suricata
output-json.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs detection and monitoring events in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 #include "conf.h"
30 
31 #include "util-debug.h"
32 #include "util-time.h"
33 #include "util-var-name.h"
34 #include "util-macset.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 
39 #include "detect-engine.h"
41 #include "util-syslog.h"
42 
43 /* Internal output plugins */
44 #include "output-eve-syslog.h"
45 #include "output-eve-null.h"
46 
47 #include "output.h"
48 #include "output-json.h"
49 
50 #include "util-byte.h"
51 #include "util-print.h"
52 #include "util-proto-name.h"
53 #include "util-optimize.h"
54 #include "util-buffer.h"
55 #include "util-logopenfile.h"
56 #include "util-log-redis.h"
57 #include "util-device-private.h"
58 #include "util-validate.h"
59 
60 #include "flow-var.h"
61 #include "flow-bit.h"
62 #include "flow-storage.h"
63 
65 
66 #define DEFAULT_LOG_FILENAME "eve.json"
67 #define MODULE_NAME "OutputJSON"
68 
69 #define MAX_JSON_SIZE 2048
70 
71 static void OutputJsonDeInitCtx(OutputCtx *);
72 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed);
73 static int CreateJSONEther(
74  SCJsonBuilder *parent, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir);
75 
76 static const char *TRAFFIC_ID_PREFIX = "traffic/id/";
77 static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
78 static size_t traffic_id_prefix_len = 0;
79 static size_t traffic_label_prefix_len = 0;
80 
82 
83 void OutputJsonRegister (void)
84 {
86 
87  traffic_id_prefix_len = strlen(TRAFFIC_ID_PREFIX);
88  traffic_label_prefix_len = strlen(TRAFFIC_LABEL_PREFIX);
89 
90  // Register output file types that use the new eve filetype registration
91  // API.
94 }
95 
96 json_t *SCJsonString(const char *val)
97 {
98  if (val == NULL){
99  return NULL;
100  }
101  json_t * retval = json_string(val);
102  char retbuf[MAX_JSON_SIZE] = {0};
103  if (retval == NULL) {
104  uint32_t u = 0;
105  uint32_t offset = 0;
106  for (u = 0; u < strlen(val); u++) {
107  if (isprint(val[u])) {
108  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1, "%c",
109  val[u]);
110  } else {
112  "\\x%02X", val[u]);
113  }
114  }
115  retbuf[offset] = '\0';
116  retval = json_string(retbuf);
117  }
118  return retval;
119 }
120 
121 /* Default Sensor ID value */
122 static int64_t sensor_id = -1; /* -1 = not defined */
123 
124 void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
125 {
126  SCJbSetStringFromBytes(jb, "filename", ff->name, ff->name_len);
127 
128  if (ff->sid_cnt > 0) {
129  SCJbOpenArray(jb, "sid");
130  for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
131  SCJbAppendUint(jb, ff->sid[i]);
132  }
133  SCJbClose(jb);
134  }
135 
136 #ifdef HAVE_MAGIC
137  if (ff->magic)
138  SCJbSetString(jb, "magic", (char *)ff->magic);
139 #endif
140  SCJbSetBool(jb, "gaps", ff->flags & FILE_HAS_GAPS);
141  switch (ff->state) {
142  case FILE_STATE_CLOSED:
143  JB_SET_STRING(jb, "state", "CLOSED");
144  if (ff->flags & FILE_MD5) {
145  SCJbSetHex(jb, "md5", (uint8_t *)ff->md5, (uint32_t)sizeof(ff->md5));
146  }
147  if (ff->flags & FILE_SHA1) {
148  SCJbSetHex(jb, "sha1", (uint8_t *)ff->sha1, (uint32_t)sizeof(ff->sha1));
149  }
150  break;
152  JB_SET_STRING(jb, "state", "TRUNCATED");
153  break;
154  case FILE_STATE_ERROR:
155  JB_SET_STRING(jb, "state", "ERROR");
156  break;
157  default:
158  JB_SET_STRING(jb, "state", "UNKNOWN");
159  break;
160  }
161 
162  if (ff->flags & FILE_SHA256) {
163  SCJbSetHex(jb, "sha256", (uint8_t *)ff->sha256, (uint32_t)sizeof(ff->sha256));
164  }
165 
166  if (flags & FILE_STORED) {
167  JB_SET_TRUE(jb, "stored");
168  SCJbSetUint(jb, "file_id", ff->file_store_id);
169  } else {
170  JB_SET_FALSE(jb, "stored");
171  if (flags & FILE_STORE) {
172  JB_SET_TRUE(jb, "storing");
173  }
174  }
175 
176  SCJbSetUint(jb, "size", FileTrackedSize(ff));
177  if (ff->end > 0) {
178  SCJbSetUint(jb, "start", ff->start);
179  SCJbSetUint(jb, "end", ff->end);
180  }
181  SCJbSetUint(jb, "tx_id", tx_id);
182 }
183 
184 static void EveAddPacketVars(const Packet *p, SCJsonBuilder *js_vars)
185 {
186  if (p == NULL || p->pktvar == NULL) {
187  return;
188  }
189  PktVar *pv = p->pktvar;
190  bool open = false;
191  while (pv != NULL) {
192  if (pv->key || pv->id > 0) {
193  if (!open) {
194  SCJbOpenArray(js_vars, "pktvars");
195  open = true;
196  }
197  SCJbStartObject(js_vars);
198 
199  if (pv->key != NULL) {
200  uint32_t offset = 0;
201  uint8_t keybuf[pv->key_len + 1];
202  PrintStringsToBuffer(keybuf, &offset, pv->key_len + 1, pv->key, pv->key_len);
203  uint32_t len = pv->value_len;
204  uint8_t printable_buf[len + 1];
205  offset = 0;
206  PrintStringsToBuffer(printable_buf, &offset, len + 1, pv->value, pv->value_len);
207  SCJbSetString(js_vars, (char *)keybuf, (char *)printable_buf);
208  } else {
209  const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
210  uint32_t len = pv->value_len;
211  uint8_t printable_buf[len + 1];
212  uint32_t offset = 0;
213  PrintStringsToBuffer(printable_buf, &offset, len + 1, pv->value, pv->value_len);
214  SCJbSetString(js_vars, varname, (char *)printable_buf);
215  }
216  SCJbClose(js_vars);
217  }
218  pv = pv->next;
219  }
220  if (open) {
221  SCJbClose(js_vars);
222  }
223 }
224 
225 /**
226  * \brief Check if string s has prefix prefix.
227  *
228  * \retval true if string has prefix
229  * \retval false if string does not have prefix
230  *
231  * TODO: Move to file with other string handling functions.
232  */
233 static bool SCStringHasPrefix(const char *s, const char *prefix)
234 {
235  if (strncmp(s, prefix, strlen(prefix)) == 0) {
236  return true;
237  }
238  return false;
239 }
240 
241 static void EveAddFlowVars(const Flow *f, SCJsonBuilder *js_root, SCJsonBuilder **js_traffic)
242 {
243  if (f == NULL || f->flowvar == NULL) {
244  return;
245  }
246  SCJsonBuilder *js_flowvars = NULL;
247  SCJsonBuilder *js_traffic_id = NULL;
248  SCJsonBuilder *js_traffic_label = NULL;
249  SCJsonBuilder *js_flowints = NULL;
250  SCJsonBuilder *js_flowbits = NULL;
251  GenericVar *gv = f->flowvar;
252  while (gv != NULL) {
253  if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
254  FlowVar *fv = (FlowVar *)gv;
255  if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
256  const char *varname = VarNameStoreLookupById(fv->idx,
258  if (varname) {
259  if (js_flowvars == NULL) {
260  js_flowvars = SCJbNewArray();
261  if (js_flowvars == NULL)
262  break;
263  }
264 
265  uint32_t len = fv->data.fv_str.value_len;
266  uint8_t printable_buf[len + 1];
267  uint32_t offset = 0;
268  PrintStringsToBuffer(printable_buf, &offset, len + 1, fv->data.fv_str.value,
269  fv->data.fv_str.value_len);
270 
271  SCJbStartObject(js_flowvars);
272  SCJbSetString(js_flowvars, varname, (char *)printable_buf);
273  SCJbClose(js_flowvars);
274  }
275  } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
276  if (js_flowvars == NULL) {
277  js_flowvars = SCJbNewArray();
278  if (js_flowvars == NULL)
279  break;
280  }
281 
282  uint8_t keybuf[fv->keylen + 1];
283  uint32_t offset = 0;
284  PrintStringsToBuffer(keybuf, &offset, fv->keylen + 1, fv->key, fv->keylen);
285 
286  uint32_t len = fv->data.fv_str.value_len;
287  uint8_t printable_buf[len + 1];
288  offset = 0;
289  PrintStringsToBuffer(printable_buf, &offset, len + 1, fv->data.fv_str.value,
290  fv->data.fv_str.value_len);
291 
292  SCJbStartObject(js_flowvars);
293  SCJbSetString(js_flowvars, (const char *)keybuf, (char *)printable_buf);
294  SCJbClose(js_flowvars);
295  } else if (fv->datatype == FLOWVAR_TYPE_INT) {
296  const char *varname = VarNameStoreLookupById(fv->idx,
298  if (varname) {
299  if (js_flowints == NULL) {
300  js_flowints = SCJbNewObject();
301  if (js_flowints == NULL)
302  break;
303  }
304  SCJbSetUint(js_flowints, varname, fv->data.fv_int.value);
305  }
306 
307  }
308  } else if (gv->type == DETECT_FLOWBITS) {
309  FlowBit *fb = (FlowBit *)gv;
310  const char *varname = VarNameStoreLookupById(fb->idx,
312  if (varname) {
313  if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) {
314  if (js_traffic_id == NULL) {
315  js_traffic_id = SCJbNewArray();
316  if (unlikely(js_traffic_id == NULL)) {
317  break;
318  }
319  }
320  SCJbAppendString(js_traffic_id, &varname[traffic_id_prefix_len]);
321  } else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) {
322  if (js_traffic_label == NULL) {
323  js_traffic_label = SCJbNewArray();
324  if (unlikely(js_traffic_label == NULL)) {
325  break;
326  }
327  }
328  SCJbAppendString(js_traffic_label, &varname[traffic_label_prefix_len]);
329  } else {
330  if (js_flowbits == NULL) {
331  js_flowbits = SCJbNewArray();
332  if (unlikely(js_flowbits == NULL))
333  break;
334  }
335  SCJbAppendString(js_flowbits, varname);
336  }
337  }
338  }
339  gv = gv->next;
340  }
341  if (js_flowbits) {
342  SCJbClose(js_flowbits);
343  SCJbSetObject(js_root, "flowbits", js_flowbits);
344  SCJbFree(js_flowbits);
345  }
346  if (js_flowints) {
347  SCJbClose(js_flowints);
348  SCJbSetObject(js_root, "flowints", js_flowints);
349  SCJbFree(js_flowints);
350  }
351  if (js_flowvars) {
352  SCJbClose(js_flowvars);
353  SCJbSetObject(js_root, "flowvars", js_flowvars);
354  SCJbFree(js_flowvars);
355  }
356 
357  if (js_traffic_id != NULL || js_traffic_label != NULL) {
358  *js_traffic = SCJbNewObject();
359  if (likely(*js_traffic != NULL)) {
360  if (js_traffic_id != NULL) {
361  SCJbClose(js_traffic_id);
362  SCJbSetObject(*js_traffic, "id", js_traffic_id);
363  SCJbFree(js_traffic_id);
364  }
365  if (js_traffic_label != NULL) {
366  SCJbClose(js_traffic_label);
367  SCJbSetObject(*js_traffic, "label", js_traffic_label);
368  SCJbFree(js_traffic_label);
369  }
370  SCJbClose(*js_traffic);
371  }
372  }
373 }
374 
375 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
376 {
377  if ((p && p->pktvar) || (f && f->flowvar)) {
378  SCJsonBuilder *js_vars = SCJbNewObject();
379  if (js_vars) {
380  if (f && f->flowvar) {
381  SCJsonBuilder *js_traffic = NULL;
382  EveAddFlowVars(f, js_vars, &js_traffic);
383  if (js_traffic != NULL) {
384  SCJbSetObject(js, "traffic", js_traffic);
385  SCJbFree(js_traffic);
386  }
387  }
388  if (p && p->pktvar) {
389  EveAddPacketVars(p, js_vars);
390  }
391  SCJbClose(js_vars);
392  SCJbSetObject(js, "metadata", js_vars);
393  SCJbFree(js_vars);
394  }
395  }
396 }
397 
398 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
399  SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
400 {
401  if (cfg->include_suricata_version) {
402  SCJbSetString(js, "suricata_version", PROG_VER);
403  }
404  if (cfg->include_metadata) {
405  EveAddMetadata(p, f, js);
406  }
407  if (cfg->include_ethernet) {
408  CreateJSONEther(js, p, f, dir);
409  }
410  if (cfg->include_community_id && f != NULL) {
411  CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
412  }
413  if (f != NULL && f->tenant_id > 0) {
414  SCJbSetUint(js, "tenant_id", f->tenant_id);
415  }
416 }
417 
418 /**
419  * \brief Jsonify a packet
420  *
421  * \param p Packet
422  * \param js JSON object
423  * \param max_length If non-zero, restricts the number of packet data bytes handled.
424  */
425 void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
426 {
427  uint32_t max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
428  SCJbSetBase64(js, "packet", GET_PKT_DATA(p), max_len);
429 
430  if (!SCJbOpenObject(js, "packet_info")) {
431  return;
432  }
433  if (!SCJbSetUint(js, "linktype", p->datalink)) {
434  SCJbClose(js);
435  return;
436  }
437 
438  const char *dl_name = DatalinkValueToName(p->datalink);
439 
440  // Intentionally ignore the return value from SCJbSetString and proceed
441  // so the jb object is closed
442  (void)SCJbSetString(js, "linktype_name", dl_name == NULL ? "n/a" : dl_name);
443 
444  SCJbClose(js);
445 }
446 
447 /** \brief jsonify tcp flags field
448  * Only add 'true' fields in an attempt to keep things reasonably compact.
449  */
450 void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
451 {
452  if (flags & TH_SYN)
453  JB_SET_TRUE(js, "syn");
454  if (flags & TH_FIN)
455  JB_SET_TRUE(js, "fin");
456  if (flags & TH_RST)
457  JB_SET_TRUE(js, "rst");
458  if (flags & TH_PUSH)
459  JB_SET_TRUE(js, "psh");
460  if (flags & TH_ACK)
461  JB_SET_TRUE(js, "ack");
462  if (flags & TH_URG)
463  JB_SET_TRUE(js, "urg");
464  if (flags & TH_ECN)
465  JB_SET_TRUE(js, "ecn");
466  if (flags & TH_CWR)
467  JB_SET_TRUE(js, "cwr");
468 }
469 
471 {
472  char srcip[46] = {0}, dstip[46] = {0};
473  Port sp, dp;
474 
475  switch (dir) {
476  case LOG_DIR_PACKET:
477  if (PacketIsIPv4(p)) {
478  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
479  srcip, sizeof(srcip));
480  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
481  dstip, sizeof(dstip));
482  } else if (PacketIsIPv6(p)) {
483  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
484  srcip, sizeof(srcip));
485  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
486  dstip, sizeof(dstip));
487  } else {
488  /* Not an IP packet so don't do anything */
489  return;
490  }
491  sp = p->sp;
492  dp = p->dp;
493  break;
494  case LOG_DIR_FLOW:
496  if ((PKT_IS_TOSERVER(p))) {
497  if (PacketIsIPv4(p)) {
498  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
499  srcip, sizeof(srcip));
500  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
501  dstip, sizeof(dstip));
502  } else if (PacketIsIPv6(p)) {
503  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
504  srcip, sizeof(srcip));
505  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
506  dstip, sizeof(dstip));
507  }
508  sp = p->sp;
509  dp = p->dp;
510  } else {
511  if (PacketIsIPv4(p)) {
512  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
513  srcip, sizeof(srcip));
514  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
515  dstip, sizeof(dstip));
516  } else if (PacketIsIPv6(p)) {
517  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
518  srcip, sizeof(srcip));
519  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
520  dstip, sizeof(dstip));
521  }
522  sp = p->dp;
523  dp = p->sp;
524  }
525  break;
527  if ((PKT_IS_TOCLIENT(p))) {
528  if (PacketIsIPv4(p)) {
529  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
530  srcip, sizeof(srcip));
531  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
532  dstip, sizeof(dstip));
533  } else if (PacketIsIPv6(p)) {
534  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
535  srcip, sizeof(srcip));
536  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
537  dstip, sizeof(dstip));
538  }
539  sp = p->sp;
540  dp = p->dp;
541  } else {
542  if (PacketIsIPv4(p)) {
543  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
544  srcip, sizeof(srcip));
545  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
546  dstip, sizeof(dstip));
547  } else if (PacketIsIPv6(p)) {
548  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
549  srcip, sizeof(srcip));
550  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
551  dstip, sizeof(dstip));
552  }
553  sp = p->dp;
554  dp = p->sp;
555  }
556  break;
557  default:
559  return;
560  }
561 
562  strlcpy(addr->src_ip, srcip, JSON_ADDR_LEN);
563  strlcpy(addr->dst_ip, dstip, JSON_ADDR_LEN);
564 
565  switch (p->proto) {
566  case IPPROTO_UDP:
567  case IPPROTO_TCP:
568  case IPPROTO_SCTP:
569  addr->sp = sp;
570  addr->dp = dp;
571  addr->log_port = true;
572  break;
573  default:
574  addr->log_port = false;
575  break;
576  }
577 
578  if (SCProtoNameValid(PacketGetIPProto(p))) {
579  strlcpy(addr->proto, known_proto[PacketGetIPProto(p)], sizeof(addr->proto));
580  } else {
581  snprintf(addr->proto, sizeof(addr->proto), "%" PRIu32, PacketGetIPProto(p));
582  }
583 }
584 
585 #define COMMUNITY_ID_BUF_SIZE 64
586 
587 static bool CalculateCommunityFlowIdv4(const Flow *f,
588  const uint16_t seed, unsigned char *base64buf)
589 {
590  struct {
591  uint16_t seed;
592  uint32_t src;
593  uint32_t dst;
594  uint8_t proto;
595  uint8_t pad0;
596  uint16_t sp;
597  uint16_t dp;
598  } __attribute__((__packed__)) ipv4;
599 
600  uint32_t src = f->src.addr_data32[0];
601  uint32_t dst = f->dst.addr_data32[0];
602  uint16_t sp = f->sp;
603  if (f->proto == IPPROTO_ICMP)
604  sp = f->icmp_s.type;
605  sp = htons(sp);
606  uint16_t dp = f->dp;
607  if (f->proto == IPPROTO_ICMP)
608  dp = f->icmp_d.type;
609  dp = htons(dp);
610 
611  ipv4.seed = htons(seed);
612  if (ntohl(src) < ntohl(dst) || (src == dst && sp < dp)) {
613  ipv4.src = src;
614  ipv4.dst = dst;
615  ipv4.sp = sp;
616  ipv4.dp = dp;
617  } else {
618  ipv4.src = dst;
619  ipv4.dst = src;
620  ipv4.sp = dp;
621  ipv4.dp = sp;
622  }
623  ipv4.proto = f->proto;
624  ipv4.pad0 = 0;
625 
626  uint8_t hash[20];
627  if (SCSha1HashBuffer((const uint8_t *)&ipv4, sizeof(ipv4), hash, sizeof(hash)) == 1) {
628  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
629  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
630  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
631  return true;
632  }
633  }
634  return false;
635 }
636 
637 static bool CalculateCommunityFlowIdv6(const Flow *f,
638  const uint16_t seed, unsigned char *base64buf)
639 {
640  struct {
641  uint16_t seed;
642  uint32_t src[4];
643  uint32_t dst[4];
644  uint8_t proto;
645  uint8_t pad0;
646  uint16_t sp;
647  uint16_t dp;
648  } __attribute__((__packed__)) ipv6;
649 
650  uint16_t sp = f->sp;
651  if (f->proto == IPPROTO_ICMPV6)
652  sp = f->icmp_s.type;
653  sp = htons(sp);
654  uint16_t dp = f->dp;
655  if (f->proto == IPPROTO_ICMPV6)
656  dp = f->icmp_d.type;
657  dp = htons(dp);
658 
659  ipv6.seed = htons(seed);
660  int cmp_r = memcmp(&f->src, &f->dst, sizeof(f->src));
661  if ((cmp_r < 0) || (cmp_r == 0 && sp < dp)) {
662  memcpy(&ipv6.src, &f->src.addr_data32, 16);
663  memcpy(&ipv6.dst, &f->dst.addr_data32, 16);
664  ipv6.sp = sp;
665  ipv6.dp = dp;
666  } else {
667  memcpy(&ipv6.src, &f->dst.addr_data32, 16);
668  memcpy(&ipv6.dst, &f->src.addr_data32, 16);
669  ipv6.sp = dp;
670  ipv6.dp = sp;
671  }
672  ipv6.proto = f->proto;
673  ipv6.pad0 = 0;
674 
675  uint8_t hash[20];
676  if (SCSha1HashBuffer((const uint8_t *)&ipv6, sizeof(ipv6), hash, sizeof(hash)) == 1) {
677  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
678  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
679  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
680  return true;
681  }
682  }
683  return false;
684 }
685 
686 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed)
687 {
688  unsigned char buf[COMMUNITY_ID_BUF_SIZE];
689  if (f->flags & FLOW_IPV4) {
690  if (CalculateCommunityFlowIdv4(f, seed, buf)) {
691  SCJbSetString(js, "community_id", (const char *)buf);
692  }
693  } else if (f->flags & FLOW_IPV6) {
694  if (CalculateCommunityFlowIdv6(f, seed, buf)) {
695  SCJbSetString(js, "community_id", (const char *)buf);
696  }
697  }
698 }
699 
700 void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
701 {
702  if (f == NULL) {
703  return;
704  }
705  int64_t flow_id = FlowGetId(f);
706  SCJbSetUint(js, "flow_id", flow_id);
707  if (f->parent_id) {
708  SCJbSetUint(js, "parent_id", f->parent_id);
709  }
710 }
711 
712 void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
713 {
714  char eth_addr[19];
715  (void) snprintf(eth_addr, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
716  val[0], val[1], val[2], val[3], val[4], val[5]);
717  if (is_array) {
718  SCJbAppendString(js, eth_addr);
719  } else {
720  SCJbSetString(js, key, eth_addr);
721  }
722 }
723 
724 /* only required to traverse the MAC address set */
725 typedef struct JSONMACAddrInfo {
726  SCJsonBuilder *src, *dst;
728 
729 static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
730 {
731  JSONMACAddrInfo *info = (JSONMACAddrInfo*) data;
732  if (side == MAC_SET_DST) {
733  JSONFormatAndAddMACAddr(info->dst, NULL, val, true);
734  } else {
735  JSONFormatAndAddMACAddr(info->src, NULL, val, true);
736  }
737  return 0;
738 }
739 
740 static int CreateJSONEther(
741  SCJsonBuilder *js, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir)
742 {
743  if (p != NULL) {
744  /* this is a packet context, so we need to add scalar fields */
745  if (PacketIsEthernet(p)) {
746  const EthernetHdr *ethh = PacketGetEthernet(p);
747  SCJbOpenObject(js, "ether");
748  SCJbSetUint(js, "ether_type", ethh->eth_type);
749  const uint8_t *src;
750  const uint8_t *dst;
751  switch (dir) {
753  // fallthrough
754  case LOG_DIR_FLOW:
755  if (PKT_IS_TOCLIENT(p)) {
756  src = ethh->eth_dst;
757  dst = ethh->eth_src;
758  } else {
759  src = ethh->eth_src;
760  dst = ethh->eth_dst;
761  }
762  break;
764  if (PKT_IS_TOSERVER(p)) {
765  src = ethh->eth_dst;
766  dst = ethh->eth_src;
767  } else {
768  src = ethh->eth_src;
769  dst = ethh->eth_dst;
770  }
771  break;
772  case LOG_DIR_PACKET:
773  default:
774  src = ethh->eth_src;
775  dst = ethh->eth_dst;
776  break;
777  }
778  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
779  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
780  SCJbClose(js);
781  } else if (f != NULL) {
782  /* When pseudopackets do not have associated ethernet metadata,
783  use the first set of mac addresses stored with their flow.
784  The first set of macs should come from the flow's first packet,
785  providing the most fitting representation of the event's ethernet. */
787  if (ms != NULL && MacSetSize(ms) > 0) {
788  uint8_t *src = MacSetGetFirst(ms, MAC_SET_SRC);
789  uint8_t *dst = MacSetGetFirst(ms, MAC_SET_DST);
790  if (dst != NULL && src != NULL) {
791  SCJbOpenObject(js, "ether");
792  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
793  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
794  SCJbClose(js);
795  }
796  }
797  }
798  } else if (f != NULL) {
799  /* we are creating an ether object in a flow context, so we need to
800  append to arrays */
802  if (ms != NULL && MacSetSize(ms) > 0) {
803  SCJbOpenObject(js, "ether");
804  JSONMACAddrInfo info;
805  info.dst = SCJbNewArray();
806  info.src = SCJbNewArray();
807  int ret = MacSetForEach(ms, MacSetIterateToJSON, &info);
808  if (unlikely(ret != 0)) {
809  /* should not happen, JSONFlowAppendMACAddrs is sane */
810  SCJbFree(info.dst);
811  SCJbFree(info.src);
812  SCJbClose(js);
813  return ret;
814  }
815  SCJbClose(info.dst);
816  SCJbClose(info.src);
817  /* case is handling netflow too so may need to revert */
818  if (dir == LOG_DIR_FLOW_TOCLIENT) {
819  SCJbSetObject(js, "dest_macs", info.src);
820  SCJbSetObject(js, "src_macs", info.dst);
821  } else {
823  SCJbSetObject(js, "dest_macs", info.dst);
824  SCJbSetObject(js, "src_macs", info.src);
825  }
826  SCJbFree(info.dst);
827  SCJbFree(info.src);
828  SCJbClose(js);
829  }
830  }
831  return 0;
832 }
833 
834 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,
835  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
836 {
837  char timebuf[64];
838  const Flow *f = (const Flow *)p->flow;
839 
840  SCJsonBuilder *js = SCJbNewObject();
841  if (unlikely(js == NULL)) {
842  return NULL;
843  }
844 
845  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
846 
847  SCJbSetString(js, "timestamp", timebuf);
848 
849  CreateEveFlowId(js, f);
850 
851  /* sensor id */
852  if (sensor_id >= 0) {
853  SCJbSetUint(js, "sensor_id", sensor_id);
854  }
855 
856  /* input interface */
857  if (p->livedev) {
858  SCJbSetString(js, "in_iface", p->livedev->dev);
859  }
860 
861  /* pcap_cnt */
862  if (p->pcap_cnt != 0) {
863  SCJbSetUint(js, "pcap_cnt", p->pcap_cnt);
864  }
865 
866  if (event_type) {
867  SCJbSetString(js, "event_type", event_type);
868  }
869 
870  /* vlan */
871  if (p->vlan_idx > 0) {
872  SCJbOpenArray(js, "vlan");
873  SCJbAppendUint(js, p->vlan_id[0]);
874  if (p->vlan_idx > 1) {
875  SCJbAppendUint(js, p->vlan_id[1]);
876  }
877  if (p->vlan_idx > 2) {
878  SCJbAppendUint(js, p->vlan_id[2]);
879  }
880  SCJbClose(js);
881  }
882 
883  /* 5-tuple */
884  JsonAddrInfo addr_info = json_addr_info_zero;
885  if (addr == NULL) {
886  JsonAddrInfoInit(p, dir, &addr_info);
887  addr = &addr_info;
888  }
889  if (addr->src_ip[0] != '\0') {
890  SCJbSetString(js, "src_ip", addr->src_ip);
891  }
892  if (addr->log_port) {
893  SCJbSetUint(js, "src_port", addr->sp);
894  }
895  if (addr->dst_ip[0] != '\0') {
896  SCJbSetString(js, "dest_ip", addr->dst_ip);
897  }
898  if (addr->log_port) {
899  SCJbSetUint(js, "dest_port", addr->dp);
900  }
901  if (addr->proto[0] != '\0') {
902  SCJbSetString(js, "proto", addr->proto);
903  }
904 
905  /* ip version */
906  if (PacketIsIPv4(p)) {
907  SCJbSetUint(js, "ip_v", 4);
908  } else if (PacketIsIPv6(p)) {
909  SCJbSetUint(js, "ip_v", 6);
910  }
911 
912  /* icmp */
913  switch (p->proto) {
914  case IPPROTO_ICMP:
915  if (PacketIsICMPv4(p)) {
916  SCJbSetUint(js, "icmp_type", p->icmp_s.type);
917  SCJbSetUint(js, "icmp_code", p->icmp_s.code);
918  }
919  break;
920  case IPPROTO_ICMPV6:
921  if (PacketIsICMPv6(p)) {
922  SCJbSetUint(js, "icmp_type", PacketGetICMPv6(p)->type);
923  SCJbSetUint(js, "icmp_code", PacketGetICMPv6(p)->code);
924  }
925  break;
926  }
927 
928  SCJbSetString(js, "pkt_src", PktSrcToString(p->pkt_src));
929 
930  if (eve_ctx != NULL) {
931  EveAddCommonOptions(&eve_ctx->cfg, p, f, js, dir);
932  }
933 
934  return js;
935 }
936 
937 SCJsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir,
938  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
939 {
940  SCJsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, eve_ctx);
941  if (unlikely(js == NULL))
942  return NULL;
943 
944  /* tx id for correlation with other events */
945  SCJbSetUint(js, "tx_id", tx_id);
946 
947  return js;
948 }
949 
950 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
951 {
952  OutputJSONMemBufferWrapper *wrapper = data;
953  MemBuffer **memb = wrapper->buffer;
954 
955  if (MEMBUFFER_OFFSET(*memb) + size >= MEMBUFFER_SIZE(*memb)) {
956  MemBufferExpand(memb, wrapper->expand_by);
957  }
958 
959  DEBUG_VALIDATE_BUG_ON(size > UINT32_MAX);
960  MemBufferWriteRaw((*memb), (const uint8_t *)str, (uint32_t)size);
961  return 0;
962 }
963 
964 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
965 {
966  if (file_ctx->sensor_name) {
967  json_object_set_new(js, "host",
968  json_string(file_ctx->sensor_name));
969  }
970 
971  if (file_ctx->is_pcap_offline) {
972  json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
973  }
974 
975  if (file_ctx->prefix) {
976  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
977  }
978 
979  OutputJSONMemBufferWrapper wrapper = {
980  .buffer = buffer,
981  .expand_by = JSON_OUTPUT_BUFFER_SIZE
982  };
983 
984  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
985  file_ctx->json_flags);
986  if (r != 0)
987  return TM_ECODE_OK;
988 
989  LogFileWrite(file_ctx, *buffer);
990  return 0;
991 }
992 
994 {
995  LogFileCtx *file_ctx = ctx->file_ctx;
996  LogFileFlush(file_ctx);
997 }
998 
1000  ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
1001 {
1002  LogFileCtx *file_ctx = ctx->file_ctx;
1003  MemBuffer **buffer = &ctx->buffer;
1004  if (file_ctx->sensor_name) {
1005  SCJbSetString(js, "host", file_ctx->sensor_name);
1006  }
1007 
1008  if (file_ctx->is_pcap_offline) {
1009  SCJbSetString(js, "pcap_filename", PcapFileGetFilename());
1010  }
1011 
1012  SCEveRunCallbacks(tv, p, f, js);
1013 
1014  SCJbClose(js);
1015 
1016  MemBufferReset(*buffer);
1017 
1018  if (file_ctx->prefix) {
1019  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
1020  }
1021 
1022  size_t jslen = SCJbLen(js);
1023  DEBUG_VALIDATE_BUG_ON(SCJbLen(js) > UINT32_MAX);
1024  size_t remaining = MEMBUFFER_SIZE(*buffer) - MEMBUFFER_OFFSET(*buffer);
1025  if (jslen >= remaining) {
1026  size_t expand_by = jslen + 1 - remaining;
1027  if (MemBufferExpand(buffer, (uint32_t)expand_by) < 0) {
1028  if (!ctx->too_large_warning) {
1029  /* Log a warning once, and include enough of the log
1030  * message to hopefully identify the event_type. */
1031  char partial[120];
1032  size_t partial_len = MIN(sizeof(partial), jslen);
1033  memcpy(partial, SCJbPtr(js), partial_len - 1);
1034  partial[partial_len - 1] = '\0';
1035  SCLogWarning("Formatted JSON EVE record too large, will be dropped: %s", partial);
1036  ctx->too_large_warning = true;
1037  }
1038  return;
1039  }
1040  }
1041 
1042  MemBufferWriteRaw((*buffer), SCJbPtr(js), (uint32_t)jslen);
1043  LogFileWrite(file_ctx, *buffer);
1044 }
1045 
1046 static inline enum LogFileType FileTypeFromConf(const char *typestr)
1047 {
1048  enum LogFileType log_filetype = LOGFILE_TYPE_NOTSET;
1049 
1050  if (typestr == NULL) {
1051  log_filetype = LOGFILE_TYPE_FILE;
1052  } else if (strcmp(typestr, "file") == 0 || strcmp(typestr, "regular") == 0) {
1053  log_filetype = LOGFILE_TYPE_FILE;
1054  } else if (strcmp(typestr, "unix_dgram") == 0) {
1055  log_filetype = LOGFILE_TYPE_UNIX_DGRAM;
1056  } else if (strcmp(typestr, "unix_stream") == 0) {
1057  log_filetype = LOGFILE_TYPE_UNIX_STREAM;
1058  } else if (strcmp(typestr, "redis") == 0) {
1059 #ifdef HAVE_LIBHIREDIS
1060  log_filetype = LOGFILE_TYPE_REDIS;
1061 #else
1062  FatalError("redis JSON output option is not compiled");
1063 #endif
1064  }
1065  SCLogDebug("type %s, file type value %d", typestr, log_filetype);
1066  return log_filetype;
1067 }
1068 
1069 static int LogFileTypePrepare(
1070  OutputJsonCtx *json_ctx, enum LogFileType log_filetype, SCConfNode *conf)
1071 {
1072 
1073  if (log_filetype == LOGFILE_TYPE_FILE || log_filetype == LOGFILE_TYPE_UNIX_DGRAM ||
1074  log_filetype == LOGFILE_TYPE_UNIX_STREAM) {
1075  if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
1076  return -1;
1077  }
1078  }
1079 #ifdef HAVE_LIBHIREDIS
1080  else if (log_filetype == LOGFILE_TYPE_REDIS) {
1081  SCLogRedisInit();
1082  SCConfNode *redis_node = SCConfNodeLookupChild(conf, "redis");
1083  if (!json_ctx->file_ctx->sensor_name) {
1084  char hostname[1024];
1085  gethostname(hostname, 1023);
1086  json_ctx->file_ctx->sensor_name = SCStrdup(hostname);
1087  }
1088  if (json_ctx->file_ctx->sensor_name == NULL) {
1089  return -1;
1090  }
1091 
1092  if (SCConfLogOpenRedis(redis_node, json_ctx->file_ctx) < 0) {
1093  return -1;
1094  }
1095  }
1096 #endif
1097  else if (log_filetype == LOGFILE_TYPE_FILETYPE) {
1098  if (json_ctx->file_ctx->threaded) {
1099  /* Prepare for threaded log output. */
1100  if (!SCLogOpenThreadedFile(NULL, NULL, json_ctx->file_ctx)) {
1101  return -1;
1102  }
1103  }
1104  if (json_ctx->filetype->Init(conf, json_ctx->file_ctx->threaded,
1105  &json_ctx->file_ctx->filetype.init_data) < 0) {
1106  return -1;
1107  }
1108  if (json_ctx->filetype->ThreadInit) {
1109  if (json_ctx->filetype->ThreadInit(json_ctx->file_ctx->filetype.init_data, 0,
1110  &json_ctx->file_ctx->filetype.thread_data) < 0) {
1111  return -1;
1112  }
1113  }
1114  json_ctx->file_ctx->filetype.filetype = json_ctx->filetype;
1115  }
1116 
1117  return 0;
1118 }
1119 
1120 /**
1121  * \brief Create a new LogFileCtx for "fast" output style.
1122  * \param conf The configuration node for this output.
1123  * \return A LogFileCtx pointer on success, NULL on failure.
1124  */
1126 {
1127  OutputInitResult result = { NULL, false };
1128  OutputCtx *output_ctx = NULL;
1129 
1130  OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));
1131  if (unlikely(json_ctx == NULL)) {
1132  SCLogDebug("could not create new OutputJsonCtx");
1133  return result;
1134  }
1135 
1136  /* First lookup a sensor-name value in this outputs configuration
1137  * node (deprecated). If that fails, lookup the global one. */
1138  const char *sensor_name = SCConfNodeLookupChildValue(conf, "sensor-name");
1139  if (sensor_name != NULL) {
1140  SCLogWarning("Found deprecated eve-log setting \"sensor-name\". "
1141  "Please set sensor-name globally.");
1142  }
1143  else {
1144  (void)SCConfGet("sensor-name", &sensor_name);
1145  }
1146 
1147  json_ctx->file_ctx = LogFileNewCtx();
1148  if (unlikely(json_ctx->file_ctx == NULL)) {
1149  SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
1150  goto error_exit;
1151  }
1152 
1153  if (sensor_name) {
1154  json_ctx->file_ctx->sensor_name = SCStrdup(sensor_name);
1155  if (json_ctx->file_ctx->sensor_name == NULL) {
1156  goto error_exit;
1157  }
1158  } else {
1159  json_ctx->file_ctx->sensor_name = NULL;
1160  }
1161 
1162  output_ctx = SCCalloc(1, sizeof(OutputCtx));
1163  if (unlikely(output_ctx == NULL)) {
1164  goto error_exit;
1165  }
1166 
1167  output_ctx->data = json_ctx;
1168  output_ctx->DeInit = OutputJsonDeInitCtx;
1169 
1170  if (conf) {
1171  const char *output_s = SCConfNodeLookupChildValue(conf, "filetype");
1172  // Backwards compatibility
1173  if (output_s == NULL) {
1174  output_s = SCConfNodeLookupChildValue(conf, "type");
1175  }
1176 
1177  enum LogFileType log_filetype = FileTypeFromConf(output_s);
1178  if (log_filetype == LOGFILE_TYPE_NOTSET) {
1179  SCEveFileType *filetype = SCEveFindFileType(output_s);
1180  if (filetype != NULL) {
1181  log_filetype = LOGFILE_TYPE_FILETYPE;
1182  json_ctx->filetype = filetype;
1183  } else
1184  FatalError("Invalid JSON output option: %s", output_s);
1185  }
1186 
1187  const char *prefix = SCConfNodeLookupChildValue(conf, "prefix");
1188  if (prefix != NULL)
1189  {
1190  SCLogInfo("Using prefix '%s' for JSON messages", prefix);
1191  json_ctx->file_ctx->prefix = SCStrdup(prefix);
1192  if (json_ctx->file_ctx->prefix == NULL)
1193  {
1194  FatalError("Failed to allocate memory for eve-log.prefix setting.");
1195  }
1196  json_ctx->file_ctx->prefix_len = (uint32_t)strlen(prefix);
1197  }
1198 
1199  /* Threaded file output */
1200  const SCConfNode *threaded = SCConfNodeLookupChild(conf, "threaded");
1201  if (threaded && threaded->val && SCConfValIsTrue(threaded->val)) {
1202  SCLogConfig("Threaded EVE logging configured");
1203  json_ctx->file_ctx->threaded = true;
1204  } else {
1205  json_ctx->file_ctx->threaded = false;
1206  }
1207  if (LogFileTypePrepare(json_ctx, log_filetype, conf) < 0) {
1208  goto error_exit;
1209  }
1210 
1211  const char *sensor_id_s = SCConfNodeLookupChildValue(conf, "sensor-id");
1212  if (sensor_id_s != NULL) {
1213  if (StringParseUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) < 0) {
1214  FatalError("Failed to initialize JSON output, "
1215  "invalid sensor-id: %s",
1216  sensor_id_s);
1217  }
1218  }
1219 
1220  /* Check if top-level metadata should be logged. */
1221  const SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
1222  if (metadata && metadata->val && SCConfValIsFalse(metadata->val)) {
1223  SCLogConfig("Disabling eve metadata logging.");
1224  json_ctx->cfg.include_metadata = false;
1225  } else {
1226  json_ctx->cfg.include_metadata = true;
1227  }
1228 
1229  /* Check if ethernet information should be logged. */
1230  const SCConfNode *ethernet = SCConfNodeLookupChild(conf, "ethernet");
1231  if (ethernet && ethernet->val && SCConfValIsTrue(ethernet->val)) {
1232  SCLogConfig("Enabling Ethernet MAC address logging.");
1233  json_ctx->cfg.include_ethernet = true;
1234  } else {
1235  json_ctx->cfg.include_ethernet = false;
1236  }
1237 
1238  const SCConfNode *suriver = SCConfNodeLookupChild(conf, "suricata-version");
1239  if (suriver && suriver->val && SCConfValIsTrue(suriver->val)) {
1240  SCLogConfig("Enabling Suricata version logging.");
1241  json_ctx->cfg.include_suricata_version = true;
1242  } else {
1243  json_ctx->cfg.include_suricata_version = false;
1244  }
1245 
1246  /* See if we want to enable the community id */
1247  const SCConfNode *community_id = SCConfNodeLookupChild(conf, "community-id");
1248  if (community_id && community_id->val && SCConfValIsTrue(community_id->val)) {
1249  SCLogConfig("Enabling eve community_id logging.");
1250  json_ctx->cfg.include_community_id = true;
1251  } else {
1252  json_ctx->cfg.include_community_id = false;
1253  }
1254  const char *cid_seed = SCConfNodeLookupChildValue(conf, "community-id-seed");
1255  if (cid_seed != NULL) {
1256  if (StringParseUint16(&json_ctx->cfg.community_id_seed,
1257  10, 0, cid_seed) < 0)
1258  {
1259  FatalError("Failed to initialize JSON output, "
1260  "invalid community-id-seed: %s",
1261  cid_seed);
1262  }
1263  }
1264 
1265  /* Do we have a global eve xff configuration? */
1266  const SCConfNode *xff = SCConfNodeLookupChild(conf, "xff");
1267  if (xff != NULL) {
1268  json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1269  if (likely(json_ctx->xff_cfg != NULL)) {
1270  HttpXFFGetCfg(conf, json_ctx->xff_cfg);
1271  }
1272  }
1273 
1274  const char *pcapfile_s = SCConfNodeLookupChildValue(conf, "pcap-file");
1275  if (pcapfile_s != NULL && SCConfValIsTrue(pcapfile_s)) {
1276  json_ctx->file_ctx->is_pcap_offline =
1278  }
1279  json_ctx->file_ctx->type = log_filetype;
1280  }
1281 
1282  SCLogDebug("returning output_ctx %p", output_ctx);
1283 
1284  result.ctx = output_ctx;
1285  result.ok = true;
1286  return result;
1287 
1288 error_exit:
1289  if (json_ctx->file_ctx) {
1290  if (json_ctx->file_ctx->prefix) {
1291  SCFree(json_ctx->file_ctx->prefix);
1292  }
1293  LogFileFreeCtx(json_ctx->file_ctx);
1294  }
1295  SCFree(json_ctx);
1296 
1297  if (output_ctx) {
1298  SCFree(output_ctx);
1299  }
1300  return result;
1301 }
1302 
1303 static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
1304 {
1305  OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data;
1306  LogFileCtx *logfile_ctx = json_ctx->file_ctx;
1307  if (logfile_ctx->dropped) {
1308  SCLogWarning("%" PRIu64 " events were dropped due to slow or "
1309  "disconnected socket",
1310  logfile_ctx->dropped);
1311  }
1312  if (json_ctx->xff_cfg != NULL) {
1313  SCFree(json_ctx->xff_cfg);
1314  }
1315  LogFileFreeCtx(logfile_ctx);
1316  SCFree(json_ctx);
1317  SCFree(output_ctx);
1318 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:239
util-device-private.h
util-byte.h
MacSetSide
MacSetSide
Definition: util-macset.h:28
Packet_::proto
uint8_t proto
Definition: decode.h:514
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:993
pad0
uint8_t pad0
Definition: decode-template.h:1
FlowVar_::data
union FlowVar_::@114 data
SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition: output-eve-bindgen.h:31
len
uint8_t len
Definition: app-layer-dnp3.h:2
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:551
detect-engine.h
LOGFILE_TYPE_REDIS
@ LOGFILE_TYPE_REDIS
Definition: util-logopenfile.h:42
LogFileCtx_::sensor_name
char * sensor_name
Definition: util-logopenfile.h:115
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:78
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:692
MemBufferExpand
int MemBufferExpand(MemBuffer **buffer, uint32_t expand_by)
expand membuffer by size of 'expand_by'
Definition: util-buffer.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:270
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:617
Flow_::proto
uint8_t proto
Definition: flow.h:378
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:40
LogFileFlush
void LogFileFlush(LogFileCtx *file_ctx)
Definition: util-logopenfile.c:971
FLOWVAR_TYPE_STR
#define FLOWVAR_TYPE_STR
Definition: flow-var.h:33
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:834
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:56
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
util-macset.h
OutputJsonCtx_
Definition: output-json.h:75
LogFileCtx_::json_flags
size_t json_flags
Definition: util-logopenfile.h:150
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:520
Flow_
Flow data structure.
Definition: flow.h:356
File_::state
FileState state
Definition: util-file.h:82
OutputJsonCommonSettings_
Definition: output-json.h:64
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
util-syslog.h
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
Packet_::icmp_s
struct Packet_::@23::@30 icmp_s
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:350
PktVar_::next
struct PktVar_ * next
Definition: decode.h:306
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:85
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:58
FlowVar_::keylen
FlowVarKeyLenType keylen
Definition: flow-var.h:52
LOGFILE_TYPE_NOTSET
@ LOGFILE_TYPE_NOTSET
Definition: util-logopenfile.h:45
SCProtoNameValid
bool SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:453
EveTcpFlags
void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:450
output-eve-null.h
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
flow-bit.h
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
util-log-redis.h
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-eve-bindgen.h:35
COMMUNITY_ID_BUF_SIZE
#define COMMUNITY_ID_BUF_SIZE
Definition: output-json.c:585
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:66
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:576
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:60
known_proto
const char * known_proto[256]
Definition: util-proto-name.c:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:999
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:73
proto
uint8_t proto
Definition: decode-template.h:0
CreateEveFlowId
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
Definition: output-json.c:700
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
Flow_::dp
Port dp
Definition: flow.h:372
JSONMACAddrInfo::dst
SCJsonBuilder * dst
Definition: output-json.c:726
FLOWVAR_TYPE_INT
#define FLOWVAR_TYPE_INT
Definition: flow-var.h:34
JSONMACAddrInfo
struct JSONMACAddrInfo JSONMACAddrInfo
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:96
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:204
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
OutputJsonCommonSettings_::include_suricata_version
bool include_suricata_version
Definition: output-json.h:68
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
OutputCtx_
Definition: tm-modules.h:84
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputJsonThreadCtx_
Definition: output-json.h:83
Packet_::datalink
int datalink
Definition: decode.h:630
File_::name_len
uint16_t name_len
Definition: util-file.h:81
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:59
__attribute__
enum @12 __attribute__
DNP3 application header.
LogFileCtx_::filetype
LogFileTypeCtx filetype
Definition: util-logopenfile.h:91
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:470
Flow_::dst
FlowAddress dst
Definition: flow.h:359
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:94
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:266
LogFileWrite
int LogFileWrite(LogFileCtx *file_ctx, MemBuffer *buffer)
Definition: util-logopenfile.c:977
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:26
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:588
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:55
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:199
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json.c:66
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
Definition: output-json.c:398
File_::end
uint64_t end
Definition: util-file.h:106
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:62
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LogFileCtx_::prefix_len
uint32_t prefix_len
Definition: util-logopenfile.h:132
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:60
Packet_::ts
SCTime_t ts
Definition: decode.h:546
output-json.h
FlowVar_::idx
uint32_t idx
Definition: flow-var.h:53
JSONMACAddrInfo
Definition: output-json.c:725
PktVar_::value
uint8_t * value
Definition: decode.h:312
OutputRegisterModule
void OutputRegisterModule(const char *, const char *, OutputInitFunc)
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1125
util-print.h
FlowVar_::key
uint8_t * key
Definition: flow-var.h:61
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:231
Packet_::sp
Port sp
Definition: decode.h:499
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:326
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:827
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:27
OutputInitResult_::ok
bool ok
Definition: output.h:48
LiveDevice_::dev
char * dev
Definition: util-device-private.h:33
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:250
PktVar_::key
uint8_t * key
Definition: decode.h:311
SyslogInitialize
void SyslogInitialize(void)
Definition: output-eve-syslog.c:99
LogFileCtx_::type
enum LogFileType type
Definition: util-logopenfile.h:103
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-eve-bindgen.h:33
LOGFILE_TYPE_FILE
@ LOGFILE_TYPE_FILE
Definition: util-logopenfile.h:39
MAC_SET_DST
@ MAC_SET_DST
Definition: util-macset.h:30
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:48
JsonAddrInfo_
Definition: output-json.h:41
source-pcap-file-helper.h
NullLogInitialize
void NullLogInitialize(void)
Definition: output-eve-null.c:66
Packet_
Definition: decode.h:492
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
OutputJSONMemBufferWrapper_
Definition: output-json.h:59
type
uint16_t type
Definition: decode-vlan.c:106
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
MacSet_
Definition: util-macset.c:45
conf.h
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:712
Port
uint16_t Port
Definition: decode.h:218
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:609
File_::name
uint8_t * name
Definition: util-file.h:88
TH_ECN
#define TH_ECN
Definition: decode-tcp.h:41
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOGFILE_TYPE_UNIX_DGRAM
@ LOGFILE_TYPE_UNIX_DGRAM
Definition: util-logopenfile.h:40
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:115
LogFileTypeCtx_::thread_data
void * thread_data
Definition: util-logopenfile.h:68
SCLogOpenThreadedFile
bool SCLogOpenThreadedFile(const char *log_path, const char *append, LogFileCtx *parent_ctx)
Definition: util-logopenfile.c:361
util-proto-name.h
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:67
File_::sid
uint32_t * sid
Definition: util-file.h:108
LOGFILE_TYPE_UNIX_STREAM
@ LOGFILE_TYPE_UNIX_STREAM
Definition: util-logopenfile.h:41
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:425
MemBuffer_
Definition: util-buffer.h:27
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:109
TH_URG
#define TH_URG
Definition: decode-tcp.h:39
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:225
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition: output-json.c:375
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:45
Flow_::src
FlowAddress src
Definition: flow.h:359
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:489
SCEveFileType_::Init
int(* Init)(const SCConfNode *conf, const bool threaded, void **init_data)
Function to initialize this filetype.
Definition: output-eve.h:104
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:65
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
MAC_SET_SRC
@ MAC_SET_SRC
Definition: util-macset.h:29
File_::flags
uint16_t flags
Definition: util-file.h:80
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
flow-storage.h
OutputInitResult_
Definition: output.h:46
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:39
Packet_::flow
struct Flow_ * flow
Definition: decode.h:537
StringParseUint64
int StringParseUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:308
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:198
PrintBufferData
#define PrintBufferData(buf, buf_offset_ptr, buf_size,...)
Definition: util-print.h:27
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:61
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:102
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
LogFileTypeCtx_::init_data
void * init_data
Definition: util-logopenfile.h:67
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time.
Definition: util-var-name.c:298
MacSetSize
int MacSetSize(const MacSet *ms)
Definition: util-macset.c:247
GenericVar_
Definition: util-var.h:51
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
Flow_::icmp_d
struct Flow_::@121::@127 icmp_d
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:906
output-eve-syslog.h
util-classification-config.h
CreateEveHeaderWithTxId
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:937
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:503
Flow_::parent_id
int64_t parent_id
Definition: flow.h:430
FlowBit_::idx
uint32_t idx
Definition: flow-bit.h:33
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:59
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:98
File_::start
uint64_t start
Definition: util-file.h:105
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:28
util-optimize.h
util-validate.h
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
FlowBit_
Definition: flow-bit.h:30
str
#define str(s)
Definition: suricata-common.h:308
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(SCConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:466
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:203
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:602
util-logopenfile.h
MacSetGetFirst
uint8_t * MacSetGetFirst(const MacSet *ms, MacSetSide side)
Definition: util-macset.c:234
MEMBUFFER_SIZE
#define MEMBUFFER_SIZE(mem_buffer)
Get the MemBuffers current size.
Definition: util-buffer.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:421
src
uint16_t src
Definition: app-layer-dnp3.h:5
util-buffer.h
TH_CWR
#define TH_CWR
Definition: decode-tcp.h:43
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:38
MacSetForEach
int MacSetForEach(const MacSet *ms, MacSetIteratorFunc IterFunc, void *data)
Definition: util-macset.c:221
LogFileCtx_::prefix
char * prefix
Definition: util-logopenfile.h:131
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
LogFileCtx_::is_pcap_offline
bool is_pcap_offline
Definition: util-logopenfile.h:156
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition: source-pcap-file-helper.c:118
GenericVar_::type
uint16_t type
Definition: util-var.h:52
PktVar_::value_len
uint16_t value_len
Definition: decode.h:310
MAX_JSON_SIZE
#define MAX_JSON_SIZE
Definition: output-json.c:69
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:950
JSONMACAddrInfo::src
SCJsonBuilder * src
Definition: output-json.c:726
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:964
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
LogFileType
LogFileType
Definition: util-logopenfile.h:38
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
SCEveFindFileType
SCEveFileType * SCEveFindFileType(const char *name)
Definition: output-eve.c:82
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-eve-bindgen.h:34
PktVar_
Definition: decode.h:304
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:519
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1217
SCEveFileType_::ThreadInit
int(* ThreadInit)(const void *init_data, const ThreadId thread_id, void **thread_data)
Initialize thread specific data.
Definition: output-eve.h:125
Flow_::sp
Port sp
Definition: flow.h:361
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
PROG_VER
#define PROG_VER
Definition: suricata.h:76
LogFileTypeCtx_::filetype
SCEveFileType * filetype
Definition: util-logopenfile.h:66
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:69
flow.h
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
Packet_::dp
Port dp
Definition: decode.h:507
PktVar_::key_len
uint16_t key_len
Definition: decode.h:309
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:37
flow-var.h
SCConfNode_::val
char * val
Definition: conf.h:39
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:75
FlowVar_
Definition: flow-var.h:49
Flow_::icmp_s
struct Flow_::@119::@125 icmp_s
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:416
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
LOGFILE_TYPE_FILETYPE
@ LOGFILE_TYPE_FILETYPE
Definition: util-logopenfile.h:44
FlowVar_::datatype
uint8_t datatype
Definition: flow-var.h:51
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:59
output.h
PktVar_::id
uint32_t id
Definition: decode.h:305
SCEveRunCallbacks
void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *jb)
Definition: output-eve.c:53
LogFileCtx_::threaded
bool threaded
Definition: util-logopenfile.h:98
MODULE_NAME
#define MODULE_NAME
Definition: output-json.c:67
SCEveFileType_
Structure used to define an EVE output file type plugin.
Definition: output-eve.h:74
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:80