suricata
output-json-frame.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs frames in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "detect.h"
29 #include "flow.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "tm-threads.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 
37 #include "util-logopenfile.h"
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "detect-metadata.h"
47 #include "app-layer-parser.h"
48 #include "app-layer-frames.h"
49 #include "app-layer-dnp3.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "stream-tcp.h"
55 
56 #include "output.h"
57 #include "output-json.h"
58 #include "output-json-frame.h"
59 
60 #include "util-byte.h"
61 #include "util-privs.h"
62 #include "util-print.h"
63 #include "util-proto-name.h"
64 #include "util-optimize.h"
65 #include "util-buffer.h"
66 #include "util-validate.h"
67 
68 #define MODULE_NAME "JsonFrameLog"
69 
70 typedef struct FrameJsonOutputCtx_ {
72  uint16_t flags;
76 
77 typedef struct JsonFrameLogThread_ {
82 
83 #if 0 // TODO see if this is useful in some way
84 static inline bool NeedsAsHex(uint8_t c)
85 {
86  if (!isprint(c))
87  return true;
88 
89  switch (c) {
90  case '/':
91  case ';':
92  case ':':
93  case '\\':
94  case ' ':
95  case '|':
96  case '"':
97  case '`':
98  case '\'':
99  return true;
100  }
101  return false;
102 }
103 
104 static void PayloadAsHex(const uint8_t *data, uint32_t data_len, char *str, size_t str_len)
105 {
106  bool hex = false;
107  for (uint32_t i = 0; i < data_len; i++) {
108  if (NeedsAsHex(data[i])) {
109  char hex_str[4];
110  snprintf(hex_str, sizeof(hex_str), "%s%02X", !hex ? "|" : " ", data[i]);
111  strlcat(str, hex_str, str_len);
112  hex = true;
113  } else {
114  char p_str[3];
115  snprintf(p_str, sizeof(p_str), "%s%c", hex ? "|" : "", data[i]);
116  strlcat(str, p_str, str_len);
117  hex = false;
118  }
119  }
120  if (hex) {
121  strlcat(str, "|", str_len);
122  }
123 }
124 #endif
125 
128  const Frame *frame;
129  uint64_t last_re; /**< used to detect gaps */
130 };
131 
132 static int FrameJsonStreamDataCallback(
133  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
134 {
135  struct FrameJsonStreamDataCallbackData *cbd = cb_data;
136  const Frame *frame = cbd->frame;
137 
138  uint32_t write_size = input_len;
139  int done = 0;
140 
141  if (frame->len >= 0) {
142  const uint64_t data_re = input_offset + input_len;
143  const uint64_t frame_re = frame->offset + (uint64_t)frame->len;
144 
145  /* data entirely after frame, we're done */
146  if (input_offset >= frame_re) {
147  return 1;
148  }
149  /* make sure to only log data belonging to the frame */
150  if (data_re >= frame_re) {
151  const uint64_t to_write = frame_re - input_offset;
152  if (to_write < (uint64_t)write_size) {
153  write_size = (uint32_t)to_write;
154  }
155  done = 1;
156  }
157  }
158  if (input_offset > cbd->last_re) {
160  cbd->payload, "[%" PRIu64 " bytes missing]", input_offset - cbd->last_re);
161  }
162 
163  if (write_size > 0) {
164  uint32_t written = MemBufferWriteRaw(cbd->payload, input, write_size);
165  if (written < write_size)
166  done = 1;
167  }
168  cbd->last_re = input_offset + write_size;
169  return done;
170 }
171 
172 /** \internal
173  * \brief try to log frame's stream data into payload/payload_printable
174  */
175 static void FrameAddPayloadTCP(Flow *f, const TcpSession *ssn, const TcpStream *stream,
176  const Frame *frame, JsonBuilder *jb, MemBuffer *buffer)
177 {
178  MemBufferReset(buffer);
179 
180  /* consider all data, ACK'd and non-ACK'd */
181  const uint64_t stream_data_re = StreamDataRightEdge(stream, true);
182  bool complete = false;
183  if (frame->len >= 0 && frame->offset + (uint64_t)frame->len <= stream_data_re) {
184  complete = true;
185  }
186 
187  struct FrameJsonStreamDataCallbackData cbd = {
188  .payload = buffer, .frame = frame, .last_re = frame->offset
189  };
190  uint64_t unused = 0;
192  ssn, stream, FrameJsonStreamDataCallback, &cbd, frame->offset, &unused, false);
193  /* if we have all data, but didn't log until the end of the frame, we have a gap at the
194  * end of the frame
195  * TODO what about not logging due to buffer full? */
196  if (complete && frame->len >= 0 && cbd.last_re < frame->offset + (uint64_t)frame->len) {
197  MemBufferWriteString(cbd.payload, "[%" PRIu64 " bytes missing]",
198  (frame->offset + (uint64_t)frame->len) - cbd.last_re);
199  }
200 
201  if (cbd.payload->offset) {
202  jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
203  uint8_t printable_buf[cbd.payload->offset + 1];
204  uint32_t offset = 0;
205  PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer,
206  cbd.payload->offset);
207  jb_set_string(jb, "payload_printable", (char *)printable_buf);
208  jb_set_bool(jb, "complete", complete);
209  }
210 }
211 
212 static void FrameAddPayloadUDP(JsonBuilder *js, const Packet *p, const Frame *frame)
213 {
215  if (frame->offset >= p->payload_len)
216  return;
217 
218  uint32_t frame_len;
219  if (frame->len == -1) {
220  frame_len = p->payload_len - frame->offset;
221  } else {
222  frame_len = (uint32_t)frame->len;
223  }
224  if (frame->offset + frame_len > p->payload_len) {
225  frame_len = p->payload_len - frame->offset;
226  JB_SET_FALSE(js, "complete");
227  } else {
228  JB_SET_TRUE(js, "complete");
229  }
230  const uint8_t *data = p->payload + frame->offset;
231  const uint32_t data_len = frame_len;
232 
233  const uint32_t log_data_len = MIN(data_len, 256);
234  jb_set_base64(js, "payload", data, log_data_len);
235 
236  uint8_t printable_buf[log_data_len + 1];
237  uint32_t o = 0;
238  PrintStringsToBuffer(printable_buf, &o, log_data_len + 1, data, log_data_len);
239  printable_buf[log_data_len] = '\0';
240  jb_set_string(js, "payload_printable", (char *)printable_buf);
241 #if 0
242  char pretty_buf[data_len * 4 + 1];
243  pretty_buf[0] = '\0';
244  PayloadAsHex(data, data_len, pretty_buf, data_len * 4 + 1);
245  jb_set_string(js, "payload_hex", pretty_buf);
246 #endif
247 }
248 
249 // TODO separate between stream_offset and frame_offset
250 /** \brief log a single frame
251  * \note ipproto argument is passed to assist static code analyzers
252  */
253 void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f,
254  const TcpStream *stream, const Packet *p, JsonBuilder *jb, MemBuffer *buffer)
255 {
256  DEBUG_VALIDATE_BUG_ON(ipproto != p->proto);
257  DEBUG_VALIDATE_BUG_ON(ipproto != f->proto);
258 
259  jb_open_object(jb, "frame");
260  if (frame->type == FRAME_STREAM_TYPE) {
261  jb_set_string(jb, "type", "stream");
262  } else {
263  jb_set_string(jb, "type", AppLayerParserGetFrameNameById(ipproto, f->alproto, frame->type));
264  }
265  jb_set_uint(jb, "id", frame->id);
266  jb_set_string(jb, "direction", PKT_IS_TOSERVER(p) ? "toserver" : "toclient");
267 
268  if (ipproto == IPPROTO_TCP) {
269  DEBUG_VALIDATE_BUG_ON(stream == NULL);
270  jb_set_uint(jb, "stream_offset", frame->offset);
271 
272  if (frame->len < 0) {
273  uint64_t usable = StreamTcpGetUsable(stream, true);
274  uint64_t len = usable - frame->offset;
275  jb_set_uint(jb, "length", len);
276  } else {
277  jb_set_uint(jb, "length", frame->len);
278  }
279  FrameAddPayloadTCP(f, f->protoctx, stream, frame, jb, buffer);
280  } else {
281  jb_set_uint(jb, "length", frame->len);
282  FrameAddPayloadUDP(jb, p, frame);
283  }
285  jb_set_uint(jb, "tx_id", frame->tx_id);
286  }
287  jb_close(jb);
288 }
289 
290 static int FrameJsonUdp(
291  JsonFrameLogThread *aft, const Packet *p, Flow *f, FramesContainer *frames_container)
292 {
293  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
294 
295  Frames *frames;
296  if (PKT_IS_TOSERVER(p)) {
297  frames = &frames_container->toserver;
298  } else {
299  frames = &frames_container->toclient;
300  }
301 
302  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
303  Frame *frame = FrameGetByIndex(frames, idx);
304  if (frame == NULL || frame->flags & FRAME_FLAG_LOGGED)
305  continue;
306 
307  /* First initialize the address info (5-tuple). */
309  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
310 
311  JsonBuilder *jb =
312  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
313  if (unlikely(jb == NULL))
314  return TM_ECODE_OK;
315 
316  jb_set_string(jb, "app_proto", AppProtoToString(f->alproto));
317  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, aft->payload_buffer);
318  OutputJsonBuilderBuffer(jb, aft->ctx);
319  jb_free(jb);
321  }
322  return TM_ECODE_OK;
323 }
324 
325 static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
326 {
327  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
328 
329  BUG_ON(p->flow == NULL);
330 
331  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
332  if (frames_container == NULL)
333  return TM_ECODE_OK;
334 
335  if (p->proto == IPPROTO_UDP) {
336  return FrameJsonUdp(aft, p, p->flow, frames_container);
337  }
338 
339  BUG_ON(p->proto != IPPROTO_TCP);
340  BUG_ON(p->flow->protoctx == NULL);
341 
342  /* TODO can we set these EOF flags once per packet? We have them in detect, tx, file, filedata,
343  * etc */
344  const bool last_pseudo = (p->flowflags & FLOW_PKT_LAST_PSEUDO) != 0;
345  Frames *frames;
346  TcpSession *ssn = p->flow->protoctx;
347  bool eof = (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
348  TcpStream *stream;
349  if (PKT_IS_TOSERVER(p)) {
350  stream = &ssn->client;
351  frames = &frames_container->toserver;
352  SCLogDebug("TOSERVER base %" PRIu64 ", app %" PRIu64, STREAM_BASE_OFFSET(stream),
353  STREAM_APP_PROGRESS(stream));
355  } else {
356  stream = &ssn->server;
357  frames = &frames_container->toclient;
359  }
360  eof |= last_pseudo;
361  SCLogDebug("eof %s", eof ? "true" : "false");
362 
363  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
364  Frame *frame = FrameGetByIndex(frames, idx);
365  if (frame != NULL) {
367  continue;
368 
369  int64_t abs_offset = (int64_t)frame->offset + (int64_t)STREAM_BASE_OFFSET(stream);
370  int64_t win = STREAM_APP_PROGRESS(stream) - abs_offset;
371 
372  if (!eof && win < frame->len && win < 2500) {
373  SCLogDebug("frame id %" PRIi64 " len %" PRIi64 ", win %" PRIi64
374  ", skipping logging",
375  frame->id, frame->len, win);
376  continue;
377  }
378 
379  /* First initialize the address info (5-tuple). */
381  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
382 
383  JsonBuilder *jb =
384  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
385  if (unlikely(jb == NULL))
386  return TM_ECODE_OK;
387 
388  jb_set_string(jb, "app_proto", AppProtoToString(p->flow->alproto));
389  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, aft->payload_buffer);
390  OutputJsonBuilderBuffer(jb, aft->ctx);
391  jb_free(jb);
393  } else if (frame != NULL) {
394  SCLogDebug("frame %p id %" PRIi64, frame, frame->id);
395  }
396  }
397  return TM_ECODE_OK;
398 }
399 
400 static int JsonFrameLogger(ThreadVars *tv, void *thread_data, const Packet *p)
401 {
402  JsonFrameLogThread *aft = thread_data;
403  return FrameJson(tv, aft, p);
404 }
405 
406 static bool JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
407 {
408  if (p->flow == NULL || p->flow->alproto == ALPROTO_UNKNOWN)
409  return false;
410 
411  if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
412  if (p->proto == IPPROTO_TCP) {
413  if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
414  // fallthrough
415  } else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
416  // fallthrough
417  } else {
418  return false;
419  }
420  }
421 
422  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
423  if (frames_container == NULL)
424  return false;
425 
426  Frames *frames;
427  if (PKT_IS_TOSERVER(p)) {
428  frames = &frames_container->toserver;
429  } else {
430  frames = &frames_container->toclient;
431  }
432  return (frames->cnt != 0);
433  }
434  return false;
435 }
436 
437 static TmEcode JsonFrameLogThreadInit(ThreadVars *t, const void *initdata, void **data)
438 {
440  if (unlikely(aft == NULL))
441  return TM_ECODE_FAILED;
442 
443  if (initdata == NULL) {
444  SCLogDebug("Error getting context for EveLogFrame. \"initdata\" argument NULL");
445  goto error_exit;
446  }
447 
448  /** Use the Output Context (file pointer and mutex) */
449  FrameJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
450 
451  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
452  if (aft->payload_buffer == NULL) {
453  goto error_exit;
454  }
455  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
456  if (!aft->ctx) {
457  goto error_exit;
458  }
459 
460  aft->json_output_ctx = json_output_ctx;
461 
462  *data = (void *)aft;
463  return TM_ECODE_OK;
464 
465 error_exit:
466  if (aft->payload_buffer != NULL) {
468  }
469  SCFree(aft);
470  return TM_ECODE_FAILED;
471 }
472 
473 static TmEcode JsonFrameLogThreadDeinit(ThreadVars *t, void *data)
474 {
475  JsonFrameLogThread *aft = (JsonFrameLogThread *)data;
476  if (aft == NULL) {
477  return TM_ECODE_OK;
478  }
479 
481  FreeEveThreadCtx(aft->ctx);
482 
483  /* clear memory */
484  memset(aft, 0, sizeof(JsonFrameLogThread));
485 
486  SCFree(aft);
487  return TM_ECODE_OK;
488 }
489 
490 static void JsonFrameLogDeInitCtxSub(OutputCtx *output_ctx)
491 {
492  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
493 
494  FrameJsonOutputCtx *json_output_ctx = (FrameJsonOutputCtx *)output_ctx->data;
495 
496  if (json_output_ctx != NULL) {
497  SCFree(json_output_ctx);
498  }
499  SCFree(output_ctx);
500 }
501 
502 /**
503  * \brief Create a new LogFileCtx for "fast" output style.
504  * \param conf The configuration node for this output.
505  * \return A LogFileCtx pointer on success, NULL on failure.
506  */
507 static OutputInitResult JsonFrameLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
508 {
509  OutputInitResult result = { NULL, false };
510  OutputJsonCtx *ajt = parent_ctx->data;
511  FrameJsonOutputCtx *json_output_ctx = NULL;
512 
513  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
514  if (unlikely(output_ctx == NULL))
515  return result;
516 
517  json_output_ctx = SCCalloc(1, sizeof(FrameJsonOutputCtx));
518  if (unlikely(json_output_ctx == NULL)) {
519  goto error;
520  }
521 
522  uint32_t payload_buffer_size = 4096;
523  if (conf != NULL) {
524  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
525  if (payload_buffer_value != NULL) {
526  uint32_t value;
527  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
528  SCLogError("Error parsing payload-buffer-size \"%s\"", payload_buffer_value);
529  goto error;
530  }
531  payload_buffer_size = value;
532  }
533  }
534 
535  json_output_ctx->file_ctx = ajt->file_ctx;
536  json_output_ctx->eve_ctx = ajt;
537  json_output_ctx->payload_buffer_size = payload_buffer_size;
538 
539  output_ctx->data = json_output_ctx;
540  output_ctx->DeInit = JsonFrameLogDeInitCtxSub;
541 
543 
544  result.ctx = output_ctx;
545  result.ok = true;
546  return result;
547 
548 error:
549  if (json_output_ctx != NULL) {
550  SCFree(json_output_ctx);
551  }
552  if (output_ctx != NULL) {
553  SCFree(output_ctx);
554  }
555 
556  return result;
557 }
558 
560 {
561  OutputRegisterPacketSubModule(LOGGER_JSON_FRAME, "eve-log", MODULE_NAME, "eve-log.frame",
562  JsonFrameLogInitCtxSub, JsonFrameLogger, JsonFrameLogCondition, JsonFrameLogThreadInit,
563  JsonFrameLogThreadDeinit, NULL);
564 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:244
util-byte.h
tm-threads.h
FrameJsonStreamDataCallbackData::frame
const Frame * frame
Definition: output-json-frame.c:128
Packet_::proto
uint8_t proto
Definition: decode.h:504
TcpStream_
Definition: stream-tcp-private.h:106
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:54
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
stream-tcp.h
FLOW_PKT_LAST_PSEUDO
#define FLOW_PKT_LAST_PSEUDO
Definition: flow.h:241
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FrameJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-frame.c:72
JsonFrameLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-frame.c:80
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
FrameJsonOutputCtx
struct FrameJsonOutputCtx_ FrameJsonOutputCtx
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:382
FrameJsonOutputCtx_
Definition: output-json-frame.c:70
Packet_::payload
uint8_t * payload
Definition: decode.h:588
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
threads.h
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:51
OutputJsonCtx_
Definition: output-json.h:81
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:360
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:76
FLOW_TC_APP_UPDATED
#define FLOW_TC_APP_UPDATED
Definition: flow.h:119
LogFileCtx_
Definition: util-logopenfile.h:72
output-json-frame.h
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:967
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:61
Frame::id
int64_t id
Definition: app-layer-frames.h:53
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:134
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
FrameJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-frame.c:71
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
Frames
Definition: app-layer-frames.h:60
FramesContainer
Definition: app-layer-frames.h:73
util-privs.h
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:513
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
Flow_::protoctx
void * protoctx
Definition: flow.h:450
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:589
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:88
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
StreamTcpGetUsable
uint64_t StreamTcpGetUsable(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:425
OutputCtx_
Definition: tm-modules.h:85
app-layer-htp-xff.h
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:292
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
FrameJsonStreamDataCallbackData
Definition: output-json-frame.c:126
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:484
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
util-debug.h
FrameJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-frame.c:74
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:243
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1582
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
MODULE_NAME
#define MODULE_NAME
Definition: output-json-frame.c:68
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
app-layer-dnp3.h
output-json.h
FRAME_FLAG_TX_ID_SET
#define FRAME_FLAG_TX_ID_SET
Definition: app-layer-frames.h:38
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:816
util-print.h
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
FrameJsonStreamDataCallbackData::payload
MemBuffer * payload
Definition: output-json-frame.c:127
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:27
OutputInitResult_::ok
bool ok
Definition: output.h:48
app-layer-parser.h
JsonFrameLogThread_::json_output_ctx
FrameJsonOutputCtx * json_output_ctx
Definition: output-json-frame.c:79
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
FrameJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-frame.c:73
JsonAddrInfo_
Definition: output-json.h:47
Packet_
Definition: decode.h:482
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:173
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
conf.h
JsonFrameLogThread_
Definition: output-json-frame.c:77
Frame::len
int64_t len
Definition: app-layer-frames.h:52
TmEcode
TmEcode
Definition: tm-threads-common.h:83
util-proto-name.h
MemBuffer_
Definition: util-buffer.h:27
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:47
JsonFrameLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-frame.c:78
JsonFrameLogRegister
void JsonFrameLogRegister(void)
Definition: output-json-frame.c:559
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:521
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:37
Frame::type
uint8_t type
Definition: app-layer-frames.h:46
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:91
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:210
detect-metadata.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:81
FLOW_TS_APP_UPDATED
#define FLOW_TS_APP_UPDATED
Definition: flow.h:118
util-classification-config.h
FrameConfigEnableAll
void FrameConfigEnableAll(void)
Definition: app-layer-frames.c:45
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:28
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:173
util-optimize.h
threadvars.h
util-validate.h
FRAME_STREAM_TYPE
#define FRAME_STREAM_TYPE
Definition: app-layer-frames.h:30
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Flow_::flags
uint32_t flags
Definition: flow.h:430
FRAME_FLAG_LOGGED
#define FRAME_FLAG_LOGGED
Definition: app-layer-frames.h:42
detect-parse.h
util-buffer.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb, MemBuffer *buffer)
log a single frame
Definition: output-json-frame.c:253
JsonFrameLogThread
struct JsonFrameLogThread_ JsonFrameLogThread
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
LOGGER_JSON_FRAME
@ LOGGER_JSON_FRAME
Definition: suricata-common.h:492
StreamDataRightEdge
uint64_t StreamDataRightEdge(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:416
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:110
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:125
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:469
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:145
TcpSession_
Definition: stream-tcp-private.h:283
util-misc.h
flow.h
AppLayerParserStateIssetFlag
uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1771
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:459
StreamReassembleLog
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
Definition: stream-tcp-reassemble.c:1918
FrameJsonStreamDataCallbackData::last_re
uint64_t last_re
Definition: output-json-frame.c:129
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:809