suricata
output-json-file.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Log files we track.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "pkt-var.h"
31 #include "conf.h"
32 
33 #include "threadvars.h"
34 #include "tm-modules.h"
35 
36 #include "threads.h"
37 
38 #include "app-layer-parser.h"
39 
40 #include "detect-filemagic.h"
41 
42 #include "stream.h"
43 
44 #include "util-print.h"
45 #include "util-unittest.h"
46 #include "util-privs.h"
47 #include "util-debug.h"
48 #include "util-atomic.h"
49 #include "util-file.h"
50 #include "util-time.h"
51 #include "util-buffer.h"
52 #include "util-byte.h"
53 #include "util-validate.h"
54 
55 #include "util-logopenfile.h"
56 
57 #include "output.h"
58 #include "output-json.h"
59 #include "output-json-file.h"
60 #include "output-json-http.h"
61 #include "output-json-smtp.h"
62 #include "output-json-email-common.h"
63 #include "output-json-nfs.h"
64 #include "output-json-smb.h"
65 
66 #include "app-layer-htp.h"
67 #include "app-layer-htp-xff.h"
68 #include "util-memcmp.h"
69 #include "stream-tcp-reassemble.h"
70 
71 typedef struct OutputFileCtx_ {
72  LogFileCtx *file_ctx;
73  uint32_t file_cnt;
74  HttpXFFCfg *xff_cfg;
75  HttpXFFCfg *parent_xff_cfg;
76 } OutputFileCtx;
77 
78 typedef struct JsonFileLogThread_ {
79  OutputFileCtx *filelog_ctx;
80  MemBuffer *buffer;
81 } JsonFileLogThread;
82 
83 json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
84  const bool stored, uint8_t dir, HttpXFFCfg *xff_cfg)
85 {
86  json_t *hjs = NULL;
87  enum OutputJsonLogDirection fdir = LOG_DIR_FLOW;
88 
89  switch(dir) {
90  case STREAM_TOCLIENT:
91  fdir = LOG_DIR_FLOW_TOCLIENT;
92  break;
93  case STREAM_TOSERVER:
94  fdir = LOG_DIR_FLOW_TOSERVER;
95  break;
96  default:
97  DEBUG_VALIDATE_BUG_ON(1);
98  break;
99  }
100 
101  json_t *js = CreateJSONHeader(p, fdir, "fileinfo");
102  if (unlikely(js == NULL))
103  return NULL;
104 
105  switch (p->flow->alproto) {
106  case ALPROTO_HTTP:
107  hjs = JsonHttpAddMetadata(p->flow, ff->txid);
108  if (hjs)
109  json_object_set_new(js, "http", hjs);
110  break;
111  case ALPROTO_SMTP:
112  hjs = JsonSMTPAddMetadata(p->flow, ff->txid);
113  if (hjs)
114  json_object_set_new(js, "smtp", hjs);
115  hjs = JsonEmailAddMetadata(p->flow, ff->txid);
116  if (hjs)
117  json_object_set_new(js, "email", hjs);
118  break;
119  case ALPROTO_NFS:
120  hjs = JsonNFSAddMetadataRPC(p->flow, ff->txid);
121  if (hjs)
122  json_object_set_new(js, "rpc", hjs);
123  hjs = JsonNFSAddMetadata(p->flow, ff->txid);
124  if (hjs)
125  json_object_set_new(js, "nfs", hjs);
126  break;
127  case ALPROTO_SMB:
128  hjs = JsonSMBAddMetadata(p->flow, ff->txid);
129  if (hjs)
130  json_object_set_new(js, "smb", hjs);
131  break;
132  }
133 
134  json_object_set_new(js, "app_proto",
135  json_string(AppProtoToString(p->flow->alproto)));
136 
137  json_t *fjs = json_object();
138  if (unlikely(fjs == NULL)) {
139  json_decref(js);
140  return NULL;
141  }
142 
143  size_t filename_size = ff->name_len * 2 + 1;
144  char filename_string[filename_size];
145  BytesToStringBuffer(ff->name, ff->name_len, filename_string, filename_size);
146  json_object_set_new(fjs, "filename", SCJsonString(filename_string));
147 
148  json_t *sig_ids = json_array();
149  if (unlikely(sig_ids == NULL)) {
150  json_decref(js);
151  return NULL;
152  }
153 
154  for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
155  json_array_append_new(sig_ids, json_integer(ff->sid[i]));
156  }
157  json_object_set_new(fjs, "sid", sig_ids);
158 
159 #ifdef HAVE_MAGIC
160  if (ff->magic)
161  json_object_set_new(fjs, "magic", json_string((char *)ff->magic));
162 #endif
163  json_object_set_new(fjs, "gaps", json_boolean((ff->flags & FILE_HAS_GAPS)));
164  switch (ff->state) {
165  case FILE_STATE_CLOSED:
166  json_object_set_new(fjs, "state", json_string("CLOSED"));
167 #ifdef HAVE_NSS
168  if (ff->flags & FILE_MD5) {
169  size_t x;
170  int i;
171  char str[256];
172  for (i = 0, x = 0; x < sizeof(ff->md5); x++) {
173  i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]);
174  }
175  json_object_set_new(fjs, "md5", json_string(str));
176  }
177  if (ff->flags & FILE_SHA1) {
178  size_t x;
179  int i;
180  char str[256];
181  for (i = 0, x = 0; x < sizeof(ff->sha1); x++) {
182  i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]);
183  }
184  json_object_set_new(fjs, "sha1", json_string(str));
185  }
186 #endif
187  break;
188  case FILE_STATE_TRUNCATED:
189  json_object_set_new(fjs, "state", json_string("TRUNCATED"));
190  break;
191  case FILE_STATE_ERROR:
192  json_object_set_new(fjs, "state", json_string("ERROR"));
193  break;
194  default:
195  json_object_set_new(fjs, "state", json_string("UNKNOWN"));
196  break;
197  }
198 
199 #ifdef HAVE_NSS
200  if (ff->flags & FILE_SHA256) {
201  size_t x;
202  int i;
203  char str[256];
204  for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
205  i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
206  }
207  json_object_set_new(fjs, "sha256", json_string(str));
208  }
209 #endif
210 
211  json_object_set_new(fjs, "stored", stored ? json_true() : json_false());
212  if (ff->flags & FILE_STORED) {
213  json_object_set_new(fjs, "file_id", json_integer(ff->file_store_id));
214  }
215  json_object_set_new(fjs, "size", json_integer(FileTrackedSize(ff)));
216  if (ff->end > 0) {
217  json_object_set_new(fjs, "start", json_integer(ff->start));
218  json_object_set_new(fjs, "end", json_integer(ff->end));
219  }
220  json_object_set_new(fjs, "tx_id", json_integer(ff->txid));
221 
222  /* xff header */
223  if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED)) {
224  int have_xff_ip = 0;
225  char buffer[XFF_MAXLEN];
226 
227  if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
228  have_xff_ip = HttpXFFGetIPFromTx(p->flow, ff->txid, xff_cfg, buffer, XFF_MAXLEN);
229  }
230 
231  if (have_xff_ip) {
232  if (xff_cfg->flags & XFF_EXTRADATA) {
233  json_object_set_new(js, "xff", json_string(buffer));
234  }
235  else if (xff_cfg->flags & XFF_OVERWRITE) {
236  if (p->flowflags & FLOW_PKT_TOCLIENT) {
237  json_object_set(js, "dest_ip", json_string(buffer));
238  } else {
239  json_object_set(js, "src_ip", json_string(buffer));
240  }
241  }
242  }
243  }
244 
245  /* originally just 'file', but due to bug 1127 naming it fileinfo */
246  json_object_set_new(js, "fileinfo", fjs);
247 
248  return js;
249 }
250 
251 /**
252  * \internal
253  * \brief Write meta data on a single line json record
254  */
255 static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p,
256  const File *ff, uint32_t dir)
257 {
258  HttpXFFCfg *xff_cfg = aft->filelog_ctx->xff_cfg != NULL ?
259  aft->filelog_ctx->xff_cfg : aft->filelog_ctx->parent_xff_cfg;;
260  json_t *js = JsonBuildFileInfoRecord(p, ff,
261  ff->flags & FILE_STORED ? true : false, dir, xff_cfg);
262  if (unlikely(js == NULL)) {
263  return;
264  }
265 
266  MemBufferReset(aft->buffer);
267  OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, &aft->buffer);
268  json_decref(js);
269 }
270 
271 static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p,
272  const File *ff, uint8_t dir)
273 {
274  SCEnter();
275  JsonFileLogThread *aft = (JsonFileLogThread *)thread_data;
276 
277  BUG_ON(ff->flags & FILE_LOGGED);
278 
279  SCLogDebug("ff %p", ff);
280 
281  FileWriteJsonRecord(aft, p, ff, dir);
282  return 0;
283 }
284 
285 
286 static TmEcode JsonFileLogThreadInit(ThreadVars *t, const void *initdata, void **data)
287 {
288  JsonFileLogThread *aft = SCMalloc(sizeof(JsonFileLogThread));
289  if (unlikely(aft == NULL))
290  return TM_ECODE_FAILED;
291  memset(aft, 0, sizeof(JsonFileLogThread));
292 
293  if(initdata == NULL)
294  {
295  SCLogDebug("Error getting context for EveLogFile. \"initdata\" argument NULL");
296  SCFree(aft);
297  return TM_ECODE_FAILED;
298  }
299 
300  /* Use the Ouptut Context (file pointer and mutex) */
301  aft->filelog_ctx = ((OutputCtx *)initdata)->data;
302 
303  aft->buffer = MemBufferCreateNew(JSON_OUTPUT_BUFFER_SIZE);
304  if (aft->buffer == NULL) {
305  SCFree(aft);
306  return TM_ECODE_FAILED;
307  }
308 
309  *data = (void *)aft;
310  return TM_ECODE_OK;
311 }
312 
313 static TmEcode JsonFileLogThreadDeinit(ThreadVars *t, void *data)
314 {
315  JsonFileLogThread *aft = (JsonFileLogThread *)data;
316  if (aft == NULL) {
317  return TM_ECODE_OK;
318  }
319 
320  MemBufferFree(aft->buffer);
321  /* clear memory */
322  memset(aft, 0, sizeof(JsonFileLogThread));
323 
324  SCFree(aft);
325  return TM_ECODE_OK;
326 }
327 
328 static void OutputFileLogDeinitSub(OutputCtx *output_ctx)
329 {
330  OutputFileCtx *ff_ctx = output_ctx->data;
331  if (ff_ctx->xff_cfg != NULL) {
332  SCFree(ff_ctx->xff_cfg);
333  }
334  SCFree(ff_ctx);
335  SCFree(output_ctx);
336 }
337 
338 /** \brief Create a new http log LogFileCtx.
339  * \param conf Pointer to ConfNode containing this loggers configuration.
340  * \return NULL if failure, LogFileCtx* to the file_ctx if succesful
341  * */
342 static OutputInitResult OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
343 {
344  OutputInitResult result = { NULL, false };
345  OutputJsonCtx *ojc = parent_ctx->data;
346 
347  OutputFileCtx *output_file_ctx = SCCalloc(1, sizeof(OutputFileCtx));
348  if (unlikely(output_file_ctx == NULL))
349  return result;
350 
351  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
352  if (unlikely(output_ctx == NULL)) {
353  SCFree(output_file_ctx);
354  return result;
355  }
356 
357  output_file_ctx->file_ctx = ojc->file_ctx;
358 
359  if (conf) {
360  const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
361  if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
362  FileForceFilestoreEnable();
363  SCLogConfig("forcing filestore of all files");
364  }
365 
366  const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
367  if (force_magic != NULL && ConfValIsTrue(force_magic)) {
368  FileForceMagicEnable();
369  SCLogConfig("forcing magic lookup for logged files");
370  }
371 
372  FileForceHashParseCfg(conf);
373  }
374 
375  if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
376  output_file_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
377  if (output_file_ctx->xff_cfg != NULL) {
378  HttpXFFGetCfg(conf, output_file_ctx->xff_cfg);
379  }
380  } else if (ojc->xff_cfg) {
381  output_file_ctx->parent_xff_cfg = ojc->xff_cfg;
382  }
383 
384  output_ctx->data = output_file_ctx;
385  output_ctx->DeInit = OutputFileLogDeinitSub;
386 
387  FileForceTrackingEnable();
388  result.ctx = output_ctx;
389  result.ok = true;
390  return result;
391 }
392 
393 void JsonFileLogRegister (void)
394 {
395  /* register as child of eve-log */
396  OutputRegisterFileSubModule(LOGGER_JSON_FILE, "eve-log", "JsonFileLog",
397  "eve-log.files", OutputFileLogInitSub, JsonFileLogger,
398  JsonFileLogThreadInit, JsonFileLogThreadDeinit, NULL);
399 }
XFF_MAXLEN
#define XFF_MAXLEN
Definition: app-layer-htp-xff.h:39
util-byte.h
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:82
XFF_EXTRADATA
#define XFF_EXTRADATA
Definition: app-layer-htp-xff.h:31
FileForceTrackingEnable
void FileForceTrackingEnable(void)
Definition: util-file.c:163
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:43
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:44
threads.h
json_boolean
#define json_boolean(val)
Definition: suricata-common.h:245
OutputJsonCtx_
Definition: output-json.h:78
File_::state
FileState state
Definition: util-file.h:66
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
LogFileCtx_
Definition: util-logopenfile.h:52
JsonFileLogRegister
void JsonFileLogRegister(void)
Definition: output-json-file.c:393
JsonSMTPAddMetadata
json_t * JsonSMTPAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-smtp.c:118
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:70
OutputRegisterFileSubModule
void OutputRegisterFileSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, FileLogger FileLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a file output sub-module.
Definition: output.c:469
tm-modules.h
JsonFileLogThread_::buffer
MemBuffer * buffer
Definition: output-json-file.c:80
util-privs.h
stream-tcp-reassemble.h
FileForceMagicEnable
void FileForceMagicEnable(void)
Definition: util-file.c:100
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:57
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
OutputFileCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json-file.c:74
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:79
JsonNFSAddMetadataRPC
json_t * JsonNFSAddMetadataRPC(const Flow *f, uint64_t tx_id)
Definition: output-json-nfs.c:51
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:107
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:78
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
util-memcmp.h
JsonHttpAddMetadata
json_t * JsonHttpAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-http.c:565
File_::name_len
uint16_t name_len
Definition: util-file.h:65
app-layer-htp.h
util-debug.h
File_::end
uint64_t end
Definition: util-file.h:93
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
LOGGER_JSON_FILE
@ LOGGER_JSON_FILE
Definition: suricata-common.h:456
output-json.h
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
output-json-file.h
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
util-print.h
detect-filemagic.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
JsonBuildFileInfoRecord
json_t * JsonBuildFileInfoRecord(const Packet *p, const File *ff, const bool stored, uint8_t dir, HttpXFFCfg *xff_cfg)
Definition: output-json-file.c:83
pkt-var.h
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:308
util-atomic.h
output-json-email-common.h
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:43
app-layer-parser.h
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
stream.h
Packet_
Definition: decode.h:408
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
conf.h
XFF_OVERWRITE
#define XFF_OVERWRITE
Definition: app-layer-htp-xff.h:33
TmEcode
TmEcode
Definition: tm-threads-common.h:77
File_::name
uint8_t * name
Definition: util-file.h:73
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-json.h:39
File_::sid
uint32_t * sid
Definition: util-file.h:95
MemBuffer_
Definition: util-buffer.h:27
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:217
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:96
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:815
File_::flags
uint16_t flags
Definition: util-file.h:64
util-file.h
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:55
File_
Definition: util-file.h:63
OutputInitResult_
Definition: output.h:41
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
suricata-common.h
FileForceFilestoreEnable
void FileForceFilestoreEnable(void)
Definition: util-file.c:94
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputFileCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-file.c:72
CreateJSONHeader
json_t * CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type)
Definition: output-json.c:710
output-json-nfs.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
FILE_STORED
#define FILE_STORED
Definition: util-file.h:47
JsonFileLogThread_
Definition: output-json-file.c:78
FileForceHashParseCfg
void FileForceHashParseCfg(ConfNode *conf)
Function to parse forced file hashing configuration.
Definition: util-file.c:172
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
JsonSMBAddMetadata
json_t * JsonSMBAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-smb.c:50
FILE_MD5
#define FILE_MD5
Definition: util-file.h:39
JsonNFSAddMetadata
json_t * JsonNFSAddMetadata(const Flow *f, uint64_t tx_id)
Definition: output-json-nfs.c:64
OutputJsonLogDirection
OutputJsonLogDirection
Definition: output-json.h:36
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
File_::start
uint64_t start
Definition: util-file.h:92
threadvars.h
util-validate.h
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:38
FlowGetAppProtocol
AppProto FlowGetAppProtocol(const Flow *f)
Definition: flow.c:1077
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
HttpXFFCfg_::flags
uint8_t flags
Definition: app-layer-htp-xff.h:42
FILE_LOGGED
#define FILE_LOGGED
Definition: util-file.h:44
str
#define str(s)
Definition: suricata-common.h:256
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-json.h:40
ConfNode_
Definition: conf.h:32
util-logopenfile.h
util-buffer.h
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
BytesToStringBuffer
void BytesToStringBuffer(const uint8_t *bytes, size_t nbytes, char *outstr, size_t outlen)
Turn byte array into string.
Definition: util-byte.c:85
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:79
JsonFileLogThread
struct JsonFileLogThread_ JsonFileLogThread
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:809
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:41
File_::txid
uint64_t txid
Definition: util-file.h:68
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
output-json-smb.h
ALPROTO_SMB
@ ALPROTO_SMB
Definition: app-layer-protos.h:37
JsonEmailAddMetadata
json_t * JsonEmailAddMetadata(const Flow *f, uint32_t tx_id)
Definition: output-json-email-common.c:398
OutputFileCtx_
Definition: output-json-file.c:71
HttpXFFGetIPFromTx
int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
Function to return XFF IP if any in the selected transaction. The caller needs to lock the flow.
Definition: app-layer-htp-xff.c:113
output-json-smtp.h
output-json-http.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:423
OutputFileCtx
struct OutputFileCtx_ OutputFileCtx
XFF_DISABLED
#define XFF_DISABLED
Definition: app-layer-htp-xff.h:29
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:59
JsonFileLogThread_::filelog_ctx
OutputFileCtx * filelog_ctx
Definition: output-json-file.c:79
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
OutputFileCtx_::file_cnt
uint32_t file_cnt
Definition: output-json-file.c:73
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:50
output.h
OutputFileCtx_::parent_xff_cfg
HttpXFFCfg * parent_xff_cfg
Definition: output-json-file.c:75
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:843