70 #define MAX_SIZE_HEADER_NAME 256
71 #define MAX_SIZE_HEADER_VALUE 2048
73 #define LOG_HTTP_DEFAULT 0
74 #define LOG_HTTP_EXTENDED 1
75 #define LOG_HTTP_REQUEST 2
76 #define LOG_HTTP_ARRAY 4
77 #define LOG_HTTP_REQ_HEADERS 8
78 #define LOG_HTTP_RES_HEADERS 16
163 {
"accept_range",
"accept-range", 0 },
165 {
"allow",
"allow", 0 },
166 {
"connection",
"connection", 0 },
167 {
"content_encoding",
"content-encoding", 0 },
168 {
"content_language",
"content-language", 0 },
169 {
"content_length",
"content-length", 0 },
170 {
"content_location",
"content-location", 0 },
171 {
"content_md5",
"content-md5", 0 },
172 {
"content_range",
"content-range", 0 },
173 {
"content_type",
"content-type", 0 },
174 {
"date",
"date", 0 },
175 {
"etag",
"etags", 0 },
176 {
"expires",
"expires", 0 },
177 {
"last_modified",
"last-modified", 0 },
178 {
"link",
"link", 0 },
179 {
"location",
"location", 0 },
180 {
"proxy_authenticate",
"proxy-authenticate", 0 },
182 {
"refresh",
"refresh", 0 },
183 {
"retry_after",
"retry-after", 0 },
184 {
"server",
"server", 0 },
185 {
"set_cookie",
"set-cookie", 0 },
186 {
"trailer",
"trailer", 0 },
187 {
"transfer_encoding",
"transfer-encoding", 0 },
188 {
"upgrade",
"upgrade", 0 },
189 {
"vary",
"vary", 0 },
190 {
"warning",
"warning", 0 },
191 {
"www_authenticate",
"www-authenticate", 0 },
197 static void EveHttpLogJSONBasic(SCJsonBuilder *js, htp_tx_t *tx)
200 if (htp_tx_request_hostname(tx) != NULL) {
201 SCJbSetStringFromBytes(js,
"hostname", bstr_ptr(htp_tx_request_hostname(tx)),
202 (uint32_t)bstr_len(htp_tx_request_hostname(tx)));
211 if (htp_tx_request_port_number(tx) >= 0) {
212 SCJbSetUint(js,
"http_port", htp_tx_request_port_number(tx));
216 if (htp_tx_request_uri(tx) != NULL) {
217 SCJbSetStringFromBytes(js,
"url", bstr_ptr(htp_tx_request_uri(tx)),
218 (uint32_t)bstr_len(htp_tx_request_uri(tx)));
221 if (htp_tx_request_headers(tx) != NULL) {
223 const htp_header_t *h_user_agent = htp_tx_request_header(tx,
"user-agent");
224 if (h_user_agent != NULL) {
225 SCJbSetStringFromBytes(js,
"http_user_agent", htp_header_value_ptr(h_user_agent),
226 (uint32_t)htp_header_value_len(h_user_agent));
230 const htp_header_t *h_x_forwarded_for = htp_tx_request_header(tx,
"x-forwarded-for");
231 if (h_x_forwarded_for != NULL) {
232 SCJbSetStringFromBytes(js,
"xff", htp_header_value_ptr(h_x_forwarded_for),
233 (uint32_t)htp_header_value_len(h_x_forwarded_for));
238 if (htp_tx_response_headers(tx) != NULL) {
239 const htp_header_t *h_content_type = htp_tx_response_header(tx,
"content-type");
240 if (h_content_type != NULL) {
241 const size_t size = htp_header_value_len(h_content_type) * 2 + 1;
244 htp_header_value_len(h_content_type),
string, size);
245 char *p = strchr(
string,
';');
248 SCJbSetString(js,
"http_content_type",
string);
250 const htp_header_t *h_content_range = htp_tx_response_header(tx,
"content-range");
251 if (h_content_range != NULL) {
252 SCJbOpenObject(js,
"content_range");
253 SCJbSetStringFromBytes(js,
"raw", htp_header_value_ptr(h_content_range),
254 (uint32_t)htp_header_value_len(h_content_range));
255 HTTPContentRange crparsed;
257 if (crparsed.start >= 0)
258 SCJbSetUint(js,
"start", crparsed.start);
259 if (crparsed.end >= 0)
260 SCJbSetUint(js,
"end", crparsed.end);
261 if (crparsed.size >= 0)
262 SCJbSetUint(js,
"size", crparsed.size);
269 static void EveHttpLogJSONExtended(SCJsonBuilder *js, htp_tx_t *tx)
272 const htp_header_t *h_referer = NULL;
273 if (htp_tx_request_headers(tx) != NULL) {
274 h_referer = htp_tx_request_header(tx,
"referer");
276 if (h_referer != NULL) {
277 SCJbSetStringFromBytes(js,
"http_refer", htp_header_value_ptr(h_referer),
278 (uint32_t)htp_header_value_len(h_referer));
282 if (htp_tx_request_method(tx) != NULL) {
283 SCJbSetStringFromBytes(js,
"http_method", bstr_ptr(htp_tx_request_method(tx)),
284 (uint32_t)bstr_len(htp_tx_request_method(tx)));
288 if (htp_tx_request_protocol(tx) != NULL) {
289 SCJbSetStringFromBytes(js,
"protocol", bstr_ptr(htp_tx_request_protocol(tx)),
290 (uint32_t)bstr_len(htp_tx_request_protocol(tx)));
294 const int resp = htp_tx_response_status_number(tx);
296 SCJbSetUint(js,
"status", (uint32_t)resp);
297 }
else if (htp_tx_response_status(tx) != NULL) {
298 SCJbSetStringFromBytes(js,
"status_string", bstr_ptr(htp_tx_response_status(tx)),
299 (uint32_t)bstr_len(htp_tx_response_status(tx)));
302 const htp_header_t *h_location = htp_tx_response_header(tx,
"location");
303 if (h_location != NULL) {
304 SCJbSetStringFromBytes(js,
"redirect", htp_header_value_ptr(h_location),
305 (uint32_t)htp_header_value_len(h_location));
309 SCJbSetUint(js,
"length", htp_tx_response_message_len(tx));
312 static void EveHttpLogJSONHeaders(
313 SCJsonBuilder *js, uint32_t direction, htp_tx_t *tx,
LogHttpFileCtx *http_ctx)
316 : htp_tx_response_headers(tx);
319 size_t n = htp_headers_size(headers);
320 SCJsonBuilderMark mark = { 0, 0, 0 };
321 SCJbGetMark(js, &mark);
322 bool array_empty =
true;
324 for (
size_t i = 0; i < n; i++) {
325 const htp_header_t *h = htp_headers_get_index(headers, i);
326 if ((http_ctx->
flags & direction) == 0 && http_ctx->
fields != 0) {
329 if ((http_ctx->
fields & (1ULL << f)) != 0) {
349 ? htp_header_name_len(h)
351 memcpy(
name, htp_header_name_ptr(h), size_name);
352 name[size_name] =
'\0';
353 SCJbSetString(js,
"name",
name);
355 ? htp_header_value_len(h)
357 memcpy(value, htp_header_value_ptr(h), size_value);
358 value[size_value] =
'\0';
359 SCJbSetString(js,
"value", value);
363 SCJbRestoreMark(js, &mark);
370 static void BodyPrintableBuffer(SCJsonBuilder *js,
HtpBody *body,
const char *key)
374 const uint8_t *body_data;
375 uint32_t body_data_len;
376 uint64_t body_offset;
379 &body_data_len, &body_offset) == 0) {
383 uint8_t printable_buf[body_data_len + 1];
386 SCJbSetString(js, key, (
char *)printable_buf);
399 BodyPrintableBuffer(js, &htud->
request_body,
"http_request_body_printable");
400 BodyPrintableBuffer(js, &htud->
response_body,
"http_response_body_printable");
406 static void BodyBase64Buffer(SCJsonBuilder *js,
HtpBody *body,
const char *key)
409 const uint8_t *body_data;
410 uint32_t body_data_len;
411 uint64_t body_offset;
414 &body_data_len, &body_offset) == 0) {
418 SCJbSetBase64(js, key, body_data, body_data_len);
430 BodyBase64Buffer(js, &htud->
request_body,
"http_request_body");
431 BodyBase64Buffer(js, &htud->
response_body,
"http_response_body");
438 static void EveHttpLogJSON(
JsonHttpLogThread *aft, SCJsonBuilder *js, htp_tx_t *tx, uint64_t tx_id)
441 SCJbOpenObject(js,
"http");
443 EveHttpLogJSONBasic(js, tx);
445 EveHttpLogJSONExtended(js, tx);
454 static int JsonHttpLogger(
ThreadVars *
tv,
void *thread_data,
const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
458 htp_tx_t *tx = txptr;
466 SCLogDebug(
"got a HTTP request and now logging !!");
468 EveHttpLogJSON(jhl, js, tx, tx_id);
481 SCJbSetString(js,
"xff", buffer);
485 SCJbSetString(js,
"dest_ip", buffer);
487 SCJbSetString(js,
"src_ip", buffer);
506 EveHttpLogJSONBasic(js, tx);
507 EveHttpLogJSONExtended(js, tx);
515 static void OutputHttpLogDeinitSub(
OutputCtx *output_ctx)
533 memset(http_ctx, 0x00,
sizeof(*http_ctx));
547 if (extended != NULL) {
554 if (all_headers != NULL) {
555 if (strncmp(all_headers,
"both", 4) == 0) {
558 }
else if (strncmp(all_headers,
"request", 7) == 0) {
560 }
else if (strncmp(all_headers,
"response", 8) == 0) {
568 SCLogWarning(
"No need for custom as dump-all-headers is already present");
576 http_ctx->
fields |= (1ULL << f);
586 if (http_ctx->
xff_cfg != NULL) {
593 output_ctx->
data = http_ctx;
594 output_ctx->
DeInit = OutputHttpLogDeinitSub;
599 result.
ctx = output_ctx;
604 static TmEcode JsonHttpLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
612 SCLogDebug(
"Error getting context for EveLogHTTP. \"initdata\" argument NULL");
652 OutputHttpLogInitSub,
ALPROTO_HTTP1, JsonHttpLogger, JsonHttpLogThreadInit,
653 JsonHttpLogThreadDeinit);