suricata
output-json-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements Flow JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 
41 #include "output.h"
42 #include "util-privs.h"
43 #include "util-buffer.h"
44 #include "util-proto-name.h"
45 #include "util-logopenfile.h"
46 #include "util-time.h"
47 #include "output-json.h"
48 #include "output-json-flow.h"
49 
50 #include "stream-tcp-private.h"
51 #include "flow-storage.h"
52 
53 typedef struct LogJsonFileCtx_ {
54  LogFileCtx *file_ctx;
55  uint32_t flags; /** Store mode */
56  OutputJsonCommonSettings cfg;
57 } LogJsonFileCtx;
58 
59 typedef struct JsonFlowLogThread_ {
60  LogJsonFileCtx *flowlog_ctx;
61  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
62  MemBuffer *buffer;
63 } JsonFlowLogThread;
64 
65 static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
66 {
67  char timebuf[64];
68  char srcip[46] = {0}, dstip[46] = {0};
69  Port sp, dp;
70 
71  json_t *js = json_object();
72  if (unlikely(js == NULL))
73  return NULL;
74 
75  struct timeval tv;
76  memset(&tv, 0x00, sizeof(tv));
77  TimeGet(&tv);
78 
79  CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));
80 
81  if ((f->flags & FLOW_DIR_REVERSED) == 0) {
82  if (FLOW_IS_IPV4(f)) {
83  PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
84  PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
85  } else if (FLOW_IS_IPV6(f)) {
86  PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
87  PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
88  }
89  sp = f->sp;
90  dp = f->dp;
91  } else {
92  if (FLOW_IS_IPV4(f)) {
93  PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip));
94  PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip));
95  } else if (FLOW_IS_IPV6(f)) {
96  PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip));
97  PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip));
98  }
99  sp = f->dp;
100  dp = f->sp;
101  }
102 
103  char proto[16];
104  if (SCProtoNameValid(f->proto) == TRUE) {
105  strlcpy(proto, known_proto[f->proto], sizeof(proto));
106  } else {
107  snprintf(proto, sizeof(proto), "%03" PRIu32, f->proto);
108  }
109 
110  /* time */
111  json_object_set_new(js, "timestamp", json_string(timebuf));
112 
113  CreateJSONFlowId(js, (const Flow *)f);
114 
115 #if 0 // TODO
116  /* sensor id */
117  if (sensor_id >= 0)
118  json_object_set_new(js, "sensor_id", json_integer(sensor_id));
119 #endif
120 
121  /* input interface */
122  if (f->livedev) {
123  json_object_set_new(js, "in_iface", json_string(f->livedev->dev));
124  }
125 
126  if (event_type) {
127  json_object_set_new(js, "event_type", json_string(event_type));
128  }
129 
130  /* vlan */
131  if (f->vlan_idx > 0) {
132  json_t *js_vlan = json_array();
133  json_array_append_new(js_vlan, json_integer(f->vlan_id[0]));
134  if (f->vlan_idx > 1) {
135  json_array_append_new(js_vlan, json_integer(f->vlan_id[1]));
136  }
137  json_object_set_new(js, "vlan", js_vlan);
138  }
139 
140  /* tuple */
141  json_object_set_new(js, "src_ip", json_string(srcip));
142  switch(f->proto) {
143  case IPPROTO_ICMP:
144  break;
145  case IPPROTO_UDP:
146  case IPPROTO_TCP:
147  case IPPROTO_SCTP:
148  json_object_set_new(js, "src_port", json_integer(sp));
149  break;
150  }
151  json_object_set_new(js, "dest_ip", json_string(dstip));
152  switch(f->proto) {
153  case IPPROTO_ICMP:
154  break;
155  case IPPROTO_UDP:
156  case IPPROTO_TCP:
157  case IPPROTO_SCTP:
158  json_object_set_new(js, "dest_port", json_integer(dp));
159  break;
160  }
161  json_object_set_new(js, "proto", json_string(proto));
162  switch (f->proto) {
163  case IPPROTO_ICMP:
164  case IPPROTO_ICMPV6:
165  json_object_set_new(js, "icmp_type",
166  json_integer(f->icmp_s.type));
167  json_object_set_new(js, "icmp_code",
168  json_integer(f->icmp_s.code));
169  if (f->tosrcpktcnt) {
170  json_object_set_new(js, "response_icmp_type",
171  json_integer(f->icmp_d.type));
172  json_object_set_new(js, "response_icmp_code",
173  json_integer(f->icmp_d.code));
174  }
175  break;
176  }
177  return js;
178 }
179 
180 void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
181 {
182  json_object_set_new(js, "app_proto",
183  json_string(AppProtoToString(f->alproto)));
184  if (f->alproto_ts != f->alproto) {
185  json_object_set_new(js, "app_proto_ts",
186  json_string(AppProtoToString(f->alproto_ts)));
187  }
188  if (f->alproto_tc != f->alproto) {
189  json_object_set_new(js, "app_proto_tc",
190  json_string(AppProtoToString(f->alproto_tc)));
191  }
192  if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
193  json_object_set_new(js, "app_proto_orig",
194  json_string(AppProtoToString(f->alproto_orig)));
195  }
196  if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
197  json_object_set_new(js, "app_proto_expected",
198  json_string(AppProtoToString(f->alproto_expect)));
199  }
200 
201  FlowBypassInfo *fc = FlowGetStorageById(f, GetFlowBypassInfoID());
202  if (fc) {
203  json_object_set_new(hjs, "pkts_toserver",
204  json_integer(f->todstpktcnt + fc->todstpktcnt));
205  json_object_set_new(hjs, "pkts_toclient",
206  json_integer(f->tosrcpktcnt + fc->tosrcpktcnt));
207  json_object_set_new(hjs, "bytes_toserver",
208  json_integer(f->todstbytecnt + fc->todstbytecnt));
209  json_object_set_new(hjs, "bytes_toclient",
210  json_integer(f->tosrcbytecnt + fc->tosrcbytecnt));
211  json_t *bhjs = json_object();
212  if (bhjs != NULL) {
213  json_object_set_new(bhjs, "pkts_toserver",
214  json_integer(fc->todstpktcnt));
215  json_object_set_new(bhjs, "pkts_toclient",
216  json_integer(fc->tosrcpktcnt));
217  json_object_set_new(bhjs, "bytes_toserver",
218  json_integer(fc->todstbytecnt));
219  json_object_set_new(bhjs, "bytes_toclient",
220  json_integer(fc->tosrcbytecnt));
221  json_object_set_new(hjs, "bypassed", bhjs);
222  }
223  } else {
224  json_object_set_new(hjs, "pkts_toserver",
225  json_integer(f->todstpktcnt));
226  json_object_set_new(hjs, "pkts_toclient",
227  json_integer(f->tosrcpktcnt));
228  json_object_set_new(hjs, "bytes_toserver",
229  json_integer(f->todstbytecnt));
230  json_object_set_new(hjs, "bytes_toclient",
231  json_integer(f->tosrcbytecnt));
232  }
233 
234  char timebuf1[64];
235  CreateIsoTimeString(&f->startts, timebuf1, sizeof(timebuf1));
236  json_object_set_new(hjs, "start", json_string(timebuf1));
237 }
238 
239 /* JSON format logging */
240 static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
241 {
242  LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;
243  json_t *hjs = json_object();
244  if (hjs == NULL) {
245  return;
246  }
247 
248  JsonAddFlow(f, js, hjs);
249 
250  char timebuf2[64];
251  CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
252  json_object_set_new(hjs, "end", json_string(timebuf2));
253 
254  int32_t age = f->lastts.tv_sec - f->startts.tv_sec;
255  json_object_set_new(hjs, "age",
256  json_integer(age));
257 
258  if (f->flow_end_flags & FLOW_END_FLAG_EMERGENCY)
259  json_object_set_new(hjs, "emergency", json_true());
260  const char *state = NULL;
261  if (f->flow_end_flags & FLOW_END_FLAG_STATE_NEW)
262  state = "new";
263  else if (f->flow_end_flags & FLOW_END_FLAG_STATE_ESTABLISHED)
264  state = "established";
265  else if (f->flow_end_flags & FLOW_END_FLAG_STATE_CLOSED)
266  state = "closed";
267  else if (f->flow_end_flags & FLOW_END_FLAG_STATE_BYPASSED) {
268  state = "bypassed";
269  int flow_state = SC_ATOMIC_GET(f->flow_state);
270  switch (flow_state) {
271  case FLOW_STATE_LOCAL_BYPASSED:
272  json_object_set_new(hjs, "bypass",
273  json_string("local"));
274  break;
275 #ifdef CAPTURE_OFFLOAD
276  case FLOW_STATE_CAPTURE_BYPASSED:
277  json_object_set_new(hjs, "bypass",
278  json_string("capture"));
279  break;
280 #endif
281  default:
282  SCLogError(SC_ERR_INVALID_VALUE,
283  "Invalid flow state: %d, contact developers",
284  flow_state);
285  }
286  }
287 
288  json_object_set_new(hjs, "state",
289  json_string(state));
290 
291  const char *reason = NULL;
292  if (f->flow_end_flags & FLOW_END_FLAG_TIMEOUT)
293  reason = "timeout";
294  else if (f->flow_end_flags & FLOW_END_FLAG_FORCED)
295  reason = "forced";
296  else if (f->flow_end_flags & FLOW_END_FLAG_SHUTDOWN)
297  reason = "shutdown";
298 
299  json_object_set_new(hjs, "reason",
300  json_string(reason));
301 
302  json_object_set_new(hjs, "alerted", json_boolean(FlowHasAlerts(f)));
303  if (f->flags & FLOW_WRONG_THREAD)
304  json_object_set_new(hjs, "wrong_thread", json_true());
305 
306  json_object_set_new(js, "flow", hjs);
307 
308  JsonAddCommonOptions(&flow_ctx->cfg, NULL, f, js);
309 
310  /* TCP */
311  if (f->proto == IPPROTO_TCP) {
312  json_t *tjs = json_object();
313  if (tjs == NULL) {
314  return;
315  }
316 
317  TcpSession *ssn = f->protoctx;
318 
319  char hexflags[3];
320  snprintf(hexflags, sizeof(hexflags), "%02x",
321  ssn ? ssn->tcp_packet_flags : 0);
322  json_object_set_new(tjs, "tcp_flags", json_string(hexflags));
323 
324  snprintf(hexflags, sizeof(hexflags), "%02x",
325  ssn ? ssn->client.tcp_flags : 0);
326  json_object_set_new(tjs, "tcp_flags_ts", json_string(hexflags));
327 
328  snprintf(hexflags, sizeof(hexflags), "%02x",
329  ssn ? ssn->server.tcp_flags : 0);
330  json_object_set_new(tjs, "tcp_flags_tc", json_string(hexflags));
331 
332  JsonTcpFlags(ssn ? ssn->tcp_packet_flags : 0, tjs);
333 
334  if (ssn) {
335  const char *tcp_state = NULL;
336  switch (ssn->state) {
337  case TCP_NONE:
338  tcp_state = "none";
339  break;
340  case TCP_LISTEN:
341  tcp_state = "listen";
342  break;
343  case TCP_SYN_SENT:
344  tcp_state = "syn_sent";
345  break;
346  case TCP_SYN_RECV:
347  tcp_state = "syn_recv";
348  break;
349  case TCP_ESTABLISHED:
350  tcp_state = "established";
351  break;
352  case TCP_FIN_WAIT1:
353  tcp_state = "fin_wait1";
354  break;
355  case TCP_FIN_WAIT2:
356  tcp_state = "fin_wait2";
357  break;
358  case TCP_TIME_WAIT:
359  tcp_state = "time_wait";
360  break;
361  case TCP_LAST_ACK:
362  tcp_state = "last_ack";
363  break;
364  case TCP_CLOSE_WAIT:
365  tcp_state = "close_wait";
366  break;
367  case TCP_CLOSING:
368  tcp_state = "closing";
369  break;
370  case TCP_CLOSED:
371  tcp_state = "closed";
372  break;
373  }
374  json_object_set_new(tjs, "state", json_string(tcp_state));
375  if (ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP)
376  json_object_set_new(tjs, "gap_ts", json_true());
377  if (ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP)
378  json_object_set_new(tjs, "gap_tc", json_true());
379  }
380 
381  json_object_set_new(js, "tcp", tjs);
382  }
383 }
384 
385 static int JsonFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
386 {
387  SCEnter();
388  JsonFlowLogThread *jhl = (JsonFlowLogThread *)thread_data;
389 
390  /* reset */
391  MemBufferReset(jhl->buffer);
392 
393  json_t *js = CreateJSONHeaderFromFlow(f, "flow");
394  if (unlikely(js == NULL))
395  return TM_ECODE_OK;
396 
397  JsonFlowLogJSON(jhl, js, f);
398 
399  OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, &jhl->buffer);
400  json_object_del(js, "http");
401 
402  json_object_clear(js);
403  json_decref(js);
404 
405  SCReturnInt(TM_ECODE_OK);
406 }
407 
408 static void OutputFlowLogDeinit(OutputCtx *output_ctx)
409 {
410  LogJsonFileCtx *flow_ctx = output_ctx->data;
411  LogFileCtx *logfile_ctx = flow_ctx->file_ctx;
412  LogFileFreeCtx(logfile_ctx);
413  SCFree(flow_ctx);
414  SCFree(output_ctx);
415 }
416 
417 #define DEFAULT_LOG_FILENAME "flow.json"
418 static OutputInitResult OutputFlowLogInit(ConfNode *conf)
419 {
420  OutputInitResult result = { NULL, false };
421  LogFileCtx *file_ctx = LogFileNewCtx();
422  if(file_ctx == NULL) {
423  SCLogError(SC_ERR_FLOW_LOG_GENERIC, "couldn't create new file_ctx");
424  return result;
425  }
426 
427  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
428  LogFileFreeCtx(file_ctx);
429  return result;
430  }
431 
432  LogJsonFileCtx *flow_ctx = SCMalloc(sizeof(LogJsonFileCtx));
433  if (unlikely(flow_ctx == NULL)) {
434  LogFileFreeCtx(file_ctx);
435  return result;
436  }
437 
438  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
439  if (unlikely(output_ctx == NULL)) {
440  LogFileFreeCtx(file_ctx);
441  SCFree(flow_ctx);
442  return result;
443  }
444 
445  flow_ctx->file_ctx = file_ctx;
446  output_ctx->data = flow_ctx;
447  output_ctx->DeInit = OutputFlowLogDeinit;
448 
449  result.ctx = output_ctx;
450  result.ok = true;
451  return result;
452 }
453 
454 static void OutputFlowLogDeinitSub(OutputCtx *output_ctx)
455 {
456  LogJsonFileCtx *flow_ctx = output_ctx->data;
457  SCFree(flow_ctx);
458  SCFree(output_ctx);
459 }
460 
461 static OutputInitResult OutputFlowLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
462 {
463  OutputInitResult result = { NULL, false };
464  OutputJsonCtx *ojc = parent_ctx->data;
465 
466  LogJsonFileCtx *flow_ctx = SCMalloc(sizeof(LogJsonFileCtx));
467  if (unlikely(flow_ctx == NULL))
468  return result;
469 
470  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
471  if (unlikely(output_ctx == NULL)) {
472  SCFree(flow_ctx);
473  return result;
474  }
475 
476  flow_ctx->file_ctx = ojc->file_ctx;
477  flow_ctx->cfg = ojc->cfg;
478 
479  output_ctx->data = flow_ctx;
480  output_ctx->DeInit = OutputFlowLogDeinitSub;
481 
482  result.ctx = output_ctx;
483  result.ok = true;
484  return result;
485 }
486 
487 static TmEcode JsonFlowLogThreadInit(ThreadVars *t, const void *initdata, void **data)
488 {
489  JsonFlowLogThread *aft = SCMalloc(sizeof(JsonFlowLogThread));
490  if (unlikely(aft == NULL))
491  return TM_ECODE_FAILED;
492  memset(aft, 0, sizeof(JsonFlowLogThread));
493 
494  if(initdata == NULL)
495  {
496  SCLogDebug("Error getting context for EveLogFlow. \"initdata\" argument NULL");
497  SCFree(aft);
498  return TM_ECODE_FAILED;
499  }
500 
501  /* Use the Ouptut Context (file pointer and mutex) */
502  aft->flowlog_ctx = ((OutputCtx *)initdata)->data; //TODO
503 
504  aft->buffer = MemBufferCreateNew(JSON_OUTPUT_BUFFER_SIZE);
505  if (aft->buffer == NULL) {
506  SCFree(aft);
507  return TM_ECODE_FAILED;
508  }
509 
510  *data = (void *)aft;
511  return TM_ECODE_OK;
512 }
513 
514 static TmEcode JsonFlowLogThreadDeinit(ThreadVars *t, void *data)
515 {
516  JsonFlowLogThread *aft = (JsonFlowLogThread *)data;
517  if (aft == NULL) {
518  return TM_ECODE_OK;
519  }
520 
521  MemBufferFree(aft->buffer);
522  /* clear memory */
523  memset(aft, 0, sizeof(JsonFlowLogThread));
524 
525  SCFree(aft);
526  return TM_ECODE_OK;
527 }
528 
529 void JsonFlowLogRegister (void)
530 {
531  /* register as separate module */
532  OutputRegisterFlowModule(LOGGER_JSON_FLOW, "JsonFlowLog", "flow-json-log",
533  OutputFlowLogInit, JsonFlowLogger, JsonFlowLogThreadInit,
534  JsonFlowLogThreadDeinit, NULL);
535 
536  /* also register as child of eve-log */
537  OutputRegisterFlowSubModule(LOGGER_JSON_FLOW, "eve-log", "JsonFlowLog",
538  "eve-log.flow", OutputFlowLogInitSub, JsonFlowLogger,
539  JsonFlowLogThreadInit, JsonFlowLogThreadDeinit, NULL);
540 }
Flow_::alproto_expect
AppProto alproto_expect
Definition: flow.h:418
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
FLOW_IS_IPV4
#define FLOW_IS_IPV4(f)
Definition: flow.h:134
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:44
known_proto
char * known_proto[256]
Definition: util-proto-name.h:35
JsonFlowLogRegister
void JsonFlowLogRegister(void)
Definition: output-json-flow.c:529
TcpSession_
Definition: stream-tcp-private.h:259
SCProtoNameValid
uint8_t SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:94
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
FlowBypassInfo_::tosrcbytecnt
uint64_t tosrcbytecnt
Definition: flow.h:492
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:809
OutputJsonCommonSettings_
Definition: output-json.h:69
Flow_::alproto_tc
AppProto alproto_tc
Definition: flow.h:411
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputCtx_
Definition: tm-modules.h:78
LogJsonFileCtx_::flags
uint32_t flags
Definition: output-json-flow.c:55
Flow_::todstbytecnt
uint64_t todstbytecnt
Definition: flow.h:462
event_type
uint32_t event_type
Definition: alert-unified2-alert.c:84
Flow_::proto
uint8_t proto
Definition: flow.h:344
Flow_::sp
Port sp
Definition: flow.h:331
FLOW_END_FLAG_STATE_ESTABLISHED
#define FLOW_END_FLAG_STATE_ESTABLISHED
Definition: flow.h:210
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
STREAMTCP_STREAM_FLAG_GAP
#define STREAMTCP_STREAM_FLAG_GAP
Definition: stream-tcp-private.h:197
FlowHasAlerts
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
Definition: flow.c:208
FLOW_END_FLAG_TIMEOUT
#define FLOW_END_FLAG_TIMEOUT
Definition: flow.h:213
MemBufferReset
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
JsonFlowLogThread_::buffer
MemBuffer * buffer
Definition: output-json-flow.c:62
FLOW_END_FLAG_FORCED
#define FLOW_END_FLAG_FORCED
Definition: flow.h:214
FLOW_DIR_REVERSED
#define FLOW_DIR_REVERSED
Definition: flow.h:106
Flow_::icmp_s
struct Flow_::@121::@125 icmp_s
JsonFlowLogThread_::flowlog_ctx
LogJsonFileCtx * flowlog_ctx
Definition: output-json-flow.c:60
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
LogJsonFileCtx
struct LogJsonFileCtx_ LogJsonFileCtx
Flow_::startts
struct timeval startts
Definition: flow.h:458
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
Flow_::todstpktcnt
uint32_t todstpktcnt
Definition: flow.h:460
JsonAddCommonOptions
void JsonAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, json_t *js)
Definition: output-json.c:390
FLOW_END_FLAG_STATE_BYPASSED
#define FLOW_END_FLAG_STATE_BYPASSED
Definition: flow.h:216
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:271
TRUE
#define TRUE
Definition: suricata-common.h:33
FlowBypassInfo_::todstpktcnt
uint64_t todstpktcnt
Definition: flow.h:493
Flow_::protoctx
void * protoctx
Definition: flow.h:400
OutputInitResult_
Definition: output.h:41
json_boolean
#define json_boolean(val)
Definition: suricata-common.h:245
Flow_::dst
FlowAddress dst
Definition: flow.h:329
FlowBypassInfo_::todstbytecnt
uint64_t todstbytecnt
Definition: flow.h:494
LiveDevice_::dev
char * dev
Definition: util-device.h:41
OutputRegisterFlowModule
void OutputRegisterFlowModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a flow output module.
Definition: output.c:582
Flow_::alproto_orig
AppProto alproto_orig
Definition: flow.h:415
Flow_::vlan_id
uint16_t vlan_id[2]
Definition: flow.h:346
Flow_::alproto_ts
AppProto alproto_ts
Definition: flow.h:410
Flow_::tosrcbytecnt
uint64_t tosrcbytecnt
Definition: flow.h:463
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
JsonAddFlow
void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
Definition: output-json-flow.c:180
JsonTcpFlags
void JsonTcpFlags(uint8_t flags, json_t *js)
jsonify tcp flags field Only add &#39;true&#39; fields in an attempt to keep things reasonably compact...
Definition: output-json.c:428
FLOW_END_FLAG_STATE_NEW
#define FLOW_END_FLAG_STATE_NEW
Definition: flow.h:209
CreateIsoTimeString
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:187
LogJsonFileCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-flow.c:54
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:146
OutputInitResult_::ok
bool ok
Definition: output.h:43
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:270
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
LogJsonFileCtx_
Definition: output-json-flow.c:53
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:81
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:79
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
TcpStream_::tcp_flags
uint8_t tcp_flags
Definition: stream-tcp-private.h:99
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:517
FLOW_END_FLAG_STATE_CLOSED
#define FLOW_END_FLAG_STATE_CLOSED
Definition: flow.h:211
Flow_::vlan_idx
uint8_t vlan_idx
Definition: flow.h:347
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:305
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
proto
uint8_t proto
Definition: decode-template.h:50
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
Flow_::livedev
struct LiveDevice_ * livedev
Definition: flow.h:350
Port
uint16_t Port
Definition: decode.h:236
Flow_::icmp_d
struct Flow_::@123::@126 icmp_d
Flow_::lastts
struct timeval lastts
Definition: flow.h:358
LogJsonFileCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json-flow.c:56
Flow_::flow_end_flags
uint8_t flow_end_flags
Definition: flow.h:406
OutputRegisterFlowSubModule
void OutputRegisterFlowSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a flow output sub-module.
Definition: output.c:621
ConfNode_
Definition: conf.h:32
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:42
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:539
SCFree
#define SCFree(a)
Definition: util-mem.h:322
Flow_::dp
Port dp
Definition: flow.h:338
FLOW_IS_IPV6
#define FLOW_IS_IPV6(f)
Definition: flow.h:136
FlowAddress_::address
union FlowAddress_::@120 address
FLOW_END_FLAG_EMERGENCY
#define FLOW_END_FLAG_EMERGENCY
Definition: flow.h:212
JsonFlowLogThread_
Definition: output-json-flow.c:59
FLOW_WRONG_THREAD
#define FLOW_WRONG_THREAD
Definition: flow.h:104
JsonFlowLogThread
struct JsonFlowLogThread_ JsonFlowLogThread
OutputCtx_::data
void * data
Definition: tm-modules.h:81
FlowBypassInfo_::tosrcpktcnt
uint64_t tosrcpktcnt
Definition: flow.h:491
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:192
FlowGetStorageById
void * FlowGetStorageById(Flow *f, int id)
Definition: flow-storage.c:39
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:261
Flow_::src
FlowAddress src
Definition: flow.h:329
OutputJsonCtx_
Definition: output-json.h:78
GetFlowBypassInfoID
int GetFlowBypassInfoID(void)
Definition: flow-util.c:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
FLOW_END_FLAG_SHUTDOWN
#define FLOW_END_FLAG_SHUTDOWN
Definition: flow.h:215
CreateJSONFlowId
void CreateJSONFlowId(json_t *js, const Flow *f)
Definition: output-json.c:699
TcpSession_::tcp_packet_flags
uint8_t tcp_packet_flags
Definition: stream-tcp-private.h:266
MemBuffer_
Definition: util-buffer.h:27
FlowBypassInfo_
Definition: flow.h:487
Flow_
Flow data structure.
Definition: flow.h:325
LogFileCtx_
Definition: util-logopenfile.h:52
Flow_::flags
uint32_t flags
Definition: flow.h:379
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json-flow.c:417
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
Flow_::tosrcpktcnt
uint32_t tosrcpktcnt
Definition: flow.h:461