suricata
output-json-frame.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs frames in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-logopenfile.h"
39 #include "util-misc.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 
43 #include "detect-parse.h"
44 #include "detect-engine.h"
45 #include "detect-engine-mpm.h"
46 #include "detect-reference.h"
47 #include "detect-metadata.h"
48 #include "app-layer-parser.h"
49 #include "app-layer-frames.h"
50 #include "app-layer-dnp3.h"
51 #include "app-layer-htp.h"
52 #include "app-layer-htp-xff.h"
53 #include "app-layer-ftp.h"
55 #include "stream-tcp.h"
56 
57 #include "output.h"
58 #include "output-json.h"
59 #include "output-json-frame.h"
60 
61 #include "util-byte.h"
62 #include "util-privs.h"
63 #include "util-print.h"
64 #include "util-proto-name.h"
65 #include "util-optimize.h"
66 #include "util-buffer.h"
67 #include "util-validate.h"
68 
69 #define MODULE_NAME "JsonFrameLog"
70 
71 #define JSON_STREAM_BUFFER_SIZE 4096
72 
73 typedef struct FrameJsonOutputCtx_ {
75  uint16_t flags;
79 
80 typedef struct JsonFrameLogThread_ {
85 
86 #if 0 // TODO see if this is useful in some way
87 static inline bool NeedsAsHex(uint8_t c)
88 {
89  if (!isprint(c))
90  return true;
91 
92  switch (c) {
93  case '/':
94  case ';':
95  case ':':
96  case '\\':
97  case ' ':
98  case '|':
99  case '"':
100  case '`':
101  case '\'':
102  return true;
103  }
104  return false;
105 }
106 
107 static void PayloadAsHex(const uint8_t *data, uint32_t data_len, char *str, size_t str_len)
108 {
109  bool hex = false;
110  for (uint32_t i = 0; i < data_len; i++) {
111  if (NeedsAsHex(data[i])) {
112  char hex_str[4];
113  snprintf(hex_str, sizeof(hex_str), "%s%02X", !hex ? "|" : " ", data[i]);
114  strlcat(str, hex_str, str_len);
115  hex = true;
116  } else {
117  char p_str[3];
118  snprintf(p_str, sizeof(p_str), "%s%c", hex ? "|" : "", data[i]);
119  strlcat(str, p_str, str_len);
120  hex = false;
121  }
122  }
123  if (hex) {
124  strlcat(str, "|", str_len);
125  }
126 }
127 #endif
128 
129 static void FrameAddPayloadTCP(JsonBuilder *js, const TcpStream *stream, const Frame *frame)
130 {
131  uint32_t sb_data_len = 0;
132  const uint8_t *data = NULL;
133  uint64_t data_offset = 0;
134 
135  // TODO consider ACK'd
136 
137  if (frame->rel_offset < 0) {
138  if (StreamingBufferGetData(&stream->sb, &data, &sb_data_len, &data_offset) == 0) {
139  SCLogDebug("NO DATA1");
140  return;
141  }
142  } else {
143  data_offset = (uint64_t)(frame->rel_offset + (int64_t)STREAM_BASE_OFFSET(stream));
144  SCLogDebug("data_offset %" PRIu64, data_offset);
146  &stream->sb, &data, &sb_data_len, (uint64_t)data_offset) == 0) {
147  SCLogDebug("NO DATA1");
148  return;
149  }
150  }
151  if (data == NULL || sb_data_len == 0) {
152  SCLogDebug("NO DATA2");
153  return;
154  }
155 
156  if (frame->len >= 0) {
157  sb_data_len = MIN(frame->len, (int32_t)sb_data_len);
158  }
159  SCLogDebug("frame data_offset %" PRIu64 ", data_len %u frame len %" PRIi64, data_offset,
160  sb_data_len, frame->len);
161 
162  // TODO update to work with large frames
163  jb_set_bool(js, "complete", ((int64_t)sb_data_len >= frame->len));
164 
165  uint32_t data_len = MIN(sb_data_len, 256);
166  jb_set_base64(js, "payload", data, data_len);
167 
168  uint8_t printable_buf[data_len + 1];
169  uint32_t o = 0;
170  PrintStringsToBuffer(printable_buf, &o, data_len + 1, data, data_len);
171  printable_buf[data_len] = '\0';
172  jb_set_string(js, "payload_printable", (char *)printable_buf);
173 #if 0
174  char pretty_buf[data_len * 4 + 1];
175  pretty_buf[0] = '\0';
176  PayloadAsHex(data, data_len, pretty_buf, data_len * 4 + 1);
177  jb_set_string(js, "payload_hex", pretty_buf);
178 #endif
179 }
180 
181 static void FrameAddPayloadUDP(JsonBuilder *js, const Packet *p, const Frame *frame)
182 {
184  if (frame->rel_offset >= p->payload_len)
185  return;
186 
187  int frame_len = frame->len != -1 ? frame->len : p->payload_len - frame->rel_offset;
188 
189  if (frame->rel_offset + frame_len > p->payload_len) {
190  frame_len = p->payload_len - frame->rel_offset;
191  JB_SET_FALSE(js, "complete");
192  } else {
193  JB_SET_TRUE(js, "complete");
194  }
195  const uint8_t *data = p->payload + frame->rel_offset;
196  const uint32_t data_len = frame_len;
197 
198  const uint32_t log_data_len = MIN(data_len, 256);
199  jb_set_base64(js, "payload", data, log_data_len);
200 
201  uint8_t printable_buf[log_data_len + 1];
202  uint32_t o = 0;
203  PrintStringsToBuffer(printable_buf, &o, log_data_len + 1, data, log_data_len);
204  printable_buf[log_data_len] = '\0';
205  jb_set_string(js, "payload_printable", (char *)printable_buf);
206 #if 0
207  char pretty_buf[data_len * 4 + 1];
208  pretty_buf[0] = '\0';
209  PayloadAsHex(data, data_len, pretty_buf, data_len * 4 + 1);
210  jb_set_string(js, "payload_hex", pretty_buf);
211 #endif
212 }
213 
214 // TODO separate between stream_offset and frame_offset
215 /** \brief log a single frame
216  * \note ipproto argument is passed to assist static code analyzers
217  */
218 void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, const Flow *f,
219  const TcpStream *stream, const Packet *p, JsonBuilder *jb)
220 {
221  DEBUG_VALIDATE_BUG_ON(ipproto != p->proto);
222  DEBUG_VALIDATE_BUG_ON(ipproto != f->proto);
223 
224  jb_open_object(jb, "frame");
225  jb_set_string(jb, "type", AppLayerParserGetFrameNameById(ipproto, f->alproto, frame->type));
226  jb_set_uint(jb, "id", frame->id);
227  jb_set_string(jb, "direction", PKT_IS_TOSERVER(p) ? "toserver" : "toclient");
228 
229  if (ipproto == IPPROTO_TCP) {
230  DEBUG_VALIDATE_BUG_ON(stream == NULL);
231  int64_t abs_offset = frame->rel_offset + (int64_t)STREAM_BASE_OFFSET(stream);
232  jb_set_uint(jb, "stream_offset", (uint64_t)abs_offset);
233 
234  if (frame->len < 0) {
235  uint64_t usable = StreamTcpGetUsable(stream, true);
236  uint64_t len = usable - abs_offset;
237  jb_set_uint(jb, "length", len);
238  } else {
239  jb_set_uint(jb, "length", frame->len);
240  }
241  FrameAddPayloadTCP(jb, stream, frame);
242  } else {
243  jb_set_uint(jb, "length", frame->len);
244  FrameAddPayloadUDP(jb, p, frame);
245  }
246  if (frame->flags & FRAME_FLAG_TX_ID_SET) {
247  jb_set_uint(jb, "tx_id", frame->tx_id);
248  }
249  jb_close(jb);
250 }
251 
252 static int FrameJsonUdp(
253  JsonFrameLogThread *aft, const Packet *p, Flow *f, FramesContainer *frames_container)
254 {
255  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
256 
257  Frames *frames;
258  if (PKT_IS_TOSERVER(p)) {
259  frames = &frames_container->toserver;
260  } else {
261  frames = &frames_container->toclient;
262  }
263 
264  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
265  Frame *frame = FrameGetByIndex(frames, idx);
266  if (frame == NULL || frame->flags & FRAME_FLAG_LOGGED)
267  continue;
268 
269  /* First initialize the address info (5-tuple). */
271  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
272 
273  JsonBuilder *jb =
274  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
275  if (unlikely(jb == NULL))
276  return TM_ECODE_OK;
277 
278  jb_set_string(jb, "app_proto", AppProtoToString(f->alproto));
279  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb);
280  OutputJsonBuilderBuffer(jb, aft->ctx);
281  jb_free(jb);
282  frame->flags |= FRAME_FLAG_LOGGED;
283  }
284  return TM_ECODE_OK;
285 }
286 
287 static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
288 {
289  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
290 
291  BUG_ON(p->flow == NULL);
292 
293  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
294  if (frames_container == NULL)
295  return TM_ECODE_OK;
296 
297  if (p->proto == IPPROTO_UDP) {
298  return FrameJsonUdp(aft, p, p->flow, frames_container);
299  }
300 
301  BUG_ON(p->proto != IPPROTO_TCP);
302  BUG_ON(p->flow->protoctx == NULL);
303 
304  /* TODO can we set these EOF flags once per packet? We have them in detect, tx, file, filedata,
305  * etc */
306  const bool last_pseudo = (p->flowflags & FLOW_PKT_LAST_PSEUDO) != 0;
307  Frames *frames;
308  TcpSession *ssn = p->flow->protoctx;
309  bool eof = (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
310  TcpStream *stream;
311  if (PKT_IS_TOSERVER(p)) {
312  stream = &ssn->client;
313  frames = &frames_container->toserver;
314  SCLogDebug("TOSERVER base %" PRIu64 ", app %" PRIu64, STREAM_BASE_OFFSET(stream),
315  STREAM_APP_PROGRESS(stream));
317  } else {
318  stream = &ssn->server;
319  frames = &frames_container->toclient;
321  }
322  eof |= last_pseudo;
323  SCLogDebug("eof %s", eof ? "true" : "false");
324 
325  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
326  Frame *frame = FrameGetByIndex(frames, idx);
327  if (frame != NULL && frame->rel_offset >= 0) {
328  if (frame->flags & FRAME_FLAG_LOGGED)
329  continue;
330 
331  int64_t abs_offset = (int64_t)frame->rel_offset + (int64_t)STREAM_BASE_OFFSET(stream);
332  int64_t win = STREAM_APP_PROGRESS(stream) - abs_offset;
333  // SCLogDebug("abs_offset %" PRIi64 ", frame->rel_offset %" PRIi64
334  // ", frames->progress_rel %d win %" PRIi64,
335  // abs_offset, frame->rel_offset, frames->progress_rel, win);
336 
337  if (!eof && win < frame->len && win < 2500) {
338  SCLogDebug("frame id %" PRIi64 " len %" PRIi64 ", win %" PRIi64
339  ", skipping logging",
340  frame->id, frame->len, win);
341  continue;
342  }
343 
344  /* First initialize the address info (5-tuple). */
346  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
347 
348  JsonBuilder *jb =
349  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
350  if (unlikely(jb == NULL))
351  return TM_ECODE_OK;
352 
353  jb_set_string(jb, "app_proto", AppProtoToString(p->flow->alproto));
354  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb);
355  OutputJsonBuilderBuffer(jb, aft->ctx);
356  jb_free(jb);
357  frame->flags |= FRAME_FLAG_LOGGED;
358  } else if (frame != NULL) {
359  SCLogDebug("frame %p id %" PRIi64, frame, frame->id);
360  }
361  }
362  return TM_ECODE_OK;
363 }
364 
365 static int JsonFrameLogger(ThreadVars *tv, void *thread_data, const Packet *p)
366 {
367  JsonFrameLogThread *aft = thread_data;
368  return FrameJson(tv, aft, p);
369 }
370 
371 static int JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
372 {
373  if (p->flow == NULL || p->flow->alproto == ALPROTO_UNKNOWN)
374  return FALSE;
375 
376  if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
377  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
378  if (frames_container == NULL)
379  return FALSE;
380 
381  Frames *frames;
382  if (PKT_IS_TOSERVER(p)) {
383  frames = &frames_container->toserver;
384  } else {
385  frames = &frames_container->toclient;
386  }
387  return (frames->cnt != 0);
388  }
389  return FALSE;
390 }
391 
392 static TmEcode JsonFrameLogThreadInit(ThreadVars *t, const void *initdata, void **data)
393 {
395  if (unlikely(aft == NULL))
396  return TM_ECODE_FAILED;
397 
398  if (initdata == NULL) {
399  SCLogDebug("Error getting context for EveLogFrame. \"initdata\" argument NULL");
400  goto error_exit;
401  }
402 
403  /** Use the Output Context (file pointer and mutex) */
404  FrameJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
405 
406  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
407  if (aft->payload_buffer == NULL) {
408  goto error_exit;
409  }
410  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
411  if (!aft->ctx) {
412  goto error_exit;
413  }
414 
415  aft->json_output_ctx = json_output_ctx;
416 
417  *data = (void *)aft;
418  return TM_ECODE_OK;
419 
420 error_exit:
421  if (aft->payload_buffer != NULL) {
423  }
424  SCFree(aft);
425  return TM_ECODE_FAILED;
426 }
427 
428 static TmEcode JsonFrameLogThreadDeinit(ThreadVars *t, void *data)
429 {
430  JsonFrameLogThread *aft = (JsonFrameLogThread *)data;
431  if (aft == NULL) {
432  return TM_ECODE_OK;
433  }
434 
436  FreeEveThreadCtx(aft->ctx);
437 
438  /* clear memory */
439  memset(aft, 0, sizeof(JsonFrameLogThread));
440 
441  SCFree(aft);
442  return TM_ECODE_OK;
443 }
444 
445 static void JsonFrameLogDeInitCtxSub(OutputCtx *output_ctx)
446 {
447  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
448 
449  FrameJsonOutputCtx *json_output_ctx = (FrameJsonOutputCtx *)output_ctx->data;
450 
451  if (json_output_ctx != NULL) {
452  SCFree(json_output_ctx);
453  }
454  SCFree(output_ctx);
455 }
456 
457 /**
458  * \brief Create a new LogFileCtx for "fast" output style.
459  * \param conf The configuration node for this output.
460  * \return A LogFileCtx pointer on success, NULL on failure.
461  */
462 static OutputInitResult JsonFrameLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
463 {
464  OutputInitResult result = { NULL, false };
465  OutputJsonCtx *ajt = parent_ctx->data;
466  FrameJsonOutputCtx *json_output_ctx = NULL;
467 
468  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
469  if (unlikely(output_ctx == NULL))
470  return result;
471 
472  json_output_ctx = SCMalloc(sizeof(FrameJsonOutputCtx));
473  if (unlikely(json_output_ctx == NULL)) {
474  goto error;
475  }
476  memset(json_output_ctx, 0, sizeof(FrameJsonOutputCtx));
477 
478  json_output_ctx->file_ctx = ajt->file_ctx;
479  json_output_ctx->eve_ctx = ajt;
480 
481  output_ctx->data = json_output_ctx;
482  output_ctx->DeInit = JsonFrameLogDeInitCtxSub;
483 
484  result.ctx = output_ctx;
485  result.ok = true;
486  return result;
487 
488 error:
489  if (json_output_ctx != NULL) {
490  SCFree(json_output_ctx);
491  }
492  if (output_ctx != NULL) {
493  SCFree(output_ctx);
494  }
495 
496  return result;
497 }
498 
500 {
501  OutputRegisterPacketSubModule(LOGGER_JSON_FRAME, "eve-log", MODULE_NAME, "eve-log.frame",
502  JsonFrameLogInitCtxSub, JsonFrameLogger, JsonFrameLogCondition, JsonFrameLogThreadInit,
503  JsonFrameLogThreadDeinit, NULL);
504 }
util-byte.h
tm-threads.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, const Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb)
log a single frame
Definition: output-json-frame.c:218
Packet_::proto
uint8_t proto
Definition: decode.h:455
TcpStream_
Definition: stream-tcp-private.h:106
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:50
stream-tcp.h
FLOW_PKT_LAST_PSEUDO
#define FLOW_PKT_LAST_PSEUDO
Definition: flow.h:232
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FrameJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-frame.c:75
JsonFrameLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-frame.c:83
Frame::rel_offset
int64_t rel_offset
Definition: app-layer-frames.h:46
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
FrameJsonOutputCtx
struct FrameJsonOutputCtx_ FrameJsonOutputCtx
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:73
Flow_::proto
uint8_t proto
Definition: flow.h:375
FrameJsonOutputCtx_
Definition: output-json-frame.c:73
Packet_::payload
uint8_t * payload
Definition: decode.h:573
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:71
threads.h
OutputJsonCtx_
Definition: output-json.h:81
Frame
Definition: app-layer-frames.h:40
Flow_
Flow data structure.
Definition: flow.h:353
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
LogFileCtx_
Definition: util-logopenfile.h:64
output-json-frame.h
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:960
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:57
Frame::id
int64_t id
Definition: app-layer-frames.h:49
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:44
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:64
StreamingBufferGetData
int StreamingBufferGetData(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t *stream_offset)
Definition: util-streaming-buffer.c:830
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
FrameJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-frame.c:74
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
Frames
Definition: app-layer-frames.h:56
FramesContainer
Definition: app-layer-frames.h:70
util-privs.h
StreamingBufferGetDataAtOffset
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
Definition: util-streaming-buffer.c:847
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:464
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
Flow_::protoctx
void * protoctx
Definition: flow.h:451
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
util-unittest.h
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:280
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:230
StreamTcpGetUsable
uint64_t StreamTcpGetUsable(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:410
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:485
app-layer-htp.h
AppLayerParserStateIssetFlag
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag)
Definition: app-layer-parser.c:1727
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:72
util-debug.h
FrameJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-frame.c:77
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:259
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1550
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:45
MODULE_NAME
#define MODULE_NAME
Definition: output-json-frame.c:69
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
app-layer-dnp3.h
output-json.h
FRAME_FLAG_TX_ID_SET
#define FRAME_FLAG_TX_ID_SET
Definition: app-layer-frames.h:33
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:143
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:822
util-print.h
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:38
OutputInitResult_::ok
bool ok
Definition: output.h:46
app-layer-parser.h
JsonFrameLogThread_::json_output_ctx
FrameJsonOutputCtx * json_output_ctx
Definition: output-json-frame.c:82
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
FrameJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-frame.c:76
FALSE
#define FALSE
Definition: suricata-common.h:34
JsonAddrInfo_
Definition: output-json.h:49
Packet_
Definition: decode.h:433
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:200
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
conf.h
JsonFrameLogThread_
Definition: output-json-frame.c:80
Frame::len
int64_t len
Definition: app-layer-frames.h:48
TmEcode
TmEcode
Definition: tm-threads-common.h:81
util-proto-name.h
MemBuffer_
Definition: util-buffer.h:27
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:42
JsonFrameLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-frame.c:81
JsonFrameLogRegister
void JsonFrameLogRegister(void)
Definition: output-json-frame.c:499
OutputInitResult_
Definition: output.h:44
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:470
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
Frame::type
uint8_t type
Definition: app-layer-frames.h:41
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:217
detect-metadata.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
TcpStream_::sb
StreamingBuffer sb
Definition: stream-tcp-private.h:134
util-classification-config.h
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:284
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:31
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:39
util-optimize.h
threadvars.h
util-validate.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:283
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
FRAME_FLAG_LOGGED
#define FRAME_FLAG_LOGGED
Definition: app-layer-frames.h:37
detect-parse.h
util-buffer.h
JsonFrameLogThread
struct JsonFrameLogThread_ JsonFrameLogThread
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
LOGGER_JSON_FRAME
@ LOGGER_JSON_FRAME
Definition: suricata-common.h:491
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:199
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:475
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:144
TcpSession_
Definition: stream-tcp-private.h:271
util-misc.h
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h