suricata
output-json-metadata.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs vars in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "app-layer-parser.h"
47 #include "app-layer-dnp3.h"
48 #include "app-layer-htp.h"
49 #include "app-layer-htp-xff.h"
50 #include "util-classification-config.h"
51 #include "util-syslog.h"
52 #include "util-logopenfile.h"
53 
54 #include "output.h"
55 #include "output-json.h"
56 #include "output-json-metadata.h"
57 
58 #include "util-byte.h"
59 #include "util-privs.h"
60 #include "util-print.h"
61 #include "util-proto-name.h"
62 #include "util-optimize.h"
63 #include "util-buffer.h"
64 #include "util-crypt.h"
65 
66 #define MODULE_NAME "JsonMetadataLog"
67 
68 typedef struct MetadataJsonOutputCtx_ {
69  LogFileCtx* file_ctx;
70  OutputJsonCommonSettings cfg;
71 } MetadataJsonOutputCtx;
72 
73 typedef struct JsonMetadataLogThread_ {
74  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
75  LogFileCtx* file_ctx;
76  MemBuffer *json_buffer;
77  MetadataJsonOutputCtx* json_output_ctx;
78 } JsonMetadataLogThread;
79 
80 static int MetadataJson(ThreadVars *tv, JsonMetadataLogThread *aft, const Packet *p)
81 {
82  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "metadata", NULL);
83  if (unlikely(js == NULL))
84  return TM_ECODE_OK;
85 
86  EveAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
87  OutputJsonBuilderBuffer(js, aft->file_ctx, &aft->json_buffer);
88 
89  return TM_ECODE_OK;
90 }
91 
92 static int JsonMetadataLogger(ThreadVars *tv, void *thread_data, const Packet *p)
93 {
94  JsonMetadataLogThread *aft = thread_data;
95 
96  return MetadataJson(tv, aft, p);
97 }
98 
99 static int JsonMetadataLogCondition(ThreadVars *tv, const Packet *p)
100 {
101  if (p->pktvar) {
102  return TRUE;
103  }
104  return FALSE;
105 }
106 
107 static TmEcode JsonMetadataLogThreadInit(ThreadVars *t, const void *initdata, void **data)
108 {
109  JsonMetadataLogThread *aft = SCCalloc(1, sizeof(JsonMetadataLogThread));
110  if (unlikely(aft == NULL))
111  return TM_ECODE_FAILED;
112 
113  if(initdata == NULL) {
114  SCLogDebug("Error getting context for EveLogMetadata. \"initdata\" argument NULL");
115  goto error_exit;
116  }
117 
118  aft->json_buffer = MemBufferCreateNew(JSON_OUTPUT_BUFFER_SIZE);
119  if (aft->json_buffer == NULL) {
120  goto error_exit;
121  }
122 
123  /** Use the Output Context (file pointer and mutex) */
124  MetadataJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
125  aft->file_ctx = LogFileEnsureExists(json_output_ctx->file_ctx, t->id);
126  if (!aft->file_ctx) {
127  goto error_exit;
128  }
129  aft->json_output_ctx = json_output_ctx;
130 
131  *data = (void *)aft;
132  return TM_ECODE_OK;
133 
134 error_exit:
135  if (aft->json_buffer != NULL) {
136  MemBufferFree(aft->json_buffer);
137  }
138  SCFree(aft);
139  return TM_ECODE_FAILED;
140 }
141 
142 static TmEcode JsonMetadataLogThreadDeinit(ThreadVars *t, void *data)
143 {
144  JsonMetadataLogThread *aft = (JsonMetadataLogThread *)data;
145  if (aft == NULL) {
146  return TM_ECODE_OK;
147  }
148 
149  MemBufferFree(aft->json_buffer);
150 
151  /* clear memory */
152  memset(aft, 0, sizeof(JsonMetadataLogThread));
153 
154  SCFree(aft);
155  return TM_ECODE_OK;
156 }
157 
158 static void JsonMetadataLogDeInitCtxSub(OutputCtx *output_ctx)
159 {
160  SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
161 
162  MetadataJsonOutputCtx *json_output_ctx = (MetadataJsonOutputCtx *) output_ctx->data;
163 
164  if (json_output_ctx != NULL) {
165  SCFree(json_output_ctx);
166  }
167  SCFree(output_ctx);
168 }
169 
170 /**
171  * \brief Create a new LogFileCtx for "fast" output style.
172  * \param conf The configuration node for this output.
173  * \return A LogFileCtx pointer on success, NULL on failure.
174  */
175 static OutputInitResult JsonMetadataLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
176 {
177  OutputInitResult result = { NULL, false };
178  OutputJsonCtx *ajt = parent_ctx->data;
179  MetadataJsonOutputCtx *json_output_ctx = NULL;
180 
181  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
182  if (unlikely(output_ctx == NULL))
183  return result;
184 
185  json_output_ctx = SCMalloc(sizeof(MetadataJsonOutputCtx));
186  if (unlikely(json_output_ctx == NULL)) {
187  goto error;
188  }
189  memset(json_output_ctx, 0, sizeof(MetadataJsonOutputCtx));
190 
191  json_output_ctx->file_ctx = ajt->file_ctx;
192  json_output_ctx->cfg = ajt->cfg;
193  /* override config setting as this logger is about metadata */
194  json_output_ctx->cfg.include_metadata = true;
195 
196  output_ctx->data = json_output_ctx;
197  output_ctx->DeInit = JsonMetadataLogDeInitCtxSub;
198 
199  result.ctx = output_ctx;
200  result.ok = true;
201  return result;
202 
203 error:
204  if (json_output_ctx != NULL) {
205  SCFree(json_output_ctx);
206  }
207  if (output_ctx != NULL) {
208  SCFree(output_ctx);
209  }
210 
211  return result;
212 }
213 
214 void JsonMetadataLogRegister (void)
215 {
216  OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME,
217  "eve-log.metadata", JsonMetadataLogInitCtxSub, JsonMetadataLogger,
218  JsonMetadataLogCondition, JsonMetadataLogThreadInit,
219  JsonMetadataLogThreadDeinit, NULL);
220 
221  /* Kept for compatibility. */
222  OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME,
223  "eve-log.vars", JsonMetadataLogInitCtxSub, JsonMetadataLogger,
224  JsonMetadataLogCondition, JsonMetadataLogThreadInit,
225  JsonMetadataLogThreadDeinit, NULL);
226 }
util-byte.h
tm-threads.h
detect-engine.h
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:104
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
JsonMetadataLogThread_::json_output_ctx
MetadataJsonOutputCtx * json_output_ctx
Definition: output-json-metadata.c:77
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:63
threads.h
OutputJsonCtx_
Definition: output-json.h:101
OutputJsonCommonSettings_
Definition: output-json.h:91
util-syslog.h
LogFileCtx_
Definition: util-logopenfile.h:60
JsonMetadataLogThread_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-metadata.c:75
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:978
util-privs.h
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:444
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
MetadataJsonOutputCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json-metadata.c:70
util-unittest.h
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
OutputCtx_
Definition: tm-modules.h:78
app-layer-htp-xff.h
detect-reference.h
app-layer-htp.h
util-debug.h
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:499
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:44
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr)
Definition: output-json.c:846
JsonMetadataLogThread_
Definition: output-json-metadata.c:73
app-layer-dnp3.h
output-json.h
MetadataJsonOutputCtx_
Definition: output-json-metadata.c:68
util-print.h
detect-engine-mpm.h
util-crypt.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
LogFileEnsureExists
LogFileCtx * LogFileEnsureExists(LogFileCtx *parent_ctx, int thread_id)
LogFileEnsureExists() Ensure a log file context for the thread exists.
Definition: util-logopenfile.c:659
OutputInitResult_::ok
bool ok
Definition: output.h:45
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
ThreadVars_::id
int id
Definition: threadvars.h:87
FALSE
#define FALSE
Definition: suricata-common.h:34
MODULE_NAME
#define MODULE_NAME
Definition: output-json-metadata.c:66
Packet_
Definition: decode.h:414
JsonMetadataLogThread
struct JsonMetadataLogThread_ JsonMetadataLogThread
conf.h
TmEcode
TmEcode
Definition: tm-threads-common.h:79
util-proto-name.h
MemBuffer_
Definition: util-buffer.h:27
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:92
OutputInitResult_
Definition: output.h:43
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
LOGGER_JSON_METADATA
@ LOGGER_JSON_METADATA
Definition: suricata-common.h:490
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:214
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
util-classification-config.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
JsonMetadataLogRegister
void JsonMetadataLogRegister(void)
Definition: output-json-metadata.c:214
util-optimize.h
threadvars.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
output-json-metadata.h
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
util-logopenfile.h
detect-parse.h
util-buffer.h
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:102
JsonMetadataLogThread_::json_buffer
MemBuffer * json_buffer
Definition: output-json-metadata.c:76
MetadataJsonOutputCtx
struct MetadataJsonOutputCtx_ MetadataJsonOutputCtx
util-misc.h
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
debug.h
output.h
MetadataJsonOutputCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json-metadata.c:69