Go to the documentation of this file.
55 static SCJsonBuilder *CreateEveHeaderFromFlow(
const Flow *f)
58 char srcip[46] = {0}, dstip[46] = {0};
61 SCJsonBuilder *jb = SCJbNewObject();
72 PrintInet(AF_INET, (
const void *)&(f->
src.addr_data32[0]), srcip,
sizeof(srcip));
73 PrintInet(AF_INET, (
const void *)&(f->
dst.addr_data32[0]), dstip,
sizeof(dstip));
82 PrintInet(AF_INET, (
const void *)&(f->
dst.addr_data32[0]), srcip,
sizeof(srcip));
83 PrintInet(AF_INET, (
const void *)&(f->
src.addr_data32[0]), dstip,
sizeof(dstip));
93 SCJbSetString(jb,
"timestamp", timebuf);
100 json_object_set_new(js,
"sensor_id", json_integer(sensor_id));
105 SCJbSetString(jb,
"in_iface", f->
livedev->
dev);
112 SCJbOpenArray(jb,
"vlan");
113 SCJbAppendUint(jb, f->
vlan_id[0]);
115 SCJbAppendUint(jb, f->
vlan_id[1]);
118 SCJbAppendUint(jb, f->
vlan_id[2]);
124 SCJbSetString(jb,
"src_ip", srcip);
131 SCJbSetUint(jb,
"src_port", sp);
134 SCJbSetString(jb,
"dest_ip", dstip);
141 SCJbSetUint(jb,
"dest_port", dp);
150 SCJbSetString(jb,
"proto",
proto);
156 SCJbSetUint(jb,
"icmp_type", f->
icmp_s.type);
157 SCJbSetUint(jb,
"icmp_code", f->
icmp_s.code);
159 SCJbSetUint(jb,
"response_icmp_type", f->
icmp_d.type);
160 SCJbSetUint(jb,
"response_icmp_code", f->
icmp_d.code);
164 SCJbSetUint(jb,
"spi", f->
esp.spi);
199 SCJbOpenObject(js,
"bypassed");
214 SCJbSetString(js,
"start", timebuf1);
217 static void EveExceptionPolicyLog(SCJsonBuilder *js, uint16_t flag)
221 SCJbSetString(js,
"target",
223 SCJbSetString(js,
"policy",
230 SCJbSetString(js,
"target",
232 SCJbSetString(js,
"policy",
239 SCJbSetString(js,
"target",
241 SCJbSetString(js,
"policy",
251 SCJbSetString(js,
"policy",
260 SCJbSetString(js,
"policy",
267 SCJbSetString(js,
"target",
269 SCJbSetString(js,
"policy",
280 SCJbOpenObject(jb,
"flow");
285 SCJbSetString(jb,
"end", timebuf2);
288 SCJbSetUint(jb,
"age", age);
294 switch (flow_state) {
308 #ifdef CAPTURE_OFFLOAD
309 case FLOW_STATE_CAPTURE_BYPASSED:
316 SCLogDebug(
"invalid flow state: %d, contact developers", flow_state);
319 const char *reason = NULL;
321 reason =
"tcp_reuse";
331 SCJbSetString(jb,
"reason", reason);
348 SCJbOpenArray(jb,
"exception_policy");
359 if (f->
proto == IPPROTO_TCP) {
360 SCJbOpenObject(jb,
"tcp");
365 snprintf(hexflags,
sizeof(hexflags),
"%02x",
367 SCJbSetString(jb,
"tcp_flags", hexflags);
369 snprintf(hexflags,
sizeof(hexflags),
"%02x",
371 SCJbSetString(jb,
"tcp_flags_ts", hexflags);
373 snprintf(hexflags,
sizeof(hexflags),
"%02x",
375 SCJbSetString(jb,
"tcp_flags_tc", hexflags);
381 if (tcp_state != NULL)
382 SCJbSetString(jb,
"state", tcp_state);
410 MemBufferReset(thread->
buffer);
412 SCJsonBuilder *jb = CreateEveHeaderFromFlow(f);
417 EveFlowLogJSON(thread, jb, f);
struct Flow_::@118::@124 icmp_s
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
void EveAddFlow(Flow *f, SCJsonBuilder *js)
OutputJsonCommonSettings cfg
FlowStorageId GetFlowBypassInfoID(void)
void EveAddAppProto(Flow *f, SCJsonBuilder *js)
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
#define EXCEPTION_TARGET_FLAG_APPLAYER_ERROR
bool SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
const char * known_proto[256]
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
const char * ExceptionPolicyTargetFlagToString(uint8_t target_flag)
void JsonFlowLogRegister(void)
OutputInitResult OutputJsonLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx)
void OutputRegisterFlowSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Register a flow output sub-module.
@ FLOW_STATE_LOCAL_BYPASSED
#define EXCEPTION_TARGET_FLAG_DEFRAG_MEMCAP
enum ExceptionPolicy ExceptionPolicyTargetPolicy(uint8_t target_flag)
#define JB_SET_STRING(jb, key, val)
struct Flow_::@120::@126 icmp_d
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
union FlowAddress_::@117 address
Per thread variable structure.
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
#define FLOW_WRONG_THREAD
#define JB_SET_TRUE(jb, key)
struct Flow_::@118::@125 esp
#define FLOW_END_FLAG_TCPREUSE
#define FLOW_END_FLAG_EMERGENCY
#define STREAMTCP_STREAM_FLAG_HAS_GAP
#define EXCEPTION_TARGET_FLAG_REASSEMBLY_MEMCAP
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
#define EXCEPTION_TARGET_FLAG_MIDSTREAM
uint8_t applied_exception_policy
#define EXCEPTION_TARGET_FLAG_SESSION_MEMCAP
struct LiveDevice_ * livedev
#define FLOW_ACTION_ACCEPT
const char * ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_json)
#define FLOW_END_FLAG_SHUTDOWN
#define EXCEPTION_TARGET_FLAG_FLOW_MEMCAP
const char * StreamTcpStateAsString(const enum TcpState state)
uint16_t vlan_id[VLAN_MAX_LAYERS]
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
#define FLOW_END_FLAG_TIMEOUT
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
AppProto alproto
application level protocol
#define FLOW_END_FLAG_FORCED
#define FLOW_DIR_REVERSED
#define DEBUG_VALIDATE_BUG_ON(exp)