70 #define MAX_SIZE_HEADER_NAME 256
71 #define MAX_SIZE_HEADER_VALUE 2048
73 #define LOG_HTTP_DEFAULT 0
74 #define LOG_HTTP_EXTENDED 1
75 #define LOG_HTTP_REQUEST 2
76 #define LOG_HTTP_ARRAY 4
77 #define LOG_HTTP_REQ_HEADERS 8
78 #define LOG_HTTP_RES_HEADERS 16
163 {
"accept_range",
"accept-range", 0 },
165 {
"allow",
"allow", 0 },
166 {
"connection",
"connection", 0 },
167 {
"content_encoding",
"content-encoding", 0 },
168 {
"content_language",
"content-language", 0 },
169 {
"content_length",
"content-length", 0 },
170 {
"content_location",
"content-location", 0 },
171 {
"content_md5",
"content-md5", 0 },
172 {
"content_range",
"content-range", 0 },
173 {
"content_type",
"content-type", 0 },
174 {
"date",
"date", 0 },
175 {
"etag",
"etags", 0 },
176 {
"expires",
"expires", 0 },
177 {
"last_modified",
"last-modified", 0 },
178 {
"link",
"link", 0 },
179 {
"location",
"location", 0 },
180 {
"proxy_authenticate",
"proxy-authenticate", 0 },
182 {
"refresh",
"refresh", 0 },
183 {
"retry_after",
"retry-after", 0 },
184 {
"server",
"server", 0 },
185 {
"set_cookie",
"set-cookie", 0 },
186 {
"trailer",
"trailer", 0 },
187 {
"transfer_encoding",
"transfer-encoding", 0 },
188 {
"upgrade",
"upgrade", 0 },
189 {
"vary",
"vary", 0 },
190 {
"warning",
"warning", 0 },
191 {
"www_authenticate",
"www-authenticate", 0 },
197 static void EveHttpLogJSONBasic(JsonBuilder *js, htp_tx_t *tx)
200 if (tx->request_hostname != NULL) {
201 jb_set_string_from_bytes(
202 js,
"hostname", bstr_ptr(tx->request_hostname), bstr_len(tx->request_hostname));
211 if (tx->request_port_number >= 0) {
212 jb_set_uint(js,
"http_port", tx->request_port_number);
216 if (tx->request_uri != NULL) {
217 jb_set_string_from_bytes(js,
"url", bstr_ptr(tx->request_uri), bstr_len(tx->request_uri));
220 if (tx->request_headers != NULL) {
222 htp_header_t *h_user_agent = htp_table_get_c(tx->request_headers,
"user-agent");
223 if (h_user_agent != NULL) {
224 jb_set_string_from_bytes(js,
"http_user_agent", bstr_ptr(h_user_agent->value),
225 bstr_len(h_user_agent->value));
229 htp_header_t *h_x_forwarded_for = htp_table_get_c(tx->request_headers,
"x-forwarded-for");
230 if (h_x_forwarded_for != NULL) {
231 jb_set_string_from_bytes(js,
"xff", bstr_ptr(h_x_forwarded_for->value),
232 bstr_len(h_x_forwarded_for->value));
237 if (tx->response_headers != NULL) {
238 htp_header_t *h_content_type = htp_table_get_c(tx->response_headers,
"content-type");
239 if (h_content_type != NULL) {
240 const size_t size = bstr_len(h_content_type->value) * 2 + 1;
242 BytesToStringBuffer(bstr_ptr(h_content_type->value), bstr_len(h_content_type->value),
string, size);
243 char *p = strchr(
string,
';');
246 jb_set_string(js,
"http_content_type",
string);
248 htp_header_t *h_content_range = htp_table_get_c(tx->response_headers,
"content-range");
249 if (h_content_range != NULL) {
250 jb_open_object(js,
"content_range");
251 jb_set_string_from_bytes(
252 js,
"raw", bstr_ptr(h_content_range->value), bstr_len(h_content_range->value));
253 HTTPContentRange crparsed;
255 if (crparsed.start >= 0)
256 jb_set_uint(js,
"start", crparsed.start);
257 if (crparsed.end >= 0)
258 jb_set_uint(js,
"end", crparsed.end);
259 if (crparsed.size >= 0)
260 jb_set_uint(js,
"size", crparsed.size);
267 static void EveHttpLogJSONExtended(JsonBuilder *js, htp_tx_t *tx)
270 htp_header_t *h_referer = NULL;
271 if (tx->request_headers != NULL) {
272 h_referer = htp_table_get_c(tx->request_headers,
"referer");
274 if (h_referer != NULL) {
275 jb_set_string_from_bytes(
276 js,
"http_refer", bstr_ptr(h_referer->value), bstr_len(h_referer->value));
280 if (tx->request_method != NULL) {
281 jb_set_string_from_bytes(
282 js,
"http_method", bstr_ptr(tx->request_method), bstr_len(tx->request_method));
286 if (tx->request_protocol != NULL) {
287 jb_set_string_from_bytes(
288 js,
"protocol", bstr_ptr(tx->request_protocol), bstr_len(tx->request_protocol));
294 const int resp = tx->response_status_number;
296 jb_set_uint(js,
"status", (uint32_t)resp);
297 }
else if (tx->response_status != NULL) {
298 const size_t status_size = bstr_len(tx->response_status) * 2 + 1;
299 char status_string[status_size];
301 status_string, status_size);
302 unsigned int val = strtoul(status_string, NULL, 10);
303 jb_set_uint(js,
"status", val);
306 htp_header_t *h_location = htp_table_get_c(tx->response_headers,
"location");
307 if (h_location != NULL) {
308 jb_set_string_from_bytes(
309 js,
"redirect", bstr_ptr(h_location->value), bstr_len(h_location->value));
313 jb_set_uint(js,
"length", tx->response_message_len);
316 static void EveHttpLogJSONHeaders(
317 JsonBuilder *js, uint32_t direction, htp_tx_t *tx,
LogHttpFileCtx *http_ctx)
320 tx->request_headers : tx->response_headers;
323 size_t n = htp_table_size(headers);
324 JsonBuilderMark mark = { 0, 0, 0 };
325 jb_get_mark(js, &mark);
326 bool array_empty =
true;
328 for (
size_t i = 0; i < n; i++) {
329 htp_header_t *h = htp_table_get_index(headers, i, NULL);
330 if ((http_ctx->
flags & direction) == 0 && http_ctx->
fields != 0) {
333 if ((http_ctx->
fields & (1ULL << f)) != 0) {
339 if (bstr_cmp_c_nocase(h->name,
http_fields[f].htp_field) == 0) {
354 memcpy(name, bstr_ptr(h->name), size_name);
355 name[size_name] =
'\0';
356 jb_set_string(js,
"name", name);
359 memcpy(value, bstr_ptr(h->value), size_value);
360 value[size_value] =
'\0';
361 jb_set_string(js,
"value", value);
365 jb_restore_mark(js, &mark);
372 static void BodyPrintableBuffer(JsonBuilder *js,
HtpBody *body,
const char *key)
376 const uint8_t *body_data;
377 uint32_t body_data_len;
378 uint64_t body_offset;
381 &body_data_len, &body_offset) == 0) {
385 uint8_t printable_buf[body_data_len + 1];
387 sizeof(printable_buf),
388 body_data, body_data_len);
390 jb_set_string(js, key, (
char *)printable_buf);
403 BodyPrintableBuffer(js, &htud->
request_body,
"http_request_body_printable");
404 BodyPrintableBuffer(js, &htud->
response_body,
"http_response_body_printable");
410 static void BodyBase64Buffer(JsonBuilder *js,
HtpBody *body,
const char *key)
413 const uint8_t *body_data;
414 uint32_t body_data_len;
415 uint64_t body_offset;
418 &body_data_len, &body_offset) == 0) {
422 jb_set_base64(js, key, body_data, body_data_len);
434 BodyBase64Buffer(js, &htud->
request_body,
"http_request_body");
435 BodyBase64Buffer(js, &htud->
response_body,
"http_response_body");
442 static void EveHttpLogJSON(
JsonHttpLogThread *aft, JsonBuilder *js, htp_tx_t *tx, uint64_t tx_id)
445 jb_open_object(js,
"http");
447 EveHttpLogJSONBasic(js, tx);
449 EveHttpLogJSONExtended(js, tx);
458 static int JsonHttpLogger(
ThreadVars *
tv,
void *thread_data,
const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
462 htp_tx_t *tx = txptr;
470 SCLogDebug(
"got a HTTP request and now logging !!");
472 EveHttpLogJSON(jhl, js, tx, tx_id);
485 jb_set_string(js,
"xff", buffer);
489 jb_set_string(js,
"dest_ip", buffer);
491 jb_set_string(js,
"src_ip", buffer);
510 EveHttpLogJSONBasic(js, tx);
511 EveHttpLogJSONExtended(js, tx);
519 static void OutputHttpLogDeinitSub(
OutputCtx *output_ctx)
537 memset(http_ctx, 0x00,
sizeof(*http_ctx));
551 if (extended != NULL) {
558 if (all_headers != NULL) {
559 if (strncmp(all_headers,
"both", 4) == 0) {
562 }
else if (strncmp(all_headers,
"request", 7) == 0) {
564 }
else if (strncmp(all_headers,
"response", 8) == 0) {
572 SCLogWarning(
"No need for custom as dump-all-headers is already present");
580 http_ctx->
fields |= (1ULL << f);
590 if (http_ctx->
xff_cfg != NULL) {
597 output_ctx->
data = http_ctx;
598 output_ctx->
DeInit = OutputHttpLogDeinitSub;
603 result.
ctx = output_ctx;
608 static TmEcode JsonHttpLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
616 SCLogDebug(
"Error getting context for EveLogHTTP. \"initdata\" argument NULL");
656 OutputHttpLogInitSub,
ALPROTO_HTTP1, JsonHttpLogger, JsonHttpLogThreadInit,
657 JsonHttpLogThreadDeinit, NULL);