suricata
output-json-frame.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs frames in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "detect.h"
29 #include "flow.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "tm-threads.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 
37 #include "util-logopenfile.h"
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "detect-metadata.h"
47 #include "app-layer-parser.h"
48 #include "app-layer-frames.h"
49 #include "app-layer-dnp3.h"
50 #include "app-layer-htp.h"
51 #include "app-layer-htp-xff.h"
52 #include "app-layer-ftp.h"
54 #include "stream-tcp.h"
55 
56 #include "output.h"
57 #include "output-json.h"
58 #include "output-json-frame.h"
59 
60 #include "util-byte.h"
61 #include "util-privs.h"
62 #include "util-print.h"
63 #include "util-proto-name.h"
64 #include "util-optimize.h"
65 #include "util-buffer.h"
66 #include "util-validate.h"
67 
68 #define MODULE_NAME "JsonFrameLog"
69 
70 #define JSON_STREAM_BUFFER_SIZE 4096
71 
72 typedef struct FrameJsonOutputCtx_ {
74  uint16_t flags;
78 
79 typedef struct JsonFrameLogThread_ {
84 
85 #if 0 // TODO see if this is useful in some way
86 static inline bool NeedsAsHex(uint8_t c)
87 {
88  if (!isprint(c))
89  return true;
90 
91  switch (c) {
92  case '/':
93  case ';':
94  case ':':
95  case '\\':
96  case ' ':
97  case '|':
98  case '"':
99  case '`':
100  case '\'':
101  return true;
102  }
103  return false;
104 }
105 
106 static void PayloadAsHex(const uint8_t *data, uint32_t data_len, char *str, size_t str_len)
107 {
108  bool hex = false;
109  for (uint32_t i = 0; i < data_len; i++) {
110  if (NeedsAsHex(data[i])) {
111  char hex_str[4];
112  snprintf(hex_str, sizeof(hex_str), "%s%02X", !hex ? "|" : " ", data[i]);
113  strlcat(str, hex_str, str_len);
114  hex = true;
115  } else {
116  char p_str[3];
117  snprintf(p_str, sizeof(p_str), "%s%c", hex ? "|" : "", data[i]);
118  strlcat(str, p_str, str_len);
119  hex = false;
120  }
121  }
122  if (hex) {
123  strlcat(str, "|", str_len);
124  }
125 }
126 #endif
127 
128 static void FrameAddPayloadTCP(JsonBuilder *js, const TcpStream *stream, const Frame *frame)
129 {
130  uint32_t sb_data_len = 0;
131  const uint8_t *data = NULL;
132  uint64_t data_offset = 0;
133 
134  // TODO consider ACK'd
135 
136  if (frame->offset < STREAM_BASE_OFFSET(stream)) {
137  if (StreamingBufferGetData(&stream->sb, &data, &sb_data_len, &data_offset) == 0) {
138  SCLogDebug("NO DATA1");
139  return;
140  }
141  } else {
142  data_offset = (uint64_t)frame->offset;
143  SCLogDebug("data_offset %" PRIu64, data_offset);
145  &stream->sb, &data, &sb_data_len, (uint64_t)data_offset) == 0) {
146  SCLogDebug("NO DATA1");
147  return;
148  }
149  }
150  if (data == NULL || sb_data_len == 0) {
151  SCLogDebug("NO DATA2");
152  return;
153  }
154 
155  if (frame->len >= 0) {
156  sb_data_len = MIN(frame->len, (int32_t)sb_data_len);
157  }
158  SCLogDebug("frame data_offset %" PRIu64 ", data_len %u frame len %" PRIi64, data_offset,
159  sb_data_len, frame->len);
160 
161  bool complete = false;
162  if (frame->len > 0) {
163  const uint64_t frame_re = frame->offset + (uint64_t)frame->len;
164  const uint64_t data_re = data_offset + sb_data_len;
165  complete = frame_re <= data_re;
166  }
167  jb_set_bool(js, "complete", complete);
168 
169  uint32_t data_len = MIN(sb_data_len, 256);
170  jb_set_base64(js, "payload", data, data_len);
171 
172  uint8_t printable_buf[data_len + 1];
173  uint32_t o = 0;
174  PrintStringsToBuffer(printable_buf, &o, data_len + 1, data, data_len);
175  printable_buf[data_len] = '\0';
176  jb_set_string(js, "payload_printable", (char *)printable_buf);
177 #if 0
178  char pretty_buf[data_len * 4 + 1];
179  pretty_buf[0] = '\0';
180  PayloadAsHex(data, data_len, pretty_buf, data_len * 4 + 1);
181  jb_set_string(js, "payload_hex", pretty_buf);
182 #endif
183 }
184 
185 static void FrameAddPayloadUDP(JsonBuilder *js, const Packet *p, const Frame *frame)
186 {
188  if (frame->offset >= p->payload_len)
189  return;
190 
191  uint32_t frame_len;
192  if (frame->len == -1) {
193  frame_len = p->payload_len - frame->offset;
194  } else {
195  frame_len = (uint32_t)frame->len;
196  }
197  if (frame->offset + frame_len > p->payload_len) {
198  frame_len = p->payload_len - frame->offset;
199  JB_SET_FALSE(js, "complete");
200  } else {
201  JB_SET_TRUE(js, "complete");
202  }
203  const uint8_t *data = p->payload + frame->offset;
204  const uint32_t data_len = frame_len;
205 
206  const uint32_t log_data_len = MIN(data_len, 256);
207  jb_set_base64(js, "payload", data, log_data_len);
208 
209  uint8_t printable_buf[log_data_len + 1];
210  uint32_t o = 0;
211  PrintStringsToBuffer(printable_buf, &o, log_data_len + 1, data, log_data_len);
212  printable_buf[log_data_len] = '\0';
213  jb_set_string(js, "payload_printable", (char *)printable_buf);
214 #if 0
215  char pretty_buf[data_len * 4 + 1];
216  pretty_buf[0] = '\0';
217  PayloadAsHex(data, data_len, pretty_buf, data_len * 4 + 1);
218  jb_set_string(js, "payload_hex", pretty_buf);
219 #endif
220 }
221 
222 // TODO separate between stream_offset and frame_offset
223 /** \brief log a single frame
224  * \note ipproto argument is passed to assist static code analyzers
225  */
226 void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, const Flow *f,
227  const TcpStream *stream, const Packet *p, JsonBuilder *jb)
228 {
229  DEBUG_VALIDATE_BUG_ON(ipproto != p->proto);
230  DEBUG_VALIDATE_BUG_ON(ipproto != f->proto);
231 
232  jb_open_object(jb, "frame");
233  if (frame->type == FRAME_STREAM_TYPE) {
234  jb_set_string(jb, "type", "stream");
235  } else {
236  jb_set_string(jb, "type", AppLayerParserGetFrameNameById(ipproto, f->alproto, frame->type));
237  }
238  jb_set_uint(jb, "id", frame->id);
239  jb_set_string(jb, "direction", PKT_IS_TOSERVER(p) ? "toserver" : "toclient");
240 
241  if (ipproto == IPPROTO_TCP) {
242  DEBUG_VALIDATE_BUG_ON(stream == NULL);
243  jb_set_uint(jb, "stream_offset", frame->offset);
244 
245  if (frame->len < 0) {
246  uint64_t usable = StreamTcpGetUsable(stream, true);
247  uint64_t len = usable - frame->offset;
248  jb_set_uint(jb, "length", len);
249  } else {
250  jb_set_uint(jb, "length", frame->len);
251  }
252  FrameAddPayloadTCP(jb, stream, frame);
253  } else {
254  jb_set_uint(jb, "length", frame->len);
255  FrameAddPayloadUDP(jb, p, frame);
256  }
257  if (frame->flags & FRAME_FLAG_TX_ID_SET) {
258  jb_set_uint(jb, "tx_id", frame->tx_id);
259  }
260  jb_close(jb);
261 }
262 
263 static int FrameJsonUdp(
264  JsonFrameLogThread *aft, const Packet *p, Flow *f, FramesContainer *frames_container)
265 {
266  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
267 
268  Frames *frames;
269  if (PKT_IS_TOSERVER(p)) {
270  frames = &frames_container->toserver;
271  } else {
272  frames = &frames_container->toclient;
273  }
274 
275  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
276  Frame *frame = FrameGetByIndex(frames, idx);
277  if (frame == NULL || frame->flags & FRAME_FLAG_LOGGED)
278  continue;
279 
280  /* First initialize the address info (5-tuple). */
282  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
283 
284  JsonBuilder *jb =
285  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
286  if (unlikely(jb == NULL))
287  return TM_ECODE_OK;
288 
289  jb_set_string(jb, "app_proto", AppProtoToString(f->alproto));
290  FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb);
291  OutputJsonBuilderBuffer(jb, aft->ctx);
292  jb_free(jb);
293  frame->flags |= FRAME_FLAG_LOGGED;
294  }
295  return TM_ECODE_OK;
296 }
297 
298 static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
299 {
300  FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
301 
302  BUG_ON(p->flow == NULL);
303 
304  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
305  if (frames_container == NULL)
306  return TM_ECODE_OK;
307 
308  if (p->proto == IPPROTO_UDP) {
309  return FrameJsonUdp(aft, p, p->flow, frames_container);
310  }
311 
312  BUG_ON(p->proto != IPPROTO_TCP);
313  BUG_ON(p->flow->protoctx == NULL);
314 
315  /* TODO can we set these EOF flags once per packet? We have them in detect, tx, file, filedata,
316  * etc */
317  const bool last_pseudo = (p->flowflags & FLOW_PKT_LAST_PSEUDO) != 0;
318  Frames *frames;
319  TcpSession *ssn = p->flow->protoctx;
320  bool eof = (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
321  TcpStream *stream;
322  if (PKT_IS_TOSERVER(p)) {
323  stream = &ssn->client;
324  frames = &frames_container->toserver;
325  SCLogDebug("TOSERVER base %" PRIu64 ", app %" PRIu64, STREAM_BASE_OFFSET(stream),
326  STREAM_APP_PROGRESS(stream));
328  } else {
329  stream = &ssn->server;
330  frames = &frames_container->toclient;
332  }
333  eof |= last_pseudo;
334  SCLogDebug("eof %s", eof ? "true" : "false");
335 
336  for (uint32_t idx = 0; idx < frames->cnt; idx++) {
337  Frame *frame = FrameGetByIndex(frames, idx);
338  if (frame != NULL) {
339  if (frame->flags & FRAME_FLAG_LOGGED)
340  continue;
341 
342  int64_t abs_offset = (int64_t)frame->offset + (int64_t)STREAM_BASE_OFFSET(stream);
343  int64_t win = STREAM_APP_PROGRESS(stream) - abs_offset;
344 
345  if (!eof && win < frame->len && win < 2500) {
346  SCLogDebug("frame id %" PRIi64 " len %" PRIi64 ", win %" PRIi64
347  ", skipping logging",
348  frame->id, frame->len, win);
349  continue;
350  }
351 
352  /* First initialize the address info (5-tuple). */
354  JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
355 
356  JsonBuilder *jb =
357  CreateEveHeader(p, LOG_DIR_PACKET, "frame", &addr, json_output_ctx->eve_ctx);
358  if (unlikely(jb == NULL))
359  return TM_ECODE_OK;
360 
361  jb_set_string(jb, "app_proto", AppProtoToString(p->flow->alproto));
362  FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb);
363  OutputJsonBuilderBuffer(jb, aft->ctx);
364  jb_free(jb);
365  frame->flags |= FRAME_FLAG_LOGGED;
366  } else if (frame != NULL) {
367  SCLogDebug("frame %p id %" PRIi64, frame, frame->id);
368  }
369  }
370  return TM_ECODE_OK;
371 }
372 
373 static int JsonFrameLogger(ThreadVars *tv, void *thread_data, const Packet *p)
374 {
375  JsonFrameLogThread *aft = thread_data;
376  return FrameJson(tv, aft, p);
377 }
378 
379 static int JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
380 {
381  if (p->flow == NULL || p->flow->alproto == ALPROTO_UNKNOWN)
382  return FALSE;
383 
384  if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
385  FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
386  if (frames_container == NULL)
387  return FALSE;
388 
389  Frames *frames;
390  if (PKT_IS_TOSERVER(p)) {
391  frames = &frames_container->toserver;
392  } else {
393  frames = &frames_container->toclient;
394  }
395  return (frames->cnt != 0);
396  }
397  return FALSE;
398 }
399 
400 static TmEcode JsonFrameLogThreadInit(ThreadVars *t, const void *initdata, void **data)
401 {
403  if (unlikely(aft == NULL))
404  return TM_ECODE_FAILED;
405 
406  if (initdata == NULL) {
407  SCLogDebug("Error getting context for EveLogFrame. \"initdata\" argument NULL");
408  goto error_exit;
409  }
410 
411  /** Use the Output Context (file pointer and mutex) */
412  FrameJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
413 
414  aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
415  if (aft->payload_buffer == NULL) {
416  goto error_exit;
417  }
418  aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
419  if (!aft->ctx) {
420  goto error_exit;
421  }
422 
423  aft->json_output_ctx = json_output_ctx;
424 
425  *data = (void *)aft;
426  return TM_ECODE_OK;
427 
428 error_exit:
429  if (aft->payload_buffer != NULL) {
431  }
432  SCFree(aft);
433  return TM_ECODE_FAILED;
434 }
435 
436 static TmEcode JsonFrameLogThreadDeinit(ThreadVars *t, void *data)
437 {
438  JsonFrameLogThread *aft = (JsonFrameLogThread *)data;
439  if (aft == NULL) {
440  return TM_ECODE_OK;
441  }
442 
444  FreeEveThreadCtx(aft->ctx);
445 
446  /* clear memory */
447  memset(aft, 0, sizeof(JsonFrameLogThread));
448 
449  SCFree(aft);
450  return TM_ECODE_OK;
451 }
452 
453 static void JsonFrameLogDeInitCtxSub(OutputCtx *output_ctx)
454 {
455  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
456 
457  FrameJsonOutputCtx *json_output_ctx = (FrameJsonOutputCtx *)output_ctx->data;
458 
459  if (json_output_ctx != NULL) {
460  SCFree(json_output_ctx);
461  }
462  SCFree(output_ctx);
463 }
464 
465 /**
466  * \brief Create a new LogFileCtx for "fast" output style.
467  * \param conf The configuration node for this output.
468  * \return A LogFileCtx pointer on success, NULL on failure.
469  */
470 static OutputInitResult JsonFrameLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
471 {
472  OutputInitResult result = { NULL, false };
473  OutputJsonCtx *ajt = parent_ctx->data;
474  FrameJsonOutputCtx *json_output_ctx = NULL;
475 
476  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
477  if (unlikely(output_ctx == NULL))
478  return result;
479 
480  json_output_ctx = SCMalloc(sizeof(FrameJsonOutputCtx));
481  if (unlikely(json_output_ctx == NULL)) {
482  goto error;
483  }
484  memset(json_output_ctx, 0, sizeof(FrameJsonOutputCtx));
485 
486  json_output_ctx->file_ctx = ajt->file_ctx;
487  json_output_ctx->eve_ctx = ajt;
488 
489  output_ctx->data = json_output_ctx;
490  output_ctx->DeInit = JsonFrameLogDeInitCtxSub;
491 
493 
494  result.ctx = output_ctx;
495  result.ok = true;
496  return result;
497 
498 error:
499  if (json_output_ctx != NULL) {
500  SCFree(json_output_ctx);
501  }
502  if (output_ctx != NULL) {
503  SCFree(output_ctx);
504  }
505 
506  return result;
507 }
508 
510 {
511  OutputRegisterPacketSubModule(LOGGER_JSON_FRAME, "eve-log", MODULE_NAME, "eve-log.frame",
512  JsonFrameLogInitCtxSub, JsonFrameLogger, JsonFrameLogCondition, JsonFrameLogThreadInit,
513  JsonFrameLogThreadDeinit, NULL);
514 }
util-byte.h
tm-threads.h
FrameJsonLogOneFrame
void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, const Flow *f, const TcpStream *stream, const Packet *p, JsonBuilder *jb)
log a single frame
Definition: output-json-frame.c:226
Packet_::proto
uint8_t proto
Definition: decode.h:451
TcpStream_
Definition: stream-tcp-private.h:106
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:54
stream-tcp.h
FLOW_PKT_LAST_PSEUDO
#define FLOW_PKT_LAST_PSEUDO
Definition: flow.h:227
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FrameJsonOutputCtx_::flags
uint16_t flags
Definition: output-json-frame.c:74
JsonFrameLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition: output-json-frame.c:82
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
FrameJsonOutputCtx
struct FrameJsonOutputCtx_ FrameJsonOutputCtx
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
Flow_::proto
uint8_t proto
Definition: flow.h:365
FrameJsonOutputCtx_
Definition: output-json-frame.c:72
Packet_::payload
uint8_t * payload
Definition: decode.h:574
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:74
threads.h
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:51
OutputJsonCtx_
Definition: output-json.h:81
Frame
Definition: app-layer-frames.h:45
Flow_
Flow data structure.
Definition: flow.h:343
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:74
LogFileCtx_
Definition: util-logopenfile.h:72
output-json-frame.h
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:934
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:61
Frame::id
int64_t id
Definition: app-layer-frames.h:53
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:106
StreamingBufferGetData
int StreamingBufferGetData(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t *stream_offset)
Definition: util-streaming-buffer.c:1603
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
FrameJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-frame.c:73
MIN
#define MIN(x, y)
Definition: suricata-common.h:386
Frames
Definition: app-layer-frames.h:60
FramesContainer
Definition: app-layer-frames.h:73
util-privs.h
StreamingBufferGetDataAtOffset
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
Definition: util-streaming-buffer.c:1620
app-layer-ftp.h
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:460
APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition: app-layer-parser.h:39
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
Flow_::protoctx
void * protoctx
Definition: flow.h:433
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
util-unittest.h
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:230
StreamTcpGetUsable
uint64_t StreamTcpGetUsable(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:424
OutputCtx_
Definition: tm-modules.h:84
app-layer-htp-xff.h
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:292
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:467
app-layer-htp.h
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:75
util-debug.h
FrameJsonOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition: output-json-frame.c:76
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:252
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1625
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
MODULE_NAME
#define MODULE_NAME
Definition: output-json-frame.c:68
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
app-layer-dnp3.h
output-json.h
FRAME_FLAG_TX_ID_SET
#define FRAME_FLAG_TX_ID_SET
Definition: app-layer-frames.h:38
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:796
util-print.h
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:39
OutputInitResult_::ok
bool ok
Definition: output.h:48
app-layer-parser.h
JsonFrameLogThread_::json_output_ctx
FrameJsonOutputCtx * json_output_ctx
Definition: output-json-frame.c:81
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:295
FrameJsonOutputCtx_::payload_buffer_size
uint32_t payload_buffer_size
Definition: output-json-frame.c:75
FALSE
#define FALSE
Definition: suricata-common.h:34
JsonAddrInfo_
Definition: output-json.h:49
Packet_
Definition: decode.h:429
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:183
APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition: app-layer-parser.h:40
conf.h
JsonFrameLogThread_
Definition: output-json-frame.c:79
Frame::len
int64_t len
Definition: app-layer-frames.h:52
TmEcode
TmEcode
Definition: tm-threads-common.h:83
util-proto-name.h
MemBuffer_
Definition: util-buffer.h:27
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:47
JsonFrameLogThread_::payload_buffer
MemBuffer * payload_buffer
Definition: output-json-frame.c:80
JsonFrameLogRegister
void JsonFrameLogRegister(void)
Definition: output-json-frame.c:509
OutputInitResult_
Definition: output.h:46
app-layer-frames.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:466
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
Frame::type
uint8_t type
Definition: app-layer-frames.h:46
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:216
detect-metadata.h
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:87
TcpStream_::sb
StreamingBuffer sb
Definition: stream-tcp-private.h:135
util-classification-config.h
FrameConfigEnableAll
void FrameConfigEnableAll(void)
Definition: app-layer-frames.c:45
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:40
util-optimize.h
threadvars.h
util-validate.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
FRAME_STREAM_TYPE
#define FRAME_STREAM_TYPE
Definition: app-layer-frames.h:30
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
str
#define str(s)
Definition: suricata-common.h:286
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
FRAME_FLAG_LOGGED
#define FRAME_FLAG_LOGGED
Definition: app-layer-frames.h:42
detect-parse.h
util-buffer.h
JsonFrameLogThread
struct JsonFrameLogThread_ JsonFrameLogThread
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
LOGGER_JSON_FRAME
@ LOGGER_JSON_FRAME
Definition: suricata-common.h:486
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:473
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:145
TcpSession_
Definition: stream-tcp-private.h:283
util-misc.h
flow.h
AppLayerParserStateIssetFlag
uint16_t AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition: app-layer-parser.c:1806
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:104
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
output.h