70 #define MAX_SIZE_HEADER_NAME 256
71 #define MAX_SIZE_HEADER_VALUE 2048
73 #define LOG_HTTP_DEFAULT 0
74 #define LOG_HTTP_EXTENDED 1
75 #define LOG_HTTP_REQUEST 2
76 #define LOG_HTTP_ARRAY 4
77 #define LOG_HTTP_REQ_HEADERS 8
78 #define LOG_HTTP_RES_HEADERS 16
163 {
"accept_range",
"accept-range", 0 },
165 {
"allow",
"allow", 0 },
166 {
"connection",
"connection", 0 },
167 {
"content_encoding",
"content-encoding", 0 },
168 {
"content_language",
"content-language", 0 },
169 {
"content_length",
"content-length", 0 },
170 {
"content_location",
"content-location", 0 },
171 {
"content_md5",
"content-md5", 0 },
172 {
"content_range",
"content-range", 0 },
173 {
"content_type",
"content-type", 0 },
174 {
"date",
"date", 0 },
175 {
"etag",
"etags", 0 },
176 {
"expires",
"expires", 0 },
177 {
"last_modified",
"last-modified", 0 },
178 {
"link",
"link", 0 },
179 {
"location",
"location", 0 },
180 {
"proxy_authenticate",
"proxy-authenticate", 0 },
182 {
"refresh",
"refresh", 0 },
183 {
"retry_after",
"retry-after", 0 },
184 {
"server",
"server", 0 },
185 {
"set_cookie",
"set-cookie", 0 },
186 {
"trailer",
"trailer", 0 },
187 {
"transfer_encoding",
"transfer-encoding", 0 },
188 {
"upgrade",
"upgrade", 0 },
189 {
"vary",
"vary", 0 },
190 {
"warning",
"warning", 0 },
191 {
"www_authenticate",
"www-authenticate", 0 },
197 static void EveHttpLogJSONBasic(JsonBuilder *js, htp_tx_t *tx)
200 if (tx->request_hostname != NULL) {
201 jb_set_string_from_bytes(js,
"hostname", bstr_ptr(tx->request_hostname),
202 (uint32_t)bstr_len(tx->request_hostname));
211 if (tx->request_port_number >= 0) {
212 jb_set_uint(js,
"http_port", tx->request_port_number);
216 if (tx->request_uri != NULL) {
217 jb_set_string_from_bytes(
218 js,
"url", bstr_ptr(tx->request_uri), (uint32_t)bstr_len(tx->request_uri));
221 if (tx->request_headers != NULL) {
223 htp_header_t *h_user_agent = htp_table_get_c(tx->request_headers,
"user-agent");
224 if (h_user_agent != NULL) {
225 jb_set_string_from_bytes(js,
"http_user_agent", bstr_ptr(h_user_agent->value),
226 (uint32_t)bstr_len(h_user_agent->value));
230 htp_header_t *h_x_forwarded_for = htp_table_get_c(tx->request_headers,
"x-forwarded-for");
231 if (h_x_forwarded_for != NULL) {
232 jb_set_string_from_bytes(js,
"xff", bstr_ptr(h_x_forwarded_for->value),
233 (uint32_t)bstr_len(h_x_forwarded_for->value));
238 if (tx->response_headers != NULL) {
239 htp_header_t *h_content_type = htp_table_get_c(tx->response_headers,
"content-type");
240 if (h_content_type != NULL) {
241 const size_t size = bstr_len(h_content_type->value) * 2 + 1;
243 BytesToStringBuffer(bstr_ptr(h_content_type->value), bstr_len(h_content_type->value),
string, size);
244 char *p = strchr(
string,
';');
247 jb_set_string(js,
"http_content_type",
string);
249 htp_header_t *h_content_range = htp_table_get_c(tx->response_headers,
"content-range");
250 if (h_content_range != NULL) {
251 jb_open_object(js,
"content_range");
252 jb_set_string_from_bytes(js,
"raw", bstr_ptr(h_content_range->value),
253 (uint32_t)bstr_len(h_content_range->value));
254 HTTPContentRange crparsed;
256 if (crparsed.start >= 0)
257 jb_set_uint(js,
"start", crparsed.start);
258 if (crparsed.end >= 0)
259 jb_set_uint(js,
"end", crparsed.end);
260 if (crparsed.size >= 0)
261 jb_set_uint(js,
"size", crparsed.size);
268 static void EveHttpLogJSONExtended(JsonBuilder *js, htp_tx_t *tx)
271 htp_header_t *h_referer = NULL;
272 if (tx->request_headers != NULL) {
273 h_referer = htp_table_get_c(tx->request_headers,
"referer");
275 if (h_referer != NULL) {
276 jb_set_string_from_bytes(
277 js,
"http_refer", bstr_ptr(h_referer->value), (uint32_t)bstr_len(h_referer->value));
281 if (tx->request_method != NULL) {
282 jb_set_string_from_bytes(js,
"http_method", bstr_ptr(tx->request_method),
283 (uint32_t)bstr_len(tx->request_method));
287 if (tx->request_protocol != NULL) {
288 jb_set_string_from_bytes(js,
"protocol", bstr_ptr(tx->request_protocol),
289 (uint32_t)bstr_len(tx->request_protocol));
295 const int resp = tx->response_status_number;
297 jb_set_uint(js,
"status", (uint32_t)resp);
298 }
else if (tx->response_status != NULL) {
299 jb_set_string_from_bytes(js,
"status_string", bstr_ptr(tx->response_status),
300 (uint32_t)bstr_len(tx->response_status));
303 htp_header_t *h_location = htp_table_get_c(tx->response_headers,
"location");
304 if (h_location != NULL) {
305 jb_set_string_from_bytes(
306 js,
"redirect", bstr_ptr(h_location->value), (uint32_t)bstr_len(h_location->value));
310 jb_set_uint(js,
"length", tx->response_message_len);
313 static void EveHttpLogJSONHeaders(
314 JsonBuilder *js, uint32_t direction, htp_tx_t *tx,
LogHttpFileCtx *http_ctx)
317 tx->request_headers : tx->response_headers;
320 size_t n = htp_table_size(headers);
321 JsonBuilderMark mark = { 0, 0, 0 };
322 jb_get_mark(js, &mark);
323 bool array_empty =
true;
325 for (
size_t i = 0; i < n; i++) {
326 htp_header_t *h = htp_table_get_index(headers, i, NULL);
327 if ((http_ctx->
flags & direction) == 0 && http_ctx->
fields != 0) {
330 if ((http_ctx->
fields & (1ULL << f)) != 0) {
336 if (bstr_cmp_c_nocase(h->name,
http_fields[f].htp_field) == 0) {
351 memcpy(name, bstr_ptr(h->name), size_name);
352 name[size_name] =
'\0';
353 jb_set_string(js,
"name", name);
356 memcpy(value, bstr_ptr(h->value), size_value);
357 value[size_value] =
'\0';
358 jb_set_string(js,
"value", value);
362 jb_restore_mark(js, &mark);
369 static void BodyPrintableBuffer(JsonBuilder *js,
HtpBody *body,
const char *key)
373 const uint8_t *body_data;
374 uint32_t body_data_len;
375 uint64_t body_offset;
378 &body_data_len, &body_offset) == 0) {
382 uint8_t printable_buf[body_data_len + 1];
385 jb_set_string(js, key, (
char *)printable_buf);
398 BodyPrintableBuffer(js, &htud->
request_body,
"http_request_body_printable");
399 BodyPrintableBuffer(js, &htud->
response_body,
"http_response_body_printable");
405 static void BodyBase64Buffer(JsonBuilder *js,
HtpBody *body,
const char *key)
408 const uint8_t *body_data;
409 uint32_t body_data_len;
410 uint64_t body_offset;
413 &body_data_len, &body_offset) == 0) {
417 jb_set_base64(js, key, body_data, body_data_len);
429 BodyBase64Buffer(js, &htud->
request_body,
"http_request_body");
430 BodyBase64Buffer(js, &htud->
response_body,
"http_response_body");
437 static void EveHttpLogJSON(
JsonHttpLogThread *aft, JsonBuilder *js, htp_tx_t *tx, uint64_t tx_id)
440 jb_open_object(js,
"http");
442 EveHttpLogJSONBasic(js, tx);
444 EveHttpLogJSONExtended(js, tx);
453 static int JsonHttpLogger(
ThreadVars *
tv,
void *thread_data,
const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
457 htp_tx_t *tx = txptr;
465 SCLogDebug(
"got a HTTP request and now logging !!");
467 EveHttpLogJSON(jhl, js, tx, tx_id);
480 jb_set_string(js,
"xff", buffer);
484 jb_set_string(js,
"dest_ip", buffer);
486 jb_set_string(js,
"src_ip", buffer);
505 EveHttpLogJSONBasic(js, tx);
506 EveHttpLogJSONExtended(js, tx);
514 static void OutputHttpLogDeinitSub(
OutputCtx *output_ctx)
532 memset(http_ctx, 0x00,
sizeof(*http_ctx));
546 if (extended != NULL) {
553 if (all_headers != NULL) {
554 if (strncmp(all_headers,
"both", 4) == 0) {
557 }
else if (strncmp(all_headers,
"request", 7) == 0) {
559 }
else if (strncmp(all_headers,
"response", 8) == 0) {
567 SCLogWarning(
"No need for custom as dump-all-headers is already present");
575 http_ctx->
fields |= (1ULL << f);
585 if (http_ctx->
xff_cfg != NULL) {
592 output_ctx->
data = http_ctx;
593 output_ctx->
DeInit = OutputHttpLogDeinitSub;
598 result.
ctx = output_ctx;
603 static TmEcode JsonHttpLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
611 SCLogDebug(
"Error getting context for EveLogHTTP. \"initdata\" argument NULL");
651 OutputHttpLogInitSub,
ALPROTO_HTTP1, JsonHttpLogger, JsonHttpLogThreadInit,
652 JsonHttpLogThreadDeinit);