55 static JsonBuilder *CreateEveHeaderFromFlow(
const Flow *f)
58 char srcip[46] = {0}, dstip[46] = {0};
61 JsonBuilder *jb = jb_new_object();
72 PrintInet(AF_INET, (
const void *)&(f->
src.addr_data32[0]), srcip,
sizeof(srcip));
73 PrintInet(AF_INET, (
const void *)&(f->
dst.addr_data32[0]), dstip,
sizeof(dstip));
82 PrintInet(AF_INET, (
const void *)&(f->
dst.addr_data32[0]), srcip,
sizeof(srcip));
83 PrintInet(AF_INET, (
const void *)&(f->
src.addr_data32[0]), dstip,
sizeof(dstip));
93 jb_set_string(jb,
"timestamp", timebuf);
100 json_object_set_new(js,
"sensor_id", json_integer(sensor_id));
105 jb_set_string(jb,
"in_iface", f->
livedev->
dev);
112 jb_open_array(jb,
"vlan");
113 jb_append_uint(jb, f->
vlan_id[0]);
115 jb_append_uint(jb, f->
vlan_id[1]);
118 jb_append_uint(jb, f->
vlan_id[2]);
124 jb_set_string(jb,
"src_ip", srcip);
131 jb_set_uint(jb,
"src_port", sp);
134 jb_set_string(jb,
"dest_ip", dstip);
141 jb_set_uint(jb,
"dest_port", dp);
150 jb_set_string(jb,
"proto",
proto);
156 jb_set_uint(jb,
"icmp_type", f->
icmp_s.type);
157 jb_set_uint(jb,
"icmp_code", f->
icmp_s.code);
159 jb_set_uint(jb,
"response_icmp_type", f->
icmp_d.type);
160 jb_set_uint(jb,
"response_icmp_code", f->
icmp_d.code);
164 jb_set_uint(jb,
"spi", f->
esp.spi);
185 jb_set_string(js,
"app_proto_expected",
200 jb_open_object(js,
"bypassed");
215 jb_set_string(js,
"start", timebuf1);
218 static void EveExceptionPolicyLog(JsonBuilder *js, uint16_t flag)
222 jb_set_string(js,
"target",
224 jb_set_string(js,
"policy",
231 jb_set_string(js,
"target",
233 jb_set_string(js,
"policy",
240 jb_set_string(js,
"target",
242 jb_set_string(js,
"policy",
252 jb_set_string(js,
"policy",
261 jb_set_string(js,
"policy",
268 jb_set_string(js,
"target",
270 jb_set_string(js,
"policy",
281 jb_open_object(jb,
"flow");
286 jb_set_string(jb,
"end", timebuf2);
289 jb_set_uint(jb,
"age", age);
295 switch (flow_state) {
309 #ifdef CAPTURE_OFFLOAD
310 case FLOW_STATE_CAPTURE_BYPASSED:
317 SCLogDebug(
"invalid flow state: %d, contact developers", flow_state);
320 const char *reason = NULL;
322 reason =
"tcp_reuse";
332 jb_set_string(jb,
"reason", reason);
344 jb_open_array(jb,
"exception_policy");
355 if (f->
proto == IPPROTO_TCP) {
356 jb_open_object(jb,
"tcp");
361 snprintf(hexflags,
sizeof(hexflags),
"%02x",
363 jb_set_string(jb,
"tcp_flags", hexflags);
365 snprintf(hexflags,
sizeof(hexflags),
"%02x",
367 jb_set_string(jb,
"tcp_flags_ts", hexflags);
369 snprintf(hexflags,
sizeof(hexflags),
"%02x",
371 jb_set_string(jb,
"tcp_flags_tc", hexflags);
377 if (tcp_state != NULL)
378 jb_set_string(jb,
"state", tcp_state);
406 MemBufferReset(thread->
buffer);
408 JsonBuilder *jb = CreateEveHeaderFromFlow(f);
413 EveFlowLogJSON(thread, jb, f);
OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
OutputJsonCommonSettings cfg
FlowStorageId GetFlowBypassInfoID(void)
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
const char * AppProtoToString(AppProto alproto)
Maps an ALPROTO_* value to its string equivalent.
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
#define EXCEPTION_TARGET_FLAG_APPLAYER_ERROR
bool SCProtoNameValid(uint16_t proto)
Function to check whether the received protocol number is valid and whether we have a corresponding name entry fo...
const char * known_proto[256]
const char * ExceptionPolicyTargetFlagToString(uint8_t target_flag)
void JsonFlowLogRegister(void)
void OutputRegisterFlowSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Register a flow output sub-module.
@ FLOW_STATE_LOCAL_BYPASSED
#define EXCEPTION_TARGET_FLAG_DEFRAG_MEMCAP
enum ExceptionPolicy ExceptionPolicyTargetPolicy(uint8_t target_flag)
#define JB_SET_STRING(jb, key, val)
Per-thread variable structure.
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js, enum OutputJsonLogDirection dir)
void EveTcpFlags(const uint8_t flags, JsonBuilder *js)
JSONify the TCP flags field. Only add 'true' fields in an attempt to keep things reasonably compact.
#define FLOW_WRONG_THREAD
#define JB_SET_TRUE(jb, key)
#define FLOW_END_FLAG_TCPREUSE
#define FLOW_END_FLAG_EMERGENCY
#define STREAMTCP_STREAM_FLAG_HAS_GAP
#define EXCEPTION_TARGET_FLAG_REASSEMBLY_MEMCAP
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
#define EXCEPTION_TARGET_FLAG_MIDSTREAM
uint8_t applied_exception_policy
#define EXCEPTION_TARGET_FLAG_SESSION_MEMCAP
void EveAddAppProto(Flow *f, JsonBuilder *js)
struct Flow_::@114::@120 icmp_d
struct Flow_::@112::@118 icmp_s
struct LiveDevice_ * livedev
void CreateEveFlowId(JsonBuilder *js, const Flow *f)
const char * ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_json)
union FlowAddress_::@111 address
#define FLOW_END_FLAG_SHUTDOWN
#define EXCEPTION_TARGET_FLAG_FLOW_MEMCAP
const char * StreamTcpStateAsString(const enum TcpState state)
uint16_t vlan_id[VLAN_MAX_LAYERS]
int FlowHasAlerts(const Flow *f)
Check if a flow has alerts.
#define FLOW_END_FLAG_TIMEOUT
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
AppProto alproto
application-level protocol
#define FLOW_END_FLAG_FORCED
#define FLOW_DIR_REVERSED
#define DEBUG_VALIDATE_BUG_ON(exp)
void EveAddFlow(Flow *f, JsonBuilder *js)
struct Flow_::@112::@119 esp