suricata
output-json-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements Flow JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 
41 #include "output.h"
42 #include "util-privs.h"
43 #include "util-buffer.h"
44 #include "util-proto-name.h"
45 #include "util-logopenfile.h"
46 #include "util-time.h"
47 #include "output-json.h"
48 #include "output-json-flow.h"
49 
50 #include "stream-tcp-private.h"
51 #include "flow-storage.h"
52 
53 #ifdef HAVE_LIBJANSSON
54 
55 typedef struct LogJsonFileCtx_ {
56  LogFileCtx *file_ctx;
57  uint32_t flags; /** Store mode */
58  OutputJsonCommonSettings cfg;
59 } LogJsonFileCtx;
60 
61 typedef struct JsonFlowLogThread_ {
62  LogJsonFileCtx *flowlog_ctx;
63  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
64  MemBuffer *buffer;
65 } JsonFlowLogThread;
66 
67 static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
68 {
69  char timebuf[64];
70  char srcip[46] = {0}, dstip[46] = {0};
71  Port sp, dp;
72 
73  json_t *js = json_object();
74  if (unlikely(js == NULL))
75  return NULL;
76 
77  struct timeval tv;
78  memset(&tv, 0x00, sizeof(tv));
79  TimeGet(&tv);
80 
81  CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));
82 
83  if ((f->flags & FLOW_DIR_REVERSED) == 0) {
84  if (FLOW_IS_IPV4(f)) {
85  PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
86  PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
87  } else if (FLOW_IS_IPV6(f)) {
88  PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
89  PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
90  }
91  sp = f->sp;
92  dp = f->dp;
93  } else {
94  if (FLOW_IS_IPV4(f)) {
95  PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip));
96  PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip));
97  } else if (FLOW_IS_IPV6(f)) {
98  PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip));
99  PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip));
100  }
101  sp = f->dp;
102  dp = f->sp;
103  }
104 
105  char proto[16];
106  if (SCProtoNameValid(f->proto) == TRUE) {
107  strlcpy(proto, known_proto[f->proto], sizeof(proto));
108  } else {
109  snprintf(proto, sizeof(proto), "%03" PRIu32, f->proto);
110  }
111 
112  /* time */
113  json_object_set_new(js, "timestamp", json_string(timebuf));
114 
115  CreateJSONFlowId(js, (const Flow *)f);
116 
117 #if 0 // TODO
118  /* sensor id */
119  if (sensor_id >= 0)
120  json_object_set_new(js, "sensor_id", json_integer(sensor_id));
121 #endif
122 
123  /* input interface */
124  if (f->livedev) {
125  json_object_set_new(js, "in_iface", json_string(f->livedev->dev));
126  }
127 
128  if (event_type) {
129  json_object_set_new(js, "event_type", json_string(event_type));
130  }
131 
132  /* vlan */
133  if (f->vlan_idx > 0) {
134  json_t *js_vlan = json_array();
135  json_array_append_new(js_vlan, json_integer(f->vlan_id[0]));
136  if (f->vlan_idx > 1) {
137  json_array_append_new(js_vlan, json_integer(f->vlan_id[1]));
138  }
139  json_object_set_new(js, "vlan", js_vlan);
140  }
141 
142  /* tuple */
143  json_object_set_new(js, "src_ip", json_string(srcip));
144  switch(f->proto) {
145  case IPPROTO_ICMP:
146  break;
147  case IPPROTO_UDP:
148  case IPPROTO_TCP:
149  case IPPROTO_SCTP:
150  json_object_set_new(js, "src_port", json_integer(sp));
151  break;
152  }
153  json_object_set_new(js, "dest_ip", json_string(dstip));
154  switch(f->proto) {
155  case IPPROTO_ICMP:
156  break;
157  case IPPROTO_UDP:
158  case IPPROTO_TCP:
159  case IPPROTO_SCTP:
160  json_object_set_new(js, "dest_port", json_integer(dp));
161  break;
162  }
163  json_object_set_new(js, "proto", json_string(proto));
164  switch (f->proto) {
165  case IPPROTO_ICMP:
166  case IPPROTO_ICMPV6:
167  json_object_set_new(js, "icmp_type",
168  json_integer(f->icmp_s.type));
169  json_object_set_new(js, "icmp_code",
170  json_integer(f->icmp_s.code));
171  if (f->tosrcpktcnt) {
172  json_object_set_new(js, "response_icmp_type",
173  json_integer(f->icmp_d.type));
174  json_object_set_new(js, "response_icmp_code",
175  json_integer(f->icmp_d.code));
176  }
177  break;
178  }
179  return js;
180 }
181 
182 void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
183 {
184  json_object_set_new(js, "app_proto",
185  json_string(AppProtoToString(f->alproto)));
186  if (f->alproto_ts != f->alproto) {
187  json_object_set_new(js, "app_proto_ts",
188  json_string(AppProtoToString(f->alproto_ts)));
189  }
190  if (f->alproto_tc != f->alproto) {
191  json_object_set_new(js, "app_proto_tc",
192  json_string(AppProtoToString(f->alproto_tc)));
193  }
194  if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
195  json_object_set_new(js, "app_proto_orig",
196  json_string(AppProtoToString(f->alproto_orig)));
197  }
198  if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
199  json_object_set_new(js, "app_proto_expected",
200  json_string(AppProtoToString(f->alproto_expect)));
201  }
202 
203  FlowBypassInfo *fc = FlowGetStorageById(f, GetFlowBypassInfoID());
204  if (fc) {
205  json_object_set_new(hjs, "pkts_toserver",
206  json_integer(f->todstpktcnt + fc->todstpktcnt));
207  json_object_set_new(hjs, "pkts_toclient",
208  json_integer(f->tosrcpktcnt + fc->tosrcpktcnt));
209  json_object_set_new(hjs, "bytes_toserver",
210  json_integer(f->todstbytecnt + fc->todstbytecnt));
211  json_object_set_new(hjs, "bytes_toclient",
212  json_integer(f->tosrcbytecnt + fc->tosrcbytecnt));
213  json_t *bhjs = json_object();
214  if (bhjs != NULL) {
215  json_object_set_new(bhjs, "pkts_toserver",
216  json_integer(fc->todstpktcnt));
217  json_object_set_new(bhjs, "pkts_toclient",
218  json_integer(fc->tosrcpktcnt));
219  json_object_set_new(bhjs, "bytes_toserver",
220  json_integer(fc->todstbytecnt));
221  json_object_set_new(bhjs, "bytes_toclient",
222  json_integer(fc->tosrcbytecnt));
223  json_object_set_new(hjs, "bypassed", bhjs);
224  }
225  } else {
226  json_object_set_new(hjs, "pkts_toserver",
227  json_integer(f->todstpktcnt));
228  json_object_set_new(hjs, "pkts_toclient",
229  json_integer(f->tosrcpktcnt));
230  json_object_set_new(hjs, "bytes_toserver",
231  json_integer(f->todstbytecnt));
232  json_object_set_new(hjs, "bytes_toclient",
233  json_integer(f->tosrcbytecnt));
234  }
235 
236  char timebuf1[64];
237  CreateIsoTimeString(&f->startts, timebuf1, sizeof(timebuf1));
238  json_object_set_new(hjs, "start", json_string(timebuf1));
239 }
240 
241 /* JSON format logging */
242 static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
243 {
244  LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;
245  json_t *hjs = json_object();
246  if (hjs == NULL) {
247  return;
248  }
249 
250  JsonAddFlow(f, js, hjs);
251 
252  char timebuf2[64];
253  CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
254  json_object_set_new(hjs, "end", json_string(timebuf2));
255 
256  int32_t age = f->lastts.tv_sec - f->startts.tv_sec;
257  json_object_set_new(hjs, "age",
258  json_integer(age));
259 
260  if (f->flow_end_flags & FLOW_END_FLAG_EMERGENCY)
261  json_object_set_new(hjs, "emergency", json_true());
262  const char *state = NULL;
263  if (f->flow_end_flags & FLOW_END_FLAG_STATE_NEW)
264  state = "new";
265  else if (f->flow_end_flags & FLOW_END_FLAG_STATE_ESTABLISHED)
266  state = "established";
267  else if (f->flow_end_flags & FLOW_END_FLAG_STATE_CLOSED)
268  state = "closed";
269  else if (f->flow_end_flags & FLOW_END_FLAG_STATE_BYPASSED) {
270  state = "bypassed";
271  int flow_state = SC_ATOMIC_GET(f->flow_state);
272  switch (flow_state) {
273  case FLOW_STATE_LOCAL_BYPASSED:
274  json_object_set_new(hjs, "bypass",
275  json_string("local"));
276  break;
277  case FLOW_STATE_CAPTURE_BYPASSED:
278  json_object_set_new(hjs, "bypass",
279  json_string("capture"));
280  break;
281  default:
282  SCLogError(SC_ERR_INVALID_VALUE,
283  "Invalid flow state: %d, contact developers",
284  flow_state);
285  }
286  }
287 
288  json_object_set_new(hjs, "state",
289  json_string(state));
290 
291  const char *reason = NULL;
292  if (f->flow_end_flags & FLOW_END_FLAG_TIMEOUT)
293  reason = "timeout";
294  else if (f->flow_end_flags & FLOW_END_FLAG_FORCED)
295  reason = "forced";
296  else if (f->flow_end_flags & FLOW_END_FLAG_SHUTDOWN)
297  reason = "shutdown";
298 
299  json_object_set_new(hjs, "reason",
300  json_string(reason));
301 
302  json_object_set_new(hjs, "alerted", json_boolean(FlowHasAlerts(f)));
303  if (f->flags & FLOW_WRONG_THREAD)
304  json_object_set_new(hjs, "wrong_thread", json_true());
305 
306  json_object_set_new(js, "flow", hjs);
307 
308  JsonAddCommonOptions(&flow_ctx->cfg, NULL, f, js);
309 
310  /* TCP */
311  if (f->proto == IPPROTO_TCP) {
312  json_t *tjs = json_object();
313  if (tjs == NULL) {
314  return;
315  }
316 
317  TcpSession *ssn = f->protoctx;
318 
319  char hexflags[3];
320  snprintf(hexflags, sizeof(hexflags), "%02x",
321  ssn ? ssn->tcp_packet_flags : 0);
322  json_object_set_new(tjs, "tcp_flags", json_string(hexflags));
323 
324  snprintf(hexflags, sizeof(hexflags), "%02x",
325  ssn ? ssn->client.tcp_flags : 0);
326  json_object_set_new(tjs, "tcp_flags_ts", json_string(hexflags));
327 
328  snprintf(hexflags, sizeof(hexflags), "%02x",
329  ssn ? ssn->server.tcp_flags : 0);
330  json_object_set_new(tjs, "tcp_flags_tc", json_string(hexflags));
331 
332  JsonTcpFlags(ssn ? ssn->tcp_packet_flags : 0, tjs);
333 
334  if (ssn) {
335  const char *tcp_state = NULL;
336  switch (ssn->state) {
337  case TCP_NONE:
338  tcp_state = "none";
339  break;
340  case TCP_LISTEN:
341  tcp_state = "listen";
342  break;
343  case TCP_SYN_SENT:
344  tcp_state = "syn_sent";
345  break;
346  case TCP_SYN_RECV:
347  tcp_state = "syn_recv";
348  break;
349  case TCP_ESTABLISHED:
350  tcp_state = "established";
351  break;
352  case TCP_FIN_WAIT1:
353  tcp_state = "fin_wait1";
354  break;
355  case TCP_FIN_WAIT2:
356  tcp_state = "fin_wait2";
357  break;
358  case TCP_TIME_WAIT:
359  tcp_state = "time_wait";
360  break;
361  case TCP_LAST_ACK:
362  tcp_state = "last_ack";
363  break;
364  case TCP_CLOSE_WAIT:
365  tcp_state = "close_wait";
366  break;
367  case TCP_CLOSING:
368  tcp_state = "closing";
369  break;
370  case TCP_CLOSED:
371  tcp_state = "closed";
372  break;
373  }
374  json_object_set_new(tjs, "state", json_string(tcp_state));
375  if (ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP)
376  json_object_set_new(tjs, "gap_ts", json_true());
377  if (ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP)
378  json_object_set_new(tjs, "gap_tc", json_true());
379  }
380 
381  json_object_set_new(js, "tcp", tjs);
382  }
383 }
384 
385 static int JsonFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
386 {
387  SCEnter();
388  JsonFlowLogThread *jhl = (JsonFlowLogThread *)thread_data;
389 
390  /* reset */
391  MemBufferReset(jhl->buffer);
392 
393  json_t *js = CreateJSONHeaderFromFlow(f, "flow");
394  if (unlikely(js == NULL))
395  return TM_ECODE_OK;
396 
397  JsonFlowLogJSON(jhl, js, f);
398 
399  OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, &jhl->buffer);
400  json_object_del(js, "http");
401 
402  json_object_clear(js);
403  json_decref(js);
404 
405  SCReturnInt(TM_ECODE_OK);
406 }
407 
408 static void OutputFlowLogDeinit(OutputCtx *output_ctx)
409 {
410  LogJsonFileCtx *flow_ctx = output_ctx->data;
411  LogFileCtx *logfile_ctx = flow_ctx->file_ctx;
412  LogFileFreeCtx(logfile_ctx);
413  SCFree(flow_ctx);
414  SCFree(output_ctx);
415 }
416 
417 #define DEFAULT_LOG_FILENAME "flow.json"
418 static OutputInitResult OutputFlowLogInit(ConfNode *conf)
419 {
420  OutputInitResult result = { NULL, false };
421  LogFileCtx *file_ctx = LogFileNewCtx();
422  if(file_ctx == NULL) {
423  SCLogError(SC_ERR_FLOW_LOG_GENERIC, "couldn't create new file_ctx");
424  return result;
425  }
426 
427  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
428  LogFileFreeCtx(file_ctx);
429  return result;
430  }
431 
432  LogJsonFileCtx *flow_ctx = SCMalloc(sizeof(LogJsonFileCtx));
433  if (unlikely(flow_ctx == NULL)) {
434  LogFileFreeCtx(file_ctx);
435  return result;
436  }
437 
438  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
439  if (unlikely(output_ctx == NULL)) {
440  LogFileFreeCtx(file_ctx);
441  SCFree(flow_ctx);
442  return result;
443  }
444 
445  flow_ctx->file_ctx = file_ctx;
446  output_ctx->data = flow_ctx;
447  output_ctx->DeInit = OutputFlowLogDeinit;
448 
449  result.ctx = output_ctx;
450  result.ok = true;
451  return result;
452 }
453 
454 static void OutputFlowLogDeinitSub(OutputCtx *output_ctx)
455 {
456  LogJsonFileCtx *flow_ctx = output_ctx->data;
457  SCFree(flow_ctx);
458  SCFree(output_ctx);
459 }
460 
461 static OutputInitResult OutputFlowLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
462 {
463  OutputInitResult result = { NULL, false };
464  OutputJsonCtx *ojc = parent_ctx->data;
465 
466  LogJsonFileCtx *flow_ctx = SCMalloc(sizeof(LogJsonFileCtx));
467  if (unlikely(flow_ctx == NULL))
468  return result;
469 
470  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
471  if (unlikely(output_ctx == NULL)) {
472  SCFree(flow_ctx);
473  return result;
474  }
475 
476  flow_ctx->file_ctx = ojc->file_ctx;
477  flow_ctx->cfg = ojc->cfg;
478 
479  output_ctx->data = flow_ctx;
480  output_ctx->DeInit = OutputFlowLogDeinitSub;
481 
482  result.ctx = output_ctx;
483  result.ok = true;
484  return result;
485 }
486 
487 #define OUTPUT_BUFFER_SIZE 65535
488 static TmEcode JsonFlowLogThreadInit(ThreadVars *t, const void *initdata, void **data)
489 {
490  JsonFlowLogThread *aft = SCMalloc(sizeof(JsonFlowLogThread));
491  if (unlikely(aft == NULL))
492  return TM_ECODE_FAILED;
493  memset(aft, 0, sizeof(JsonFlowLogThread));
494 
495  if(initdata == NULL)
496  {
497  SCLogDebug("Error getting context for EveLogFlow. \"initdata\" argument NULL");
498  SCFree(aft);
499  return TM_ECODE_FAILED;
500  }
501 
502  /* Use the Ouptut Context (file pointer and mutex) */
503  aft->flowlog_ctx = ((OutputCtx *)initdata)->data; //TODO
504 
505  aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
506  if (aft->buffer == NULL) {
507  SCFree(aft);
508  return TM_ECODE_FAILED;
509  }
510 
511  *data = (void *)aft;
512  return TM_ECODE_OK;
513 }
514 
515 static TmEcode JsonFlowLogThreadDeinit(ThreadVars *t, void *data)
516 {
517  JsonFlowLogThread *aft = (JsonFlowLogThread *)data;
518  if (aft == NULL) {
519  return TM_ECODE_OK;
520  }
521 
522  MemBufferFree(aft->buffer);
523  /* clear memory */
524  memset(aft, 0, sizeof(JsonFlowLogThread));
525 
526  SCFree(aft);
527  return TM_ECODE_OK;
528 }
529 
530 void JsonFlowLogRegister (void)
531 {
532  /* register as separate module */
533  OutputRegisterFlowModule(LOGGER_JSON_FLOW, "JsonFlowLog", "flow-json-log",
534  OutputFlowLogInit, JsonFlowLogger, JsonFlowLogThreadInit,
535  JsonFlowLogThreadDeinit, NULL);
536 
537  /* also register as child of eve-log */
538  OutputRegisterFlowSubModule(LOGGER_JSON_FLOW, "eve-log", "JsonFlowLog",
539  "eve-log.flow", OutputFlowLogInitSub, JsonFlowLogger,
540  JsonFlowLogThreadInit, JsonFlowLogThreadDeinit, NULL);
541 }
542 
543 #else
544 
545 void JsonFlowLogRegister (void)
546 {
547 }
548 
549 #endif
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:418
Flow_::icmp_s
struct Flow_::@116::@120 icmp_s
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
FLOW_IS_IPV4
#define FLOW_IS_IPV4(f)
Definition: flow.h:134
known_proto
char * known_proto[256]
Definition: util-proto-name.h:35
flags
uint16_t flags
Definition: app-layer-dns-common.h:269
JsonFlowLogRegister
void JsonFlowLogRegister(void)
Definition: output-json-flow.c:545
TcpSession_
Definition: stream-tcp-private.h:257
SCProtoNameValid
uint8_t SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:94
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
FlowBypassInfo_::tosrcbytecnt
uint64_t tosrcbytecnt
Definition: flow.h:490
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:411
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputCtx_
Definition: tm-modules.h:78
Flow_::todstbytecnt
uint64_t todstbytecnt
Definition: flow.h:462
event_type
uint32_t event_type
Definition: alert-unified2-alert.c:84
Flow_::proto
uint8_t proto
Definition: flow.h:344
Flow_::sp
Port sp
Definition: flow.h:331
FLOW_END_FLAG_STATE_ESTABLISHED
#define FLOW_END_FLAG_STATE_ESTABLISHED
Definition: flow.h:210
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:195
FlowHasAlerts
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
Definition: flow.c:208
FLOW_END_FLAG_TIMEOUT
#define FLOW_END_FLAG_TIMEOUT
Definition: flow.h:213
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
FLOW_END_FLAG_FORCED
#define FLOW_END_FLAG_FORCED
Definition: flow.h:214
FLOW_DIR_REVERSED
#define FLOW_DIR_REVERSED
Definition: flow.h:106
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
Flow_::startts
struct timeval startts
Definition: flow.h:458
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
Flow_::todstpktcnt
uint32_t todstpktcnt
Definition: flow.h:460
FLOW_END_FLAG_STATE_BYPASSED
#define FLOW_END_FLAG_STATE_BYPASSED
Definition: flow.h:216
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:269
TRUE
#define TRUE
Definition: suricata-common.h:33
FlowBypassInfo_::todstpktcnt
uint64_t todstpktcnt
Definition: flow.h:491
Flow_::protoctx
void * protoctx
Definition: flow.h:400
OutputInitResult_
Definition: output.h:41
Flow_::dst
FlowAddress dst
Definition: flow.h:329
FlowBypassInfo_::todstbytecnt
uint64_t todstbytecnt
Definition: flow.h:492
LiveDevice_::dev
char * dev
Definition: util-device.h:41
OutputRegisterFlowModule
void OutputRegisterFlowModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a flow output module.
Definition: output.c:579
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:415
Flow_::vlan_id
uint16_t vlan_id[2]
Definition: flow.h:346
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:410
Flow_::tosrcbytecnt
uint64_t tosrcbytecnt
Definition: flow.h:463
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:197
FLOW_END_FLAG_STATE_NEW
#define FLOW_END_FLAG_STATE_NEW
Definition: flow.h:209
CreateIsoTimeString
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:187
FlowAddress_::address
union FlowAddress_::@115 address
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:146
OutputInitResult_::ok
bool ok
Definition: output.h:43
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:268
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
TcpStream_::tcp_flags
uint8_t tcp_flags
Definition: stream-tcp-private.h:99
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:519
FLOW_END_FLAG_STATE_CLOSED
#define FLOW_END_FLAG_STATE_CLOSED
Definition: flow.h:211
Flow_::vlan_idx
uint8_t vlan_idx
Definition: flow.h:347
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:305
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
proto
uint8_t proto
Definition: decode-template.h:50
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Flow_::livedev
struct LiveDevice_ * livedev
Definition: flow.h:350
Port
uint16_t Port
Definition: decode.h:233
Flow_::lastts
struct timeval lastts
Definition: flow.h:358
Flow_::flow_end_flags
uint8_t flow_end_flags
Definition: flow.h:406
OutputRegisterFlowSubModule
void OutputRegisterFlowSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a flow output sub-module.
Definition: output.c:618
ConfNode_
Definition: conf.h:32
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: alert-debuglog.c:59
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:541
SCFree
#define SCFree(a)
Definition: util-mem.h:228
Flow_::dp
Port dp
Definition: flow.h:338
FLOW_IS_IPV6
#define FLOW_IS_IPV6(f)
Definition: flow.h:136
FLOW_END_FLAG_EMERGENCY
#define FLOW_END_FLAG_EMERGENCY
Definition: flow.h:212
FLOW_WRONG_THREAD
#define FLOW_WRONG_THREAD
Definition: flow.h:104
OutputCtx_::data
void * data
Definition: tm-modules.h:81
FlowBypassInfo_::tosrcpktcnt
uint64_t tosrcpktcnt
Definition: flow.h:489
Flow_::icmp_d
struct Flow_::@118::@121 icmp_d
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:192
FlowGetStorageById
void * FlowGetStorageById(Flow *f, int id)
Definition: flow-storage.c:39
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:259
Flow_::src
FlowAddress src
Definition: flow.h:329
GetFlowBypassInfoID
int GetFlowBypassInfoID(void)
Definition: flow-util.c:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
FLOW_END_FLAG_SHUTDOWN
#define FLOW_END_FLAG_SHUTDOWN
Definition: flow.h:215
TcpSession_::tcp_packet_flags
uint8_t tcp_packet_flags
Definition: stream-tcp-private.h:264
MemBuffer_
Definition: util-buffer.h:27
OUTPUT_BUFFER_SIZE
#define OUTPUT_BUFFER_SIZE
Definition: log-httplog.c:58
FlowBypassInfo_
Definition: flow.h:485
Flow_
Flow data structure.
Definition: flow.h:325
LogFileCtx_
Definition: util-logopenfile.h:52
Flow_::flags
uint32_t flags
Definition: flow.h:379
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
Flow_::tosrcpktcnt
uint32_t tosrcpktcnt
Definition: flow.h:461