logging portion of the engine.
25  */
26 
27 #include "suricata-common.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 #include "suricata.h"
32 
33 #include "threads.h"
34 #include "threadvars.h"
35 #include "tm-threads.h"
36 #include "tm-threads-common.h"
37 
38 #include "util-print.h"
39 #include "util-unittest.h"
40 
41 #include "util-debug.h"
42 #include "app-layer-parser.h"
43 #include "output.h"
44 #include "app-layer-smtp.h"
45 #include "app-layer.h"
46 #include "util-privs.h"
47 #include "util-buffer.h"
48 #include "util-byte.h"
49 
50 #include "util-logopenfile.h"
51 
52 #include "output-json.h"
53 #include "output-json-email-common.h"
54 #include "flow-bindgen.h"
55 
56 #define LOG_EMAIL_DEFAULT 0
57 #define LOG_EMAIL_EXTENDED (1<<0)
58 #define LOG_EMAIL_ARRAY (1<<1) /* require array handling */
59 #define LOG_EMAIL_COMMA (1<<2) /* require array handling */
60 #define LOG_EMAIL_BODY_MD5 (1<<3)
61 #define LOG_EMAIL_SUBJECT_MD5 (1<<4)
62 
63 struct {
64  const char *config_field;
65  const char *email_field;
66  uint32_t flags;
67 } email_fields[] = {
68  { "reply_to", "reply-to", LOG_EMAIL_DEFAULT },
69  { "bcc", "bcc", LOG_EMAIL_COMMA|LOG_EMAIL_EXTENDED },
70  { "message_id", "message-id", LOG_EMAIL_EXTENDED },
71  { "subject", "subject", LOG_EMAIL_EXTENDED },
72  { "x_mailer", "x-mailer", LOG_EMAIL_EXTENDED },
73  { "user_agent", "user-agent", LOG_EMAIL_EXTENDED },
74  { "received", "received", LOG_EMAIL_ARRAY },
75  { "x_originating_ip", "x-originating-ip", LOG_EMAIL_DEFAULT },
76  { "in_reply_to", "in-reply-to", LOG_EMAIL_DEFAULT },
77  { "references", "references", LOG_EMAIL_DEFAULT },
78  { "importance", "importance", LOG_EMAIL_DEFAULT },
79  { "priority", "priority", LOG_EMAIL_DEFAULT },
80  { "sensitivity", "sensitivity", LOG_EMAIL_DEFAULT },
81  { "organization", "organization", LOG_EMAIL_DEFAULT },
82  { "content_md5", "content-md5", LOG_EMAIL_DEFAULT },
83  { "date", "date", LOG_EMAIL_DEFAULT },
84  { NULL, NULL, LOG_EMAIL_DEFAULT},
85 };
86 
87 static void EveEmailLogJSONMd5(
88  OutputJsonEmailCtx *email_ctx, SCJsonBuilder *js, SMTPTransaction *tx)
89 {
90  if (email_ctx->flags & LOG_EMAIL_SUBJECT_MD5) {
91  MimeStateSMTP *entity = tx->mime_state;
92  if (entity == NULL) {
93  return;
94  }
95  SCMimeSmtpLogSubjectMd5(js, entity);
96  }
97 
98  if (email_ctx->flags & LOG_EMAIL_BODY_MD5) {
99  MimeStateSMTP *entity = tx->mime_state;
100  if (entity == NULL) {
101  return;
102  }
103  SCMimeSmtpLogBodyMd5(js, entity);
104  }
105 }
106 
107 static void EveEmailLogJSONCustom(
108  OutputJsonEmailCtx *email_ctx, SCJsonBuilder *js, SMTPTransaction *tx)
109 {
110  int f = 0;
111  MimeStateSMTP *entity = tx->mime_state;
112  if (entity == NULL) {
113  return;
114  }
115 
116  while(email_fields[f].config_field) {
117  if (((email_ctx->fields & (1ULL<<f)) != 0)
118  ||
119  ((email_ctx->flags & LOG_EMAIL_EXTENDED) && (email_fields[f].flags & LOG_EMAIL_EXTENDED))
120  ) {
121  if (email_fields[f].flags & LOG_EMAIL_ARRAY) {
122  SCMimeSmtpLogFieldArray(
123  js, entity, email_fields[f].email_field, email_fields[f].config_field);
124  } else if (email_fields[f].flags & LOG_EMAIL_COMMA) {
125  SCMimeSmtpLogFieldComma(
126  js, entity, email_fields[f].email_field, email_fields[f].config_field);
127  } else {
128  SCMimeSmtpLogFieldString(
129  js, entity, email_fields[f].email_field, email_fields[f].config_field);
130  }
131 
132  }
133  f++;
134  }
135 }
136 
137 /* JSON format logging */
138 static bool EveEmailLogJsonData(
139  const Flow *f, void *state, void *vtx, uint64_t tx_id, SCJsonBuilder *sjs)
140 {
141  SMTPState *smtp_state;
142  MimeStateSMTP *mime_state;
143 
144  /* check if we have SMTP state or not */
145  AppProto proto = SCFlowGetAppProtocol(f);
146  switch (proto) {
147  case ALPROTO_SMTP:
148  smtp_state = (SMTPState *)state;
149  if (smtp_state == NULL) {
150  SCLogDebug("no smtp state, so no request logging");
151  SCJbFree(sjs);
152  SCReturnPtr(NULL, "SCJsonBuilder");
153  }
154  SMTPTransaction *tx = vtx;
155  mime_state = tx->mime_state;
156  SCLogDebug("lets go mime_state %p", mime_state);
157  break;
158  default:
159  /* don't know how we got here */
160  SCReturnBool(false);
161  }
162  if ((mime_state != NULL)) {
163  SCMimeSmtpLogData(sjs, mime_state);
164  SCReturnBool(true);
165  }
166 
167  SCReturnBool(false);
168 }
169 
170 /* JSON format logging */
171 TmEcode EveEmailLogJson(JsonEmailLogThread *aft, SCJsonBuilder *js, const Packet *p, Flow *f,
172  void *state, void *vtx, uint64_t tx_id)
173 {
174  OutputJsonEmailCtx *email_ctx = aft->emaillog_ctx;
175  SMTPTransaction *tx = (SMTPTransaction *) vtx;
176  SCJsonBuilderMark mark = { 0, 0, 0 };
177 
178  SCJbGetMark(js, &mark);
179  SCJbOpenObject(js, "email");
180  if (!EveEmailLogJsonData(f, state, vtx, tx_id, js)) {
181  SCJbRestoreMark(js, &mark);
182  SCReturnInt(TM_ECODE_FAILED);
183  }
184 
185  if ((email_ctx->flags & LOG_EMAIL_EXTENDED) || (email_ctx->fields != 0))
186  EveEmailLogJSONCustom(email_ctx, js, tx);
187 
188  if (!g_disable_hashing) {
189  EveEmailLogJSONMd5(email_ctx, js, tx);
190  }
191 
192  SCJbClose(js);
193  SCReturnInt(TM_ECODE_OK);
194 }
195 
196 bool EveEmailAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
197 {
198  SMTPState *smtp_state = (SMTPState *)FlowGetAppState(f);
199  if (smtp_state) {
200  SMTPTransaction *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_SMTP, smtp_state, tx_id);
201  if (tx) {
202  return EveEmailLogJsonData(f, smtp_state, tx, tx_id, js);
203  }
204  }
205 
206  return false;
207 }
208 
209 void OutputEmailInitConf(SCConfNode *conf, OutputJsonEmailCtx *email_ctx)
210 {
211  if (conf) {
212  const char *extended = SCConfNodeLookupChildValue(conf, "extended");
213 
214  if (extended != NULL) {
215  if (SCConfValIsTrue(extended)) {
216  email_ctx->flags = LOG_EMAIL_EXTENDED;
217  }
218  }
219 
220  email_ctx->fields = 0;
221  SCConfNode *custom;
222  if ((custom = SCConfNodeLookupChild(conf, "custom")) != NULL) {
223  SCConfNode *field;
224  TAILQ_FOREACH (field, &custom->head, next) {
225  int f = 0;
226  while (email_fields[f].config_field) {
227  if ((strcmp(email_fields[f].config_field, field->val) == 0) ||
228  (strcasecmp(email_fields[f].email_field, field->val) == 0)) {
229  email_ctx->fields |= (1ULL << f);
230  break;
231  }
232  f++;
233  }
234  }
235  }
236 
237  email_ctx->flags = 0;
238  SCConfNode *md5_conf;
239  if ((md5_conf = SCConfNodeLookupChild(conf, "md5")) != NULL) {
240  SCConfNode *field;
241  TAILQ_FOREACH (field, &md5_conf->head, next) {
242  if (strcmp("body", field->val) == 0) {
243  SCLogInfo("Going to log the md5 sum of email body");
244  email_ctx->flags |= LOG_EMAIL_BODY_MD5;
245  }
246  if (strcmp("subject", field->val) == 0) {
247  SCLogInfo("Going to log the md5 sum of email subject");
248  email_ctx->flags |= LOG_EMAIL_SUBJECT_MD5;
249  }
250  }
251  }
252  }
253 }
util-byte.h
tm-threads.h
SMTPState_
Definition: app-layer-smtp.h:117
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:552
LOG_EMAIL_COMMA
#define LOG_EMAIL_COMMA
Definition: output-json-email-common.c:59
JsonEmailLogThread_
Definition: output-json-email-common.h:33
LOG_EMAIL_EXTENDED
#define LOG_EMAIL_EXTENDED
Definition: output-json-email-common.c:57
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
SCFlowGetAppProtocol
AppProto SCFlowGetAppProtocol(const Flow *f)
Definition: flow.c:1234
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
EveEmailLogJson
TmEcode EveEmailLogJson(JsonEmailLogThread *aft, SCJsonBuilder *js, const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id)
Definition: output-json-email-common.c:171
tm-threads-common.h
util-privs.h
email_field
const char * email_field
Definition: output-json-email-common.c:65
flags
uint32_t flags
Definition: output-json-email-common.c:66
proto
uint8_t proto
Definition: decode-template.h:0
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:852
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
util-unittest.h
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
SCReturnBool
#define SCReturnBool(x)
Definition: util-debug.h:302
util-debug.h
OutputJsonEmailCtx_::fields
uint64_t fields
Definition: output-json-email-common.h:29
output-json.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:38
util-print.h
detect.h
pkt-var.h
output-json-email-common.h
app-layer-parser.h
Packet_
Definition: decode.h:505
SMTPTransaction_
Definition: app-layer-smtp.h:73
conf.h
TmEcode
TmEcode
Definition: tm-threads-common.h:80
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:300
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1133
LOG_EMAIL_DEFAULT
#define LOG_EMAIL_DEFAULT
Definition: output-json-email-common.c:56
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:824
EveEmailAddMetadata
bool EveEmailAddMetadata(const Flow *f, uint64_t tx_id, SCJsonBuilder *js)
Definition: output-json-email-common.c:196
config_field
const char * config_field
Definition: output-json-email-common.c:64
suricata-common.h
LOG_EMAIL_ARRAY
#define LOG_EMAIL_ARRAY
Definition: output-json-email-common.c:58
threadvars.h
email_fields
struct @135 email_fields[]
util-logopenfile.h
util-buffer.h
flow-bindgen.h
suricata.h
LOG_EMAIL_SUBJECT_MD5
#define LOG_EMAIL_SUBJECT_MD5
Definition: output-json-email-common.c:61
OutputEmailInitConf
void OutputEmailInitConf(SCConfNode *conf, OutputJsonEmailCtx *email_ctx)
Definition: output-json-email-common.c:209
app-layer-smtp.h
JsonEmailLogThread_::emaillog_ctx
OutputJsonEmailCtx * emaillog_ctx
Definition: output-json-email-common.h:34
OutputJsonEmailCtx_::flags
uint32_t flags
Definition: output-json-email-common.h:28
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
SCConfNode_
Definition: conf.h:37
OutputJsonEmailCtx_
Definition: output-json-email-common.h:27
SCConfNode_::val
char * val
Definition: conf.h:39
LOG_EMAIL_BODY_MD5
#define LOG_EMAIL_BODY_MD5
Definition: output-json-email-common.c:60
output.h
app-layer.h
SMTPTransaction_::mime_state
MimeStateSMTP * mime_state
Definition: app-layer-smtp.h:86
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:218