suricata
output-json-frame.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs frames in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "detect.h"
29 #include "flow.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "tm-threads.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 
37 #include "util-logopenfile.h"
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "detect-metadata.h"
47 #include "app-layer-parser.h"
48 #include "app-layer-frames.h"
49 #include "app-layer-dnp3.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "stream-tcp.h"
55 
56 #include "output.h"
57 #include "output-json.h"
58 #include "output-json-frame.h"
59 
60 #include "util-byte.h"
61 #include "util-privs.h"
62 #include "util-print.h"
63 #include "util-proto-name.h"
64 #include "util-optimize.h"
65 #include "util-buffer.h"
66 #include "util-validate.h"
67 
68 #define MODULE_NAME "JsonFrameLog"
69 
70 typedef struct FrameJsonOutputCtx_ {
72  uint16_t flags;
76 
77 typedef struct JsonFrameLogThread_ {
82 
83 #if 0 // TODO see if this is useful in some way
84 static inline bool NeedsAsHex(uint8_t c)
85 {
86  if (!isprint(c))
87  return true;
88 
89  switch (c) {
90  case '/':
91  case ';':
92  case ':':
93  case '\\':
94  case ' ':
95  case '|':
96  case '"':
97  case '`':
98  case '\'':
99  return true;
100  }
101  return false;
102 }
103 
104 static void PayloadAsHex(const uint8_t *data, uint32_t data_len, char *str, size_t str_len)
105 {
106  bool hex = false;
107  for (uint32_t i = 0; i < data_len; i++) {
108  if (NeedsAsHex(data[i])) {
109  char hex_str[4];
110  snprintf(hex_str, sizeof(hex_str), "%s%02X", !hex ? "|" : " ", data[i]);
111  strlcat(str, hex_str, str_len);
112  hex = true;
113  } else {
114  char p_str[3];
115  snprintf(p_str, sizeof(p_str), "%s%c", hex ? "|" : "", data[i]);
116  strlcat(str, p_str, str_len);
117  hex = false;
118  }
119  }
120  if (hex) {
121  strlcat(str, "|", str_len);
122  }
123 }
124 #endif
125 
128  const Frame *frame;
129  uint64_t last_re; /**< used to detect gaps */
130 };
131 
132 static int FrameJsonStreamDataCallback(
133  void *cb_data, const uint8_t *input, const uint32_t input_len, const uint64_t input_offset)
134 {
135  struct FrameJsonStreamDataCallbackData *cbd = cb_data;
136  const Frame *frame = cbd->frame;
137 
138  uint32_t write_size = input_len;
139  int done = 0;
140 
141  if (frame->len >= 0) {
142  const uint64_t data_re = input_offset + input_len;
143  const uint64_t frame_re = frame->offset + (uint64_t)frame->len;
144 
145  /* data entirely after frame, we're done */
146  if (input_offset >= frame_re) {
147  return 1;
148  }
149  /* make sure to only log data belonging to the frame */
150  if (data_re >= frame_re) {
151  const uint64_t to_write = frame_re - input_offset;
152  if (to_write < (uint64_t)write_size) {
153  write_size = (uint32_t)to_write;
154  }
155  done = 1;
156  }
157  }
158  if (input_offset > cbd->last_re) {
160  cbd->payload, "[%" PRIu64 " bytes missing]", input_offset - cbd->last_re);
161  }
162 
163  if (write_size > 0) {
164  uint32_t written = MemBufferWriteRaw(cbd->payload, input, write_size);
165  if (written < write_size)
166  done = 1;
167  }
168  cbd->last_re = input_offset + write_size;
169  return done;
170 }
171 
172 /** \internal
173  * \brief try to log frame's stream data into payload/payload_printable
174  */
175 static void FrameAddPayloadTCP(Flow *f, const TcpSession *ssn, const TcpStream *stream,
176  const Frame *frame, JsonBuilder *jb, MemBuffer *buffer)
177 {
178  MemBufferReset(buffer);
179 
180  /* consider all data, ACK'd and non-ACK'd */
181  const uint64_t stream_data_re = StreamDataRightEdge(stream, true);
182  bool complete = false;
183  if (frame->len >= 0 && frame->offset + (uint64_t)frame->len <= stream_data_re) {
184  complete = true;
185  }
186 
187  struct FrameJsonStreamDataCallbackData cbd = {
188  .payload = buffer, .frame = frame, .last_re = frame->offset
189  };
190  uint64_t unused = 0;
192  ssn, stream, FrameJsonStreamDataCallback, &cbd, frame->offset, &unused, false);
193  /* if we have all data, but didn't log until the end of the frame, we have a gap at the
194  * end of the frame
195  * TODO what about not logging due to buffer full? */
196  if (complete && frame->len >= 0 && cbd.last_re < frame->offset + (uint64_t)frame->len) {
197  MemBufferWriteString(cbd.payload, "[%" PRIu64 " bytes missing]",
198  (frame->offset + (uint64_t)frame->len) - cbd.last_re);
199  }
200 
201  if (cbd.payload->offset) {
202  jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
203  uint8_t printable_buf[cbd.payload->offset + 1];
204  uint32_t offset = 0;
205  PrintStringsToBuffer(printable_buf, &offset, cbd.payload->offset + 1, cbd.payload->buffer,
206  cbd.payload->offset);
207  jb_set_string(jb, "payload_printable", (char *)printable_buf);
208  jb_set_bool(jb, "complete", complete);
209  }
210 }
211 
212 static void FrameAddPayloadUDP(JsonBuilder *js, const Packet *p, const Frame *frame)
213 {
215  if (frame->offset >= p->payload_len)
216  return;
217 
218  uint32_t frame_len;
219  if (frame->len == -1) {
220  frame_len = (uint32_t)(p->payload_len - frame->offset);
221  } else {
222  frame_len = (uint32_t)frame->len;
223  }
224  if (frame->offset + frame_len > p->payload_len) {
225  frame_len = (uint32_t)(p->payload_len - frame->offset);
226  JB_SET_FALSE(js, "complete");
227  } else {
228  JB_SET_TRUE(js, "complete");
229  }
230  const uint8_t *data = p->payload + frame->offset;
231  const uint32_t data_len = frame_len;
232 
233  const uint32_t log_data_len = MIN(data_len, 256);
234  jb_set_base64(js, "payload", data, log_data_len);
235 
236  uint8_t printable_buf[log_data_len + 1];
237  uint32_t o = 0;
238  PrintStringsToBuffer(printable_buf, &o, log_data_len + 1, data, log_data_len);
239  printable_buf[log_data_len] = '\0';
240  jb_set_string(js, "payload_printable", (char *)printable_buf);
241 #if 0
242  char pretty_buf[data_len * 4 + 1];
243  pretty_buf[0] = '\0';
244  PayloadAsHex(data, data_len, pretty_buf, data_len * 4 + 1);
245  jb_set_string(js, "payload_hex", pretty_buf);
246 #endif
247 }
248 
249 // TODO separate between stream_offset and frame_offset
250 /** \brief log a single frame
251  * \note ipproto argument is passed to assist static code analyzers
252  */
253 void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f,
254  const TcpStream *stream, const Packet *p, JsonBuilder *jb, MemBuffer *buffer)
255 {
256  DEBUG_VALIDATE_BUG_ON(ipproto != p->proto);
257  DEBUG_VALIDATE_BUG_ON(ipproto != f->proto);
258 
259  jb_open_object(jb, "frame");
260  if (frame->type == FRAME_STREAM_TYPE) {
261  jb_set_string(jb, "type", "stream");
262  } else {
263  jb_set_string(jb, "type", AppLayerParserGetFrameNameById(ipproto, f->alproto, frame->type));
264  }
265  jb_set_uint(jb, "id", frame->id);
266  jb_set_string(jb, "direction", PKT_IS_TOSERVER(p) ? "toserver" : "toclient");
267 
268  if (ipproto == IPPROTO_TCP) {
269  DEBUG_VALIDATE_BUG_ON(stream == NULL);
270  jb_set_uint(jb, "stream_offset", frame->offset);
271 
272  if (frame->len < 0) {
273  uint64_t usable = StreamTcpGetUsable(stream, true);
274  uint64_t len = usable - frame->offset;
275  jb_set_uint(jb, "length", len);
276  } else {
277  jb_set_uint(jb, "length", frame->len);
278  }
279  FrameAddPayloadTCP(f, f->protoctx, stream, frame, jb, buffer);
280  } else {
281  jb_set_uint(jb, "length", frame->len);
282  FrameAddPayloadUDP(jb, p, frame);
283  }
285  jb_set_uint(jb, "tx_id", frame->tx_id);
286  }
287  jb_close(jb);
288 }
289 
290 static int FrameJsonUdp(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p, Flow *f,
291  FramesContainer *frames_container)
292 {
293  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
294 
295  Frames *frames;
296  if (PKT_IS_TOSERVER(p)) {
297  frames = &frames_container->toserver;
298  } else {
299  frames = &frames_container->toclient;
300  }
301 
302  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
303  Frame *frame = FrameGetByIndex(frames, idx);
304  if (frame == NULL || frame->flags & FRAME_FLAG_LOGGED)
305  continue;
306 
307  /* First initialize the address info (5-tuple). */
309  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
310 
311  JsonBuilder *jb =
312  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
313  if (unlikely(jb == NULL))
314  return TM_ECODE_OK;
315 
316  jb_set_string(jb, "app_proto", AppProtoToString(f->alproto));
317  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, aft->payload_buffer);
318  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
319  jb_free(jb);
321  }
322  return TM_ECODE_OK;
323 }
324 
325 static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
326 {
327  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
328 
329  BUG_ON(p->flow == NULL);
330 
331  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
332  if (frames_container == NULL)
333  return TM_ECODE_OK;
334 
335  if (p->proto == IPPROTO_UDP) {
336  return FrameJsonUdp(tv, aft, p, p->flow, frames_container);
337  }
338 
339  BUG_ON(p->proto != IPPROTO_TCP);
340  BUG_ON(p->flow->protoctx == NULL);
341 
342  /* TODO can we set these EOF flags once per packet? We have them in detect, tx, file, filedata,
343  * etc */
344  const bool last_pseudo = (p->flowflags & FLOW_PKT_LAST_PSEUDO) != 0;
345  Frames *frames;
346  TcpSession *ssn = p->flow->protoctx;
347  bool eof = (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
348  TcpStream *stream;
349  if (PKT_IS_TOSERVER(p)) {
350  stream = &ssn->client;
351  frames = &frames_container->toserver;
352  SCLogDebug("TOSERVER base %" PRIu64 ", app %" PRIu64, STREAM_BASE_OFFSET(stream),
353  STREAM_APP_PROGRESS(stream));
355  } else {
356  stream = &ssn->server;
357  frames = &frames_container->toclient;
359  }
360  eof |= last_pseudo;
361  SCLogDebug("eof %s", eof ? "true" : "false");
362 
363  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
364  Frame *frame = FrameGetByIndex(frames, idx);
365  if (frame != NULL) {
367  continue;
368 
369  int64_t abs_offset = (int64_t)frame->offset + (int64_t)STREAM_BASE_OFFSET(stream);
370  int64_t win = STREAM_APP_PROGRESS(stream) - abs_offset;
371 
372  /* skip frame if threshold not yet reached, esp if frame length is
373  * still unknown. */
374  if (!eof && ((frame->len == -1) || (win < frame->len)) && win < 2500) {
375  SCLogDebug("frame id %" PRIi64 " len %" PRIi64 ", win %" PRIi64
376  ", skipping logging",
377  frame->id, frame->len, win);
378  continue;
379  }
380 
381  /* First initialize the address info (5-tuple). */
383  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
384 
385  JsonBuilder *jb =
386  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
387  if (unlikely(jb == NULL))
388  return TM_ECODE_OK;
389 
390  jb_set_string(jb, "app_proto", AppProtoToString(p->flow->alproto));
391  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, aft->payload_buffer);
392  OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
393  jb_free(jb);
395  }
396  }
397  return TM_ECODE_OK;
398 }
399 
400 static int JsonFrameLogger(ThreadVars *tv, void *thread_data, const Packet *p)
401 {
402  JsonFrameLogThread *aft = thread_data;
403  return FrameJson(tv, aft, p);
404 }
405 
406 static bool JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
407 {
408  if (p->flow == NULL || p->flow->alproto == ALPROTO_UNKNOWN)
409  return false;
410 
411  if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
412  if (p->proto == IPPROTO_TCP) {
413  if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TS_APP_UPDATED)) &&
414  PKT_IS_TOSERVER(p)) {
415  // fallthrough
416  } else if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TC_APP_UPDATED)) &&
417  PKT_IS_TOCLIENT(p)) {
418  // fallthrough
419  } else {
420  return false;
421  }
422  }
423 
424  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
425  if (frames_container == NULL)
426  return false;
427 
428  Frames *frames;
429  if (PKT_IS_TOSERVER(p)) {
430  frames = &frames_container->toserver;
431  } else {
432  frames = &frames_container->toclient;
433  }
434  return (frames->cnt != 0);
435  }
436  return false;
437 }
438 
439 static TmEcode JsonFrameLogThreadInit(ThreadVars *t, const void *initdata, void **data)
440 {
442  if (unlikely(aft == NULL))
443  return TM_ECODE_FAILED;
444 
445  if (initdata == NULL) {
446  SCLogDebug("Error getting context for EveLogFrame. \"initdata\" argument NULL");
447  goto error_exit;
448  }
449 
450  /** Use the Output Context (file pointer and mutex) */
451  FrameJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
452 
453  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
454  if (aft->payload_buffer == NULL) {
455  goto error_exit;
456  }
457  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
458  if (!aft->ctx) {
459  goto error_exit;
460  }
461 
462  aft->json_output_ctx = json_output_ctx;
463 
464  *data = (void *)aft;
465  return TM_ECODE_OK;
466 
467 error_exit:
468  if (aft->payload_buffer != NULL) {
470  }
471  SCFree(aft);
472  return TM_ECODE_FAILED;
473 }
474 
475 static TmEcode JsonFrameLogThreadDeinit(ThreadVars *t, void *data)
476 {
477  JsonFrameLogThread *aft = (JsonFrameLogThread *)data;
478  if (aft == NULL) {
479  return TM_ECODE_OK;
480  }
481 
483  FreeEveThreadCtx(aft->ctx);
484 
485  /* clear memory */
486  memset(aft, 0, sizeof(JsonFrameLogThread));
487 
488  SCFree(aft);
489  return TM_ECODE_OK;
490 }
491 
492 static void JsonFrameLogDeInitCtxSub(OutputCtx *output_ctx)
493 {
494  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
495 
496  FrameJsonOutputCtx *json_output_ctx = (FrameJsonOutputCtx *)output_ctx->data;
497 
498  if (json_output_ctx != NULL) {
499  SCFree(json_output_ctx);
500  }
501  SCFree(output_ctx);
502 }
503 
504 /**
505  * \brief Create a new LogFileCtx for "fast" output style.
506  * \param conf The configuration node for this output.
507  * \return A LogFileCtx pointer on success, NULL on failure.
508  */
509 static OutputInitResult JsonFrameLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
510 {
511  OutputInitResult result = { NULL, false };
512  OutputJsonCtx *ajt = parent_ctx->data;
513  FrameJsonOutputCtx *json_output_ctx = NULL;
514 
515  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
516  if (unlikely(output_ctx == NULL))
517  return result;
518 
519  json_output_ctx = SCCalloc(1, sizeof(FrameJsonOutputCtx));
520  if (unlikely(json_output_ctx == NULL)) {
521  goto error;
522  }
523 
524  uint32_t payload_buffer_size = 4096;
525  if (conf != NULL) {
526  const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
527  if (payload_buffer_value != NULL) {
528  uint32_t value;
529  if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
530  SCLogError("Error parsing payload-buffer-size \"%s\"", payload_buffer_value);
531  goto error;
532  }
533  payload_buffer_size = value;
534  }
535  }
536 
537  json_output_ctx->file_ctx = ajt->file_ctx;
538  json_output_ctx->eve_ctx = ajt;
539  json_output_ctx->payload_buffer_size = payload_buffer_size;
540 
541  output_ctx->data = json_output_ctx;
542  output_ctx->DeInit = JsonFrameLogDeInitCtxSub;
543 
545 
546  result.ctx = output_ctx;
547  result.ok = true;
548  return result;
549 
550 error:
551  if (json_output_ctx != NULL) {
552  SCFree(json_output_ctx);
553  }
554  if (output_ctx != NULL) {
555  SCFree(output_ctx);
556  }
557 
558  return result;
559 }
560 
562 {
563  OutputRegisterPacketSubModule(LOGGER_JSON_FRAME, "eve-log", MODULE_NAME, "eve-log.frame",
564  JsonFrameLogInitCtxSub, JsonFrameLogger, JsonFrameLogCondition, JsonFrameLogThreadInit,
565  JsonFrameLogThreadDeinit);
566 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:235
util-byte.h
tm-threads.h
FrameJsonStreamDataCallbackData::frame
const Frame * frame
Definition: output-json-frame.c:128
Packet_::proto
uint8_t proto
Definition: decode.h:498
TcpStream_
Definition: stream-tcp-private.h:106
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:52
MemBuffer_::buffer
uint8_t buffer[]
Definition: util-buffer.h:30
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1321
stream-tcp.h
FLOW_PKT_LAST_PSEUDO
#define FLOW_PKT_LAST_PSEUDO
Definition: flow.h:241
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Register a packet output sub-module.
Definition: output.c:206
FrameJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-frame.c:72
JsonFrameLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-frame.c:80
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
FrameJsonOutputCtx
struct FrameJsonOutputCtx_ FrameJsonOutputCtx
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:378
FrameJsonOutputCtx_
Definition: output-json-frame.c:70
Packet_::payload
uint8_t * payload
Definition: decode.h:574
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:72
threads.h
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:49
OutputJsonCtx_
Definition: output-json.h:81
Frame
Definition: app-layer-frames.h:43
Flow_
Flow data structure.
Definition: flow.h:356
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:75
FLOW_TC_APP_UPDATED
#define FLOW_TC_APP_UPDATED
Definition: flow.h:119
LogFileCtx_
Definition: util-logopenfile.h:72
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:958
output-json-frame.h
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:59
Frame::id
int64_t id
Definition: app-layer-frames.h:51
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:134
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
FrameJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-frame.c:71
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
Frames
Definition: app-layer-frames.h:58
FramesContainer
Definition: app-layer-frames.h:71
util-privs.h
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
Flow_::protoctx
void * protoctx
Definition: flow.h:446
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
util-unittest.h
MemBuffer_::offset
uint32_t offset
Definition: util-buffer.h:29
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:194
StreamTcpGetUsable
uint64_t StreamTcpGetUsable(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:427
OutputCtx_
Definition: tm-modules.h:84
app-layer-htp-xff.h
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
FrameJsonStreamDataCallbackData
Definition: output-json-frame.c:126
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:480
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:73
util-debug.h
FrameJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-frame.c:74
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:234
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1588
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
MODULE_NAME
#define MODULE_NAME
Definition: output-json-frame.c:68
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
app-layer-dnp3.h
output-json.h
FRAME_FLAG_TX_ID_SET
#define FRAME_FLAG_TX_ID_SET
Definition: app-layer-frames.h:36
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:806
util-print.h
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
FrameJsonStreamDataCallbackData::payload
MemBuffer * payload
Definition: output-json-frame.c:127
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:27
OutputInitResult_::ok
bool ok
Definition: output.h:48
app-layer-parser.h
JsonFrameLogThread_::json_output_ctx
FrameJsonOutputCtx * json_output_ctx
Definition: output-json-frame.c:79
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
FrameJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-frame.c:73
JsonAddrInfo_
Definition: output-json.h:47
Packet_
Definition: decode.h:476
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:173
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
conf.h
JsonFrameLogThread_
Definition: output-json-frame.c:77
Frame::len
int64_t len
Definition: app-layer-frames.h:50
TmEcode
TmEcode
Definition: tm-threads-common.h:79
util-proto-name.h
MemBuffer_
Definition: util-buffer.h:27
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:45
JsonFrameLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-frame.c:78
JsonFrameLogRegister
void JsonFrameLogRegister(void)
Definition: output-json-frame.c:561
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:37
Frame::type
uint8_t type
Definition: app-layer-frames.h:44
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
detect-metadata.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:86
FLOW_TS_APP_UPDATED
#define FLOW_TS_APP_UPDATED
Definition: flow.h:118
util-classification-config.h
FrameConfigEnableAll
void FrameConfigEnableAll(void)
Definition: app-layer-frames.c:45
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:28
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:173
util-optimize.h
threadvars.h
util-validate.h
FRAME_STREAM_TYPE
#define FRAME_STREAM_TYPE
Definition: app-layer-frames.h:30
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
Flow_::flags
uint32_t flags
Definition: flow.h:426
FRAME_FLAG_LOGGED
#define FRAME_FLAG_LOGGED
Definition: app-layer-frames.h:40
detect-parse.h
util-buffer.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb, MemBuffer *buffer)
log a single frame
Definition: output-json-frame.c:253
JsonFrameLogThread
struct JsonFrameLogThread_ JsonFrameLogThread
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
LOGGER_JSON_FRAME
@ LOGGER_JSON_FRAME
Definition: suricata-common.h:492
StreamDataRightEdge
uint64_t StreamDataRightEdge(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:418
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
MemBufferWriteString
void MemBufferWriteString(MemBuffer *dst, const char *fmt,...)
Definition: util-buffer.c:130
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:459
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:145
TcpSession_
Definition: stream-tcp-private.h:283
util-misc.h
flow.h
AppLayerParserStateIssetFlag
uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1767
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
StreamReassembleLog
int StreamReassembleLog(const TcpSession *ssn, const TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t progress_in, uint64_t *progress_out, const bool eof)
Definition: stream-tcp-reassemble.c:1969
FrameJsonStreamDataCallbackData::last_re
uint64_t last_re
Definition: output-json-frame.c:129
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:809