suricata
output-json.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs detection and monitoring events in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 #include "conf.h"
30 
31 #include "util-debug.h"
32 #include "util-time.h"
33 #include "util-var-name.h"
34 #include "util-macset.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 
39 #include "detect-engine.h"
40 #include "util-classification-config.h"
41 #include "util-syslog.h"
42 
43 /* Internal output plugins */
44 #include "output-eve-syslog.h"
45 #include "output-eve-null.h"
46 
47 #include "output.h"
48 #include "output-json.h"
49 
50 #include "util-byte.h"
51 #include "util-print.h"
52 #include "util-proto-name.h"
53 #include "util-optimize.h"
54 #include "util-buffer.h"
55 #include "util-logopenfile.h"
56 #include "util-log-redis.h"
57 #include "util-device-private.h"
58 #include "util-validate.h"
59 
60 #include "flow-var.h"
61 #include "flow-bit.h"
62 #include "flow-storage.h"
63 
64 #include "source-pcap-file-helper.h"
65 
66 #define DEFAULT_LOG_FILENAME "eve.json"
67 #define MODULE_NAME "OutputJSON"
68 
69 #define MAX_JSON_SIZE 2048
70 
71 static void OutputJsonDeInitCtx(OutputCtx *);
72 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed);
73 static int CreateJSONEther(
74  SCJsonBuilder *parent, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir);
75 
76 static const char *TRAFFIC_ID_PREFIX = "traffic/id/";
77 static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
78 static size_t traffic_id_prefix_len = 0;
79 static size_t traffic_label_prefix_len = 0;
80 
81 const JsonAddrInfo json_addr_info_zero;
82 
83 void OutputJsonRegister (void)
84 {
85  OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
86 
87  traffic_id_prefix_len = strlen(TRAFFIC_ID_PREFIX);
88  traffic_label_prefix_len = strlen(TRAFFIC_LABEL_PREFIX);
89 
90  // Register output file types that use the new eve filetype registration
91  // API.
92  SyslogInitialize();
93  NullLogInitialize();
94 }
95 
96 json_t *SCJsonString(const char *val)
97 {
98  if (val == NULL){
99  return NULL;
100  }
101  json_t * retval = json_string(val);
102  char retbuf[MAX_JSON_SIZE] = {0};
103  if (retval == NULL) {
104  uint32_t u = 0;
105  uint32_t offset = 0;
106  for (u = 0; u < strlen(val); u++) {
107  if (isprint(val[u])) {
108  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1, "%c",
109  val[u]);
110  } else {
111  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1,
112  "\\x%02X", val[u]);
113  }
114  }
115  retbuf[offset] = '\0';
116  retval = json_string(retbuf);
117  }
118  return retval;
119 }
120 
121 /* Default Sensor ID value */
122 static int64_t sensor_id = -1; /* -1 = not defined */
123 
124 void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
125 {
126  SCJbSetStringFromBytes(jb, "filename", ff->name, ff->name_len);
127 
128  if (ff->sid_cnt > 0) {
129  SCJbOpenArray(jb, "sid");
130  for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
131  SCJbAppendUint(jb, ff->sid[i]);
132  }
133  SCJbClose(jb);
134  }
135 
136 #ifdef HAVE_MAGIC
137  if (ff->magic)
138  SCJbSetString(jb, "magic", (char *)ff->magic);
139 #endif
140  SCJbSetBool(jb, "gaps", ff->flags & FILE_HAS_GAPS);
141  switch (ff->state) {
142  case FILE_STATE_CLOSED:
143  JB_SET_STRING(jb, "state", "CLOSED");
144  if (ff->flags & FILE_MD5) {
145  SCJbSetHex(jb, "md5", (uint8_t *)ff->md5, (uint32_t)sizeof(ff->md5));
146  }
147  if (ff->flags & FILE_SHA1) {
148  SCJbSetHex(jb, "sha1", (uint8_t *)ff->sha1, (uint32_t)sizeof(ff->sha1));
149  }
150  break;
151  case FILE_STATE_TRUNCATED:
152  JB_SET_STRING(jb, "state", "TRUNCATED");
153  break;
154  case FILE_STATE_ERROR:
155  JB_SET_STRING(jb, "state", "ERROR");
156  break;
157  default:
158  JB_SET_STRING(jb, "state", "UNKNOWN");
159  break;
160  }
161 
162  if (ff->flags & FILE_SHA256) {
163  SCJbSetHex(jb, "sha256", (uint8_t *)ff->sha256, (uint32_t)sizeof(ff->sha256));
164  }
165 
166  if (flags & FILE_STORED) {
167  JB_SET_TRUE(jb, "stored");
168  SCJbSetUint(jb, "file_id", ff->file_store_id);
169  } else {
170  JB_SET_FALSE(jb, "stored");
171  if (flags & FILE_STORE) {
172  JB_SET_TRUE(jb, "storing");
173  }
174  }
175 
176  SCJbSetUint(jb, "size", FileTrackedSize(ff));
177  if (ff->end > 0) {
178  SCJbSetUint(jb, "start", ff->start);
179  SCJbSetUint(jb, "end", ff->end);
180  }
181  SCJbSetUint(jb, "tx_id", tx_id);
182 }
183 
184 static void EveAddPacketVars(const Packet *p, SCJsonBuilder *js_vars)
185 {
186  if (p == NULL || p->pktvar == NULL) {
187  return;
188  }
189  PktVar *pv = p->pktvar;
190  bool open = false;
191  while (pv != NULL) {
192  if (pv->key || pv->id > 0) {
193  if (!open) {
194  SCJbOpenArray(js_vars, "pktvars");
195  open = true;
196  }
197  SCJbStartObject(js_vars);
198 
199  if (pv->key != NULL) {
200  uint32_t offset = 0;
201  DEBUG_VALIDATE_BUG_ON(pv->key_len > UINT16_MAX);
202  uint8_t keybuf[pv->key_len + 1];
203  PrintStringsToBuffer(keybuf, &offset, pv->key_len + 1, pv->key, pv->key_len);
204  SCJbSetPrintAsciiString(js_vars, (char *)keybuf, pv->value, pv->value_len);
205  } else {
206  const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
207  SCJbSetPrintAsciiString(js_vars, varname, pv->value, pv->value_len);
208  }
209  SCJbClose(js_vars);
210  }
211  pv = pv->next;
212  }
213  if (open) {
214  SCJbClose(js_vars);
215  }
216 }
217 
218 /**
219  * \brief Check if string s has prefix prefix.
220  *
221  * \retval true if string has prefix
222  * \retval false if string does not have prefix
223  *
224  * TODO: Move to file with other string handling functions.
225  */
226 static bool SCStringHasPrefix(const char *s, const char *prefix)
227 {
228  if (strncmp(s, prefix, strlen(prefix)) == 0) {
229  return true;
230  }
231  return false;
232 }
233 
234 static void EveAddFlowVars(const Flow *f, SCJsonBuilder *js_root, SCJsonBuilder **js_traffic)
235 {
236  if (f == NULL || f->flowvar == NULL) {
237  return;
238  }
239  SCJsonBuilder *js_flowvars = NULL;
240  SCJsonBuilder *js_traffic_id = NULL;
241  SCJsonBuilder *js_traffic_label = NULL;
242  SCJsonBuilder *js_flowints = NULL;
243  SCJsonBuilder *js_entropyvals = NULL;
244  SCJsonBuilder *js_flowbits = NULL;
245  GenericVar *gv = f->flowvar;
246  while (gv != NULL) {
247  if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
248  FlowVar *fv = (FlowVar *)gv;
249  if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
250  const char *varname = VarNameStoreLookupById(fv->idx,
251  VAR_TYPE_FLOW_VAR);
252  if (varname) {
253  if (js_flowvars == NULL) {
254  js_flowvars = SCJbNewArray();
255  if (js_flowvars == NULL)
256  break;
257  }
258 
259  SCJbStartObject(js_flowvars);
260  SCJbSetPrintAsciiString(
261  js_flowvars, varname, fv->data.fv_str.value, fv->data.fv_str.value_len);
262  SCJbClose(js_flowvars);
263  }
264  } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
265  if (js_flowvars == NULL) {
266  js_flowvars = SCJbNewArray();
267  if (js_flowvars == NULL)
268  break;
269  }
270 
271  // fv->keylen is uint16
272  uint8_t keybuf[fv->keylen + 1];
273  uint32_t offset = 0;
274  PrintStringsToBuffer(keybuf, &offset, fv->keylen + 1, fv->key, fv->keylen);
275 
276  SCJbStartObject(js_flowvars);
277  SCJbSetPrintAsciiString(js_flowvars, (const char *)keybuf, fv->data.fv_str.value,
278  fv->data.fv_str.value_len);
279  SCJbClose(js_flowvars);
280  } else if (fv->datatype == FLOWVAR_TYPE_FLOAT) {
281  const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_FLOAT);
282  if (varname) {
283  if (js_entropyvals == NULL) {
284  js_entropyvals = SCJbNewObject();
285  if (js_entropyvals == NULL)
286  break;
287  }
288  SCJbSetFloat(js_entropyvals, varname, fv->data.fv_float.value);
289  }
290 
291  } else if (fv->datatype == FLOWVAR_TYPE_INT) {
292  const char *varname = VarNameStoreLookupById(fv->idx,
293  VAR_TYPE_FLOW_INT);
294  if (varname) {
295  if (js_flowints == NULL) {
296  js_flowints = SCJbNewObject();
297  if (js_flowints == NULL)
298  break;
299  }
300  SCJbSetUint(js_flowints, varname, fv->data.fv_int.value);
301  }
302  }
303  } else if (gv->type == DETECT_FLOWBITS) {
304  FlowBit *fb = (FlowBit *)gv;
305  const char *varname = VarNameStoreLookupById(fb->idx,
306  VAR_TYPE_FLOW_BIT);
307  if (varname) {
308  if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) {
309  if (js_traffic_id == NULL) {
310  js_traffic_id = SCJbNewArray();
311  if (unlikely(js_traffic_id == NULL)) {
312  break;
313  }
314  }
315  SCJbAppendString(js_traffic_id, &varname[traffic_id_prefix_len]);
316  } else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) {
317  if (js_traffic_label == NULL) {
318  js_traffic_label = SCJbNewArray();
319  if (unlikely(js_traffic_label == NULL)) {
320  break;
321  }
322  }
323  SCJbAppendString(js_traffic_label, &varname[traffic_label_prefix_len]);
324  } else {
325  if (js_flowbits == NULL) {
326  js_flowbits = SCJbNewArray();
327  if (unlikely(js_flowbits == NULL))
328  break;
329  }
330  SCJbAppendString(js_flowbits, varname);
331  }
332  }
333  }
334  gv = gv->next;
335  }
336  if (js_flowbits) {
337  SCJbClose(js_flowbits);
338  SCJbSetObject(js_root, "flowbits", js_flowbits);
339  SCJbFree(js_flowbits);
340  }
341  if (js_flowints) {
342  SCJbClose(js_flowints);
343  SCJbSetObject(js_root, "flowints", js_flowints);
344  SCJbFree(js_flowints);
345  }
346  if (js_entropyvals) {
347  SCJbClose(js_entropyvals);
348  SCJbSetObject(js_root, "entropy", js_entropyvals);
349  SCJbFree(js_entropyvals);
350  }
351  if (js_flowvars) {
352  SCJbClose(js_flowvars);
353  SCJbSetObject(js_root, "flowvars", js_flowvars);
354  SCJbFree(js_flowvars);
355  }
356 
357  if (js_traffic_id != NULL || js_traffic_label != NULL) {
358  *js_traffic = SCJbNewObject();
359  if (likely(*js_traffic != NULL)) {
360  if (js_traffic_id != NULL) {
361  SCJbClose(js_traffic_id);
362  SCJbSetObject(*js_traffic, "id", js_traffic_id);
363  SCJbFree(js_traffic_id);
364  }
365  if (js_traffic_label != NULL) {
366  SCJbClose(js_traffic_label);
367  SCJbSetObject(*js_traffic, "label", js_traffic_label);
368  SCJbFree(js_traffic_label);
369  }
370  SCJbClose(*js_traffic);
371  }
372  }
373 }
374 
375 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
376 {
377  if ((p && p->pktvar) || (f && f->flowvar)) {
378  SCJsonBuilder *js_vars = SCJbNewObject();
379  if (js_vars) {
380  if (f && f->flowvar) {
381  SCJsonBuilder *js_traffic = NULL;
382  EveAddFlowVars(f, js_vars, &js_traffic);
383  if (js_traffic != NULL) {
384  SCJbSetObject(js, "traffic", js_traffic);
385  SCJbFree(js_traffic);
386  }
387  }
388  if (p && p->pktvar) {
389  EveAddPacketVars(p, js_vars);
390  }
391  SCJbClose(js_vars);
392  SCJbSetObject(js, "metadata", js_vars);
393  SCJbFree(js_vars);
394  }
395  }
396 }
397 
398 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
399  SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
400 {
401  if (cfg->include_suricata_version) {
402  SCJbSetString(js, "suricata_version", PROG_VER);
403  }
404  if (cfg->include_metadata) {
405  EveAddMetadata(p, f, js);
406  }
407  if (cfg->include_ethernet) {
408  CreateJSONEther(js, p, f, dir);
409  }
410  if (cfg->include_community_id && f != NULL) {
411  CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
412  }
413  if (f != NULL && f->tenant_id > 0) {
414  SCJbSetUint(js, "tenant_id", f->tenant_id);
415  }
416 }
417 
418 /**
419  * \brief Jsonify a packet
420  *
421  * \param p Packet
422  * \param js JSON object
423  * \param max_length If non-zero, restricts the number of packet data bytes handled.
424  */
425 void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
426 {
427  uint32_t max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
428  SCJbSetBase64(js, "packet", GET_PKT_DATA(p), max_len);
429 
430  if (!SCJbOpenObject(js, "packet_info")) {
431  return;
432  }
433  if (!SCJbSetUint(js, "linktype", p->datalink)) {
434  SCJbClose(js);
435  return;
436  }
437 
438  const char *dl_name = DatalinkValueToName(p->datalink);
439 
440  // Intentionally ignore the return value from SCJbSetString and proceed
441  // so the jb object is closed
442  (void)SCJbSetString(js, "linktype_name", dl_name == NULL ? "n/a" : dl_name);
443 
444  SCJbClose(js);
445 }
446 
447 /** \brief jsonify tcp flags field
448  * Only add 'true' fields in an attempt to keep things reasonably compact.
449  */
450 void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
451 {
452  if (flags & TH_SYN)
453  JB_SET_TRUE(js, "syn");
454  if (flags & TH_FIN)
455  JB_SET_TRUE(js, "fin");
456  if (flags & TH_RST)
457  JB_SET_TRUE(js, "rst");
458  if (flags & TH_PUSH)
459  JB_SET_TRUE(js, "psh");
460  if (flags & TH_ACK)
461  JB_SET_TRUE(js, "ack");
462  if (flags & TH_URG)
463  JB_SET_TRUE(js, "urg");
464  if (flags & TH_ECN)
465  JB_SET_TRUE(js, "ecn");
466  if (flags & TH_CWR)
467  JB_SET_TRUE(js, "cwr");
468 }
469 
470 void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr,
471  OutputJsonCommonSettings *cfg)
472 {
473  Port sp, dp;
474 
475  const void *src_ip = NULL;
476  const void *dst_ip = NULL;
477 
478  switch (dir) {
479  case LOG_DIR_PACKET:
480  if (PacketIsIPv4(p)) {
481  src_ip = GET_IPV4_SRC_ADDR_PTR(p);
482  dst_ip = GET_IPV4_DST_ADDR_PTR(p);
483  } else if (PacketIsIPv6(p)) {
484  src_ip = GET_IPV6_SRC_ADDR(p);
485  dst_ip = GET_IPV6_DST_ADDR(p);
486  } else {
487  /* Not an IP packet so don't do anything */
488  return;
489  }
490  sp = p->sp;
491  dp = p->dp;
492  break;
493  case LOG_DIR_FLOW:
494  case LOG_DIR_FLOW_TOSERVER:
495  if ((PKT_IS_TOSERVER(p))) {
496  if (PacketIsIPv4(p)) {
497  src_ip = GET_IPV4_SRC_ADDR_PTR(p);
498  dst_ip = GET_IPV4_DST_ADDR_PTR(p);
499  } else if (PacketIsIPv6(p)) {
500  src_ip = GET_IPV6_SRC_ADDR(p);
501  dst_ip = GET_IPV6_DST_ADDR(p);
502  }
503  sp = p->sp;
504  dp = p->dp;
505  } else {
506  if (PacketIsIPv4(p)) {
507  src_ip = GET_IPV4_DST_ADDR_PTR(p);
508  dst_ip = GET_IPV4_SRC_ADDR_PTR(p);
509  } else if (PacketIsIPv6(p)) {
510  src_ip = GET_IPV6_DST_ADDR(p);
511  dst_ip = GET_IPV6_SRC_ADDR(p);
512  }
513  sp = p->dp;
514  dp = p->sp;
515  }
516  break;
517  case LOG_DIR_FLOW_TOCLIENT:
518  if ((PKT_IS_TOCLIENT(p))) {
519  if (PacketIsIPv4(p)) {
520  src_ip = GET_IPV4_SRC_ADDR_PTR(p);
521  dst_ip = GET_IPV4_DST_ADDR_PTR(p);
522  } else if (PacketIsIPv6(p)) {
523  src_ip = GET_IPV6_SRC_ADDR(p);
524  dst_ip = GET_IPV6_DST_ADDR(p);
525  }
526  sp = p->sp;
527  dp = p->dp;
528  } else {
529  if (PacketIsIPv4(p)) {
530  src_ip = GET_IPV4_DST_ADDR_PTR(p);
531  dst_ip = GET_IPV4_SRC_ADDR_PTR(p);
532  } else if (PacketIsIPv6(p)) {
533  src_ip = GET_IPV6_DST_ADDR(p);
534  dst_ip = GET_IPV6_SRC_ADDR(p);
535  }
536  sp = p->dp;
537  dp = p->sp;
538  }
539  break;
540  default:
541  DEBUG_VALIDATE_BUG_ON(1);
542  return;
543  }
544 
545  if (PacketIsIPv4(p)) {
546  PrintInet(AF_INET, (const void *)src_ip, addr->src_ip, JSON_ADDR_LEN);
547  PrintInet(AF_INET, (const void *)dst_ip, addr->dst_ip, JSON_ADDR_LEN);
548  } else if (PacketIsIPv6(p)) {
549  PrintInetIPv6((const void *)src_ip, addr->src_ip, sizeof(addr->src_ip), cfg->compress_ipv6);
550  PrintInetIPv6((const void *)dst_ip, addr->dst_ip, sizeof(addr->dst_ip), cfg->compress_ipv6);
551  }
552 
553  switch (p->proto) {
554  case IPPROTO_UDP:
555  case IPPROTO_TCP:
556  case IPPROTO_SCTP:
557  addr->sp = sp;
558  addr->dp = dp;
559  addr->log_port = true;
560  break;
561  default:
562  addr->log_port = false;
563  break;
564  }
565 
566  if (SCProtoNameValid(PacketGetIPProto(p))) {
567  strlcpy(addr->proto, known_proto[PacketGetIPProto(p)], sizeof(addr->proto));
568  } else {
569  snprintf(addr->proto, sizeof(addr->proto), "%" PRIu32, PacketGetIPProto(p));
570  }
571 }
572 
573 #define COMMUNITY_ID_BUF_SIZE 64
574 
575 static bool CalculateCommunityFlowIdv4(const Flow *f,
576  const uint16_t seed, unsigned char *base64buf)
577 {
578  struct {
579  uint16_t seed;
580  uint32_t src;
581  uint32_t dst;
582  uint8_t proto;
583  uint8_t pad0;
584  uint16_t sp;
585  uint16_t dp;
586  } __attribute__((__packed__)) ipv4;
587 
588  uint32_t src = f->src.addr_data32[0];
589  uint32_t dst = f->dst.addr_data32[0];
590  uint16_t sp = f->sp;
591  if (f->proto == IPPROTO_ICMP)
592  sp = f->icmp_s.type;
593  sp = htons(sp);
594  uint16_t dp = f->dp;
595  if (f->proto == IPPROTO_ICMP)
596  dp = f->icmp_d.type;
597  dp = htons(dp);
598 
599  ipv4.seed = htons(seed);
600  if (ntohl(src) < ntohl(dst) || (src == dst && ntohs(sp) < ntohs(dp))) {
601  ipv4.src = src;
602  ipv4.dst = dst;
603  ipv4.sp = sp;
604  ipv4.dp = dp;
605  } else {
606  ipv4.src = dst;
607  ipv4.dst = src;
608  ipv4.sp = dp;
609  ipv4.dp = sp;
610  }
611  ipv4.proto = f->proto;
612  ipv4.pad0 = 0;
613 
614  uint8_t hash[20];
615  if (SCSha1HashBuffer((const uint8_t *)&ipv4, sizeof(ipv4), hash, sizeof(hash)) == 1) {
616  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
617  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
618  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
619  return true;
620  }
621  }
622  return false;
623 }
624 
625 static bool CalculateCommunityFlowIdv6(const Flow *f,
626  const uint16_t seed, unsigned char *base64buf)
627 {
628  struct {
629  uint16_t seed;
630  uint32_t src[4];
631  uint32_t dst[4];
632  uint8_t proto;
633  uint8_t pad0;
634  uint16_t sp;
635  uint16_t dp;
636  } __attribute__((__packed__)) ipv6;
637 
638  uint16_t sp = f->sp;
639  if (f->proto == IPPROTO_ICMPV6)
640  sp = f->icmp_s.type;
641  sp = htons(sp);
642  uint16_t dp = f->dp;
643  if (f->proto == IPPROTO_ICMPV6)
644  dp = f->icmp_d.type;
645  dp = htons(dp);
646 
647  ipv6.seed = htons(seed);
648  int cmp_r = memcmp(&f->src, &f->dst, sizeof(f->src));
649  if ((cmp_r < 0) || (cmp_r == 0 && ntohs(sp) < ntohs(dp))) {
650  memcpy(&ipv6.src, &f->src.addr_data32, 16);
651  memcpy(&ipv6.dst, &f->dst.addr_data32, 16);
652  ipv6.sp = sp;
653  ipv6.dp = dp;
654  } else {
655  memcpy(&ipv6.src, &f->dst.addr_data32, 16);
656  memcpy(&ipv6.dst, &f->src.addr_data32, 16);
657  ipv6.sp = dp;
658  ipv6.dp = sp;
659  }
660  ipv6.proto = f->proto;
661  ipv6.pad0 = 0;
662 
663  uint8_t hash[20];
664  if (SCSha1HashBuffer((const uint8_t *)&ipv6, sizeof(ipv6), hash, sizeof(hash)) == 1) {
665  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
666  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
667  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
668  return true;
669  }
670  }
671  return false;
672 }
673 
674 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed)
675 {
676  unsigned char buf[COMMUNITY_ID_BUF_SIZE];
677  if (f->flags & FLOW_IPV4) {
678  if (CalculateCommunityFlowIdv4(f, seed, buf)) {
679  SCJbSetString(js, "community_id", (const char *)buf);
680  }
681  } else if (f->flags & FLOW_IPV6) {
682  if (CalculateCommunityFlowIdv6(f, seed, buf)) {
683  SCJbSetString(js, "community_id", (const char *)buf);
684  }
685  }
686 }
687 
688 void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
689 {
690  if (f == NULL) {
691  return;
692  }
693  uint64_t flow_id = FlowGetId(f);
694  SCJbSetUint(js, "flow_id", flow_id);
695  if (f->parent_id) {
696  SCJbSetUint(js, "parent_id", f->parent_id);
697  }
698 }
699 
700 void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
701 {
702  char eth_addr[19];
703  (void) snprintf(eth_addr, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
704  val[0], val[1], val[2], val[3], val[4], val[5]);
705  if (is_array) {
706  SCJbAppendString(js, eth_addr);
707  } else {
708  SCJbSetString(js, key, eth_addr);
709  }
710 }
711 
712 /* only required to traverse the MAC address set */
713 typedef struct JSONMACAddrInfo {
714  SCJsonBuilder *src, *dst;
715 } JSONMACAddrInfo;
716 
717 static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
718 {
719  JSONMACAddrInfo *info = (JSONMACAddrInfo*) data;
720  if (side == MAC_SET_DST) {
721  JSONFormatAndAddMACAddr(info->dst, NULL, val, true);
722  } else {
723  JSONFormatAndAddMACAddr(info->src, NULL, val, true);
724  }
725  return 0;
726 }
727 
728 static int CreateJSONEther(
729  SCJsonBuilder *js, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir)
730 {
731  if (p != NULL) {
732  /* this is a packet context, so we need to add scalar fields */
733  if (PacketIsEthernet(p)) {
734  const EthernetHdr *ethh = PacketGetEthernet(p);
735  SCJbOpenObject(js, "ether");
736  SCJbSetUint(js, "ether_type", SCNtohs(ethh->eth_type));
737  const uint8_t *src;
738  const uint8_t *dst;
739  switch (dir) {
740  case LOG_DIR_FLOW_TOSERVER:
741  // fallthrough
742  case LOG_DIR_FLOW:
743  if (PKT_IS_TOCLIENT(p)) {
744  src = ethh->eth_dst;
745  dst = ethh->eth_src;
746  } else {
747  src = ethh->eth_src;
748  dst = ethh->eth_dst;
749  }
750  break;
751  case LOG_DIR_FLOW_TOCLIENT:
752  if (PKT_IS_TOSERVER(p)) {
753  src = ethh->eth_dst;
754  dst = ethh->eth_src;
755  } else {
756  src = ethh->eth_src;
757  dst = ethh->eth_dst;
758  }
759  break;
760  case LOG_DIR_PACKET:
761  default:
762  src = ethh->eth_src;
763  dst = ethh->eth_dst;
764  break;
765  }
766  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
767  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
768  SCJbClose(js);
769  } else if (f != NULL) {
770  /* When pseudopackets do not have associated ethernet metadata,
771  use the first set of mac addresses stored with their flow.
772  The first set of macs should come from the flow's first packet,
773  providing the most fitting representation of the event's ethernet. */
774  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
775  if (ms != NULL && MacSetSize(ms) > 0) {
776  uint8_t *src = MacSetGetFirst(ms, MAC_SET_SRC);
777  uint8_t *dst = MacSetGetFirst(ms, MAC_SET_DST);
778  if (dst != NULL && src != NULL) {
779  SCJbOpenObject(js, "ether");
780  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
781  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
782  SCJbClose(js);
783  }
784  }
785  }
786  } else if (f != NULL) {
787  /* we are creating an ether object in a flow context, so we need to
788  append to arrays */
789  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
790  if (ms != NULL && MacSetSize(ms) > 0) {
791  SCJbOpenObject(js, "ether");
792  JSONMACAddrInfo info;
793  info.dst = SCJbNewArray();
794  info.src = SCJbNewArray();
795  int ret = MacSetForEach(ms, MacSetIterateToJSON, &info);
796  if (unlikely(ret != 0)) {
797  /* should not happen, JSONFlowAppendMACAddrs is sane */
798  SCJbFree(info.dst);
799  SCJbFree(info.src);
800  SCJbClose(js);
801  return ret;
802  }
803  SCJbClose(info.dst);
804  SCJbClose(info.src);
805  /* case is handling netflow too so may need to revert */
806  if (dir == LOG_DIR_FLOW_TOCLIENT) {
807  SCJbSetObject(js, "dest_macs", info.src);
808  SCJbSetObject(js, "src_macs", info.dst);
809  } else {
810  DEBUG_VALIDATE_BUG_ON(dir != LOG_DIR_FLOW_TOSERVER && dir != LOG_DIR_FLOW);
811  SCJbSetObject(js, "dest_macs", info.dst);
812  SCJbSetObject(js, "src_macs", info.src);
813  }
814  SCJbFree(info.dst);
815  SCJbFree(info.src);
816  SCJbClose(js);
817  }
818  }
819  return 0;
820 }
821 
822 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,
823  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
824 {
825  char timebuf[64];
826  const Flow *f = (const Flow *)p->flow;
827 
828  SCJsonBuilder *js = SCJbNewObject();
829  if (unlikely(js == NULL)) {
830  return NULL;
831  }
832 
833  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
834 
835  SCJbSetString(js, "timestamp", timebuf);
836 
837  CreateEveFlowId(js, f);
838 
839  /* sensor id */
840  if (sensor_id >= 0) {
841  SCJbSetUint(js, "sensor_id", sensor_id);
842  }
843 
844  /* input interface */
845  if (p->livedev) {
846  SCJbSetString(js, "in_iface", p->livedev->dev);
847  }
848 
849  /* pcap_cnt */
850  uint64_t pcap_cnt = PcapPacketCntGet(p);
851  if (pcap_cnt != 0) {
852  SCJbSetUint(js, "pcap_cnt", pcap_cnt);
853  }
854 
855  if (event_type) {
856  SCJbSetString(js, "event_type", event_type);
857  }
858 
859  /* vlan */
860  if (p->vlan_idx > 0) {
861  SCJbOpenArray(js, "vlan");
862  SCJbAppendUint(js, p->vlan_id[0]);
863  if (p->vlan_idx > 1) {
864  SCJbAppendUint(js, p->vlan_id[1]);
865  }
866  if (p->vlan_idx > 2) {
867  SCJbAppendUint(js, p->vlan_id[2]);
868  }
869  SCJbClose(js);
870  }
871 
872  /* 5-tuple */
873  JsonAddrInfo addr_info = json_addr_info_zero;
874  if (addr == NULL) {
875  JsonAddrInfoInit(p, dir, &addr_info, &eve_ctx->cfg);
876  addr = &addr_info;
877  }
878  if (addr->src_ip[0] != '\0') {
879  SCJbSetString(js, "src_ip", addr->src_ip);
880  }
881  if (addr->log_port) {
882  SCJbSetUint(js, "src_port", addr->sp);
883  }
884  if (addr->dst_ip[0] != '\0') {
885  SCJbSetString(js, "dest_ip", addr->dst_ip);
886  }
887  if (addr->log_port) {
888  SCJbSetUint(js, "dest_port", addr->dp);
889  }
890  if (addr->proto[0] != '\0') {
891  SCJbSetString(js, "proto", addr->proto);
892  }
893 
894  /* ip version */
895  if (PacketIsIPv4(p)) {
896  SCJbSetUint(js, "ip_v", 4);
897  } else if (PacketIsIPv6(p)) {
898  SCJbSetUint(js, "ip_v", 6);
899  }
900 
901  /* icmp */
902  switch (p->proto) {
903  case IPPROTO_ICMP:
904  if (PacketIsICMPv4(p)) {
905  SCJbSetUint(js, "icmp_type", p->icmp_s.type);
906  SCJbSetUint(js, "icmp_code", p->icmp_s.code);
907  }
908  break;
909  case IPPROTO_ICMPV6:
910  if (PacketIsICMPv6(p)) {
911  SCJbSetUint(js, "icmp_type", PacketGetICMPv6(p)->type);
912  SCJbSetUint(js, "icmp_code", PacketGetICMPv6(p)->code);
913  }
914  break;
915  case IPPROTO_IGMP:
916  if (PacketIsIGMP(p)) {
917  SCLogDebug("rgmp %s", BOOL2STR(p->l4.vars.igmp.rgmp));
918  if (!p->l4.vars.igmp.rgmp) {
919  SCJbOpenObject(js, "igmp");
920  SCJbSetUint(js, "type", PacketGetIGMP(p)->type);
921  SCJbSetUint(js, "version", p->l4.vars.igmp.version);
922  SCJbClose(js);
923  } else {
924  SCJbOpenObject(js, "rgmp");
925  SCJbSetUint(js, "type", PacketGetIGMP(p)->type);
926  SCJbClose(js);
927  }
928  }
929  break;
930  }
931 
932  SCJbSetString(js, "pkt_src", PktSrcToString(p->pkt_src));
933 
934  if (eve_ctx != NULL) {
935  EveAddCommonOptions(&eve_ctx->cfg, p, f, js, dir);
936  }
937 
938  return js;
939 }
940 
941 SCJsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir,
942  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
943 {
944  SCJsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, eve_ctx);
945  if (unlikely(js == NULL))
946  return NULL;
947 
948  /* tx id for correlation with other events */
949  SCJbSetUint(js, "tx_id", tx_id);
950 
951  return js;
952 }
953 
954 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
955 {
956  OutputJSONMemBufferWrapper *wrapper = data;
957  MemBuffer **memb = wrapper->buffer;
958 
959  if (MEMBUFFER_OFFSET(*memb) + size >= MEMBUFFER_SIZE(*memb)) {
960  MemBufferExpand(memb, wrapper->expand_by);
961  }
962 
963  DEBUG_VALIDATE_BUG_ON(size > UINT32_MAX);
964  MemBufferWriteRaw((*memb), (const uint8_t *)str, (uint32_t)size);
965  return 0;
966 }
967 
968 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
969 {
970  if (file_ctx->sensor_name) {
971  json_object_set_new(js, "host",
972  json_string(file_ctx->sensor_name));
973  }
974 
975  if (file_ctx->is_pcap_offline) {
976  json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
977  }
978 
979  if (file_ctx->prefix) {
980  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
981  }
982 
983  OutputJSONMemBufferWrapper wrapper = {
984  .buffer = buffer,
985  .expand_by = JSON_OUTPUT_BUFFER_SIZE
986  };
987 
988  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
989  file_ctx->json_flags);
990  if (r != 0)
991  return TM_ECODE_OK;
992 
993  LogFileWrite(file_ctx, *buffer);
994  return 0;
995 }
996 
997 void OutputJsonFlush(OutputJsonThreadCtx *ctx)
998 {
999  LogFileCtx *file_ctx = ctx->file_ctx;
1000  LogFileFlush(file_ctx);
1001 }
1002 
1003 void OutputJsonBuilderBuffer(
1004  ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
1005 {
1006  LogFileCtx *file_ctx = ctx->file_ctx;
1007  MemBuffer **buffer = &ctx->buffer;
1008  if (file_ctx->sensor_name) {
1009  SCJbSetString(js, "host", file_ctx->sensor_name);
1010  }
1011 
1012  if (file_ctx->is_pcap_offline) {
1013  SCJbSetString(js, "pcap_filename", PcapFileGetFilename());
1014  }
1015 
1016  SCEveRunCallbacks(tv, p, f, js);
1017 
1018  SCJbClose(js);
1019 
1020  MemBufferReset(*buffer);
1021 
1022  if (file_ctx->prefix) {
1023  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
1024  }
1025 
1026  size_t jslen = SCJbLen(js);
1027  DEBUG_VALIDATE_BUG_ON(SCJbLen(js) > UINT32_MAX);
1028  size_t remaining = MEMBUFFER_SIZE(*buffer) - MEMBUFFER_OFFSET(*buffer);
1029  if (jslen >= remaining) {
1030  size_t expand_by = jslen + 1 - remaining;
1031  if (MemBufferExpand(buffer, (uint32_t)expand_by) < 0) {
1032  if (!ctx->too_large_warning) {
1033  /* Log a warning once, and include enough of the log
1034  * message to hopefully identify the event_type. */
1035  char partial[120];
1036  size_t partial_len = MIN(sizeof(partial), jslen);
1037  memcpy(partial, SCJbPtr(js), partial_len - 1);
1038  partial[partial_len - 1] = '\0';
1039  SCLogWarning("Formatted JSON EVE record too large, will be dropped: %s", partial);
1040  ctx->too_large_warning = true;
1041  }
1042  return;
1043  }
1044  }
1045 
1046  MemBufferWriteRaw((*buffer), SCJbPtr(js), (uint32_t)jslen);
1047  LogFileWrite(file_ctx, *buffer);
1048 }
1049 
1050 static inline enum LogFileType FileTypeFromConf(const char *typestr)
1051 {
1052  enum LogFileType log_filetype = LOGFILE_TYPE_NOTSET;
1053 
1054  if (typestr == NULL) {
1055  log_filetype = LOGFILE_TYPE_FILE;
1056  } else if (strcmp(typestr, "file") == 0 || strcmp(typestr, "regular") == 0) {
1057  log_filetype = LOGFILE_TYPE_FILE;
1058  } else if (strcmp(typestr, "unix_dgram") == 0) {
1059  log_filetype = LOGFILE_TYPE_UNIX_DGRAM;
1060  } else if (strcmp(typestr, "unix_stream") == 0) {
1061  log_filetype = LOGFILE_TYPE_UNIX_STREAM;
1062  } else if (strcmp(typestr, "redis") == 0) {
1063 #ifdef HAVE_LIBHIREDIS
1064  log_filetype = LOGFILE_TYPE_REDIS;
1065 #else
1066  FatalError("redis JSON output option is not compiled");
1067 #endif
1068  }
1069  SCLogDebug("type %s, file type value %d", typestr, log_filetype);
1070  return log_filetype;
1071 }
1072 
1073 static int LogFileTypePrepare(
1074  OutputJsonCtx *json_ctx, enum LogFileType log_filetype, SCConfNode *conf)
1075 {
1076 
1077  if (log_filetype == LOGFILE_TYPE_FILE || log_filetype == LOGFILE_TYPE_UNIX_DGRAM ||
1078  log_filetype == LOGFILE_TYPE_UNIX_STREAM) {
1079  if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
1080  return -1;
1081  }
1082  }
1083 #ifdef HAVE_LIBHIREDIS
1084  else if (log_filetype == LOGFILE_TYPE_REDIS) {
1085  SCLogRedisInit();
1086  SCConfNode *redis_node = SCConfNodeLookupChild(conf, "redis");
1087  if (!json_ctx->file_ctx->sensor_name) {
1088  char hostname[1024];
1089  gethostname(hostname, 1023);
1090  json_ctx->file_ctx->sensor_name = SCStrdup(hostname);
1091  }
1092  if (json_ctx->file_ctx->sensor_name == NULL) {
1093  return -1;
1094  }
1095 
1096  if (SCConfLogOpenRedis(redis_node, json_ctx->file_ctx) < 0) {
1097  return -1;
1098  }
1099  }
1100 #endif
1101  else if (log_filetype == LOGFILE_TYPE_FILETYPE) {
1102  if (json_ctx->file_ctx->threaded) {
1103  /* Prepare for threaded log output. */
1104  if (!SCLogOpenThreadedFile(NULL, NULL, json_ctx->file_ctx)) {
1105  return -1;
1106  }
1107  }
1108  if (json_ctx->filetype->Init(conf, json_ctx->file_ctx->threaded,
1109  &json_ctx->file_ctx->filetype.init_data) < 0) {
1110  return -1;
1111  }
1112  if (json_ctx->filetype->ThreadInit) {
1113  if (json_ctx->filetype->ThreadInit(json_ctx->file_ctx->filetype.init_data, 0,
1114  &json_ctx->file_ctx->filetype.thread_data) < 0) {
1115  return -1;
1116  }
1117  }
1118  json_ctx->file_ctx->filetype.filetype = json_ctx->filetype;
1119  }
1120 
1121  return 0;
1122 }
1123 
1124 /**
1125  * \brief Create a new LogFileCtx for "fast" output style.
1126  * \param conf The configuration node for this output.
1127  * \return A LogFileCtx pointer on success, NULL on failure.
1128  */
1129 OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
1130 {
1131  OutputInitResult result = { NULL, false };
1132  OutputCtx *output_ctx = NULL;
1133 
1134  OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));
1135  if (unlikely(json_ctx == NULL)) {
1136  SCLogDebug("could not create new OutputJsonCtx");
1137  return result;
1138  }
1139 
1140  /* First lookup a sensor-name value in this outputs configuration
1141  * node (deprecated). If that fails, lookup the global one. */
1142  const char *sensor_name = SCConfNodeLookupChildValue(conf, "sensor-name");
1143  if (sensor_name != NULL) {
1144  SCLogWarning("Found deprecated eve-log setting \"sensor-name\". "
1145  "Please set sensor-name globally.");
1146  }
1147  else {
1148  (void)SCConfGet("sensor-name", &sensor_name);
1149  }
1150 
1151  json_ctx->file_ctx = LogFileNewCtx();
1152  if (unlikely(json_ctx->file_ctx == NULL)) {
1153  SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
1154  goto error_exit;
1155  }
1156 
1157  if (sensor_name) {
1158  json_ctx->file_ctx->sensor_name = SCStrdup(sensor_name);
1159  if (json_ctx->file_ctx->sensor_name == NULL) {
1160  goto error_exit;
1161  }
1162  } else {
1163  json_ctx->file_ctx->sensor_name = NULL;
1164  }
1165 
1166  output_ctx = SCCalloc(1, sizeof(OutputCtx));
1167  if (unlikely(output_ctx == NULL)) {
1168  goto error_exit;
1169  }
1170 
1171  output_ctx->data = json_ctx;
1172  output_ctx->DeInit = OutputJsonDeInitCtx;
1173 
1174  if (conf) {
1175  const char *output_s = SCConfNodeLookupChildValue(conf, "filetype");
1176  // Backwards compatibility
1177  if (output_s == NULL) {
1178  output_s = SCConfNodeLookupChildValue(conf, "type");
1179  }
1180 
1181  enum LogFileType log_filetype = FileTypeFromConf(output_s);
1182  if (log_filetype == LOGFILE_TYPE_NOTSET) {
1183  SCEveFileType *filetype = SCEveFindFileType(output_s);
1184  if (filetype != NULL) {
1185  log_filetype = LOGFILE_TYPE_FILETYPE;
1186  json_ctx->filetype = filetype;
1187  } else
1188  FatalError("Invalid JSON output option: %s", output_s);
1189  }
1190 
1191  const SCConfNode *compress_ipv6 = SCConfNodeLookupChild(conf, "ipv6-compress");
1192  if (compress_ipv6 && compress_ipv6->val && SCConfValIsTrue(compress_ipv6->val)) {
1193  SCLogConfig("Will compress IPv6 addresses in EVE output per RFC 5952");
1194  json_ctx->cfg.compress_ipv6 = true;
1195  } else {
1196  json_ctx->cfg.compress_ipv6 = false;
1197  }
1198 
1199  const char *prefix = SCConfNodeLookupChildValue(conf, "prefix");
1200  if (prefix != NULL)
1201  {
1202  SCLogInfo("Using prefix '%s' for JSON messages", prefix);
1203  json_ctx->file_ctx->prefix = SCStrdup(prefix);
1204  if (json_ctx->file_ctx->prefix == NULL)
1205  {
1206  FatalError("Failed to allocate memory for eve-log.prefix setting.");
1207  }
1208  json_ctx->file_ctx->prefix_len = (uint32_t)strlen(prefix);
1209  }
1210 
1211  /* Threaded file output */
1212  const SCConfNode *threaded = SCConfNodeLookupChild(conf, "threaded");
1213  if (threaded && threaded->val && SCConfValIsTrue(threaded->val)) {
1214  SCLogConfig("Threaded EVE logging configured");
1215  json_ctx->file_ctx->threaded = true;
1216  } else {
1217  json_ctx->file_ctx->threaded = false;
1218  }
1219  if (LogFileTypePrepare(json_ctx, log_filetype, conf) < 0) {
1220  goto error_exit;
1221  }
1222 
1223  const char *sensor_id_s = SCConfNodeLookupChildValue(conf, "sensor-id");
1224  if (sensor_id_s != NULL) {
1225  if (StringParseUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) < 0) {
1226  FatalError("Failed to initialize JSON output, "
1227  "invalid sensor-id: %s",
1228  sensor_id_s);
1229  }
1230  }
1231 
1232  /* Check if top-level metadata should be logged. */
1233  const SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
1234  if (metadata && metadata->val && SCConfValIsFalse(metadata->val)) {
1235  SCLogConfig("Disabling eve metadata logging.");
1236  json_ctx->cfg.include_metadata = false;
1237  } else {
1238  json_ctx->cfg.include_metadata = true;
1239  }
1240 
1241  /* Check if ethernet information should be logged. */
1242  const SCConfNode *ethernet = SCConfNodeLookupChild(conf, "ethernet");
1243  if (ethernet && ethernet->val && SCConfValIsTrue(ethernet->val)) {
1244  SCLogConfig("Enabling Ethernet MAC address logging.");
1245  json_ctx->cfg.include_ethernet = true;
1246  } else {
1247  json_ctx->cfg.include_ethernet = false;
1248  }
1249 
1250  const SCConfNode *suriver = SCConfNodeLookupChild(conf, "suricata-version");
1251  if (suriver && suriver->val && SCConfValIsTrue(suriver->val)) {
1252  SCLogConfig("Enabling Suricata version logging.");
1253  json_ctx->cfg.include_suricata_version = true;
1254  } else {
1255  json_ctx->cfg.include_suricata_version = false;
1256  }
1257 
1258  /* See if we want to enable the community id */
1259  const SCConfNode *community_id = SCConfNodeLookupChild(conf, "community-id");
1260  if (community_id && community_id->val && SCConfValIsTrue(community_id->val)) {
1261  SCLogConfig("Enabling eve community_id logging.");
1262  json_ctx->cfg.include_community_id = true;
1263  } else {
1264  json_ctx->cfg.include_community_id = false;
1265  }
1266  const char *cid_seed = SCConfNodeLookupChildValue(conf, "community-id-seed");
1267  if (cid_seed != NULL) {
1268  if (StringParseUint16(&json_ctx->cfg.community_id_seed,
1269  10, 0, cid_seed) < 0)
1270  {
1271  FatalError("Failed to initialize JSON output, "
1272  "invalid community-id-seed: %s",
1273  cid_seed);
1274  }
1275  }
1276 
1277  /* Do we have a global eve xff configuration? */
1278  const SCConfNode *xff = SCConfNodeLookupChild(conf, "xff");
1279  if (xff != NULL) {
1280  json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1281  if (likely(json_ctx->xff_cfg != NULL)) {
1282  HttpXFFGetCfg(conf, json_ctx->xff_cfg);
1283  }
1284  }
1285 
1286  const char *pcapfile_s = SCConfNodeLookupChildValue(conf, "pcap-file");
1287  if (pcapfile_s != NULL && SCConfValIsTrue(pcapfile_s)) {
1288  json_ctx->file_ctx->is_pcap_offline =
1289  (SCRunmodeGet() == RUNMODE_PCAP_FILE || SCRunmodeGet() == RUNMODE_UNIX_SOCKET);
1290  }
1291  json_ctx->file_ctx->type = log_filetype;
1292  }
1293 
1294  SCLogDebug("returning output_ctx %p", output_ctx);
1295 
1296  result.ctx = output_ctx;
1297  result.ok = true;
1298  return result;
1299 
1300 error_exit:
1301  if (json_ctx->file_ctx) {
1302  if (json_ctx->file_ctx->prefix) {
1303  SCFree(json_ctx->file_ctx->prefix);
1304  }
1305  LogFileFreeCtx(json_ctx->file_ctx);
1306  }
1307  SCFree(json_ctx);
1308 
1309  if (output_ctx) {
1310  SCFree(output_ctx);
1311  }
1312  return result;
1313 }
1314 
1315 static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
1316 {
1317  OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data;
1318  LogFileCtx *logfile_ctx = json_ctx->file_ctx;
1319  if (logfile_ctx->dropped) {
1320  SCLogWarning("%" PRIu64 " events were dropped due to slow or "
1321  "disconnected socket",
1322  logfile_ctx->dropped);
1323  }
1324  if (json_ctx->xff_cfg != NULL) {
1325  SCFree(json_ctx->xff_cfg);
1326  }
1327  LogFileFreeCtx(logfile_ctx);
1328  SCFree(json_ctx);
1329  SCFree(output_ctx);
1330 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:240
FlowVar_::fv_float
FlowVarTypeFloat fv_float
Definition: flow-var.h:66
util-device-private.h
util-byte.h
MacSetSide
MacSetSide
Definition: util-macset.h:28
Packet_::proto
uint8_t proto
Definition: decode.h:527
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:997
pad0
uint8_t pad0
Definition: decode-template.h:1
SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition: output-eve-bindgen.h:33
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:552
detect-engine.h
LOGFILE_TYPE_REDIS
@ LOGFILE_TYPE_REDIS
Definition: util-logopenfile.h:42
LogFileCtx_::sensor_name
char * sensor_name
Definition: util-logopenfile.h:115
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:81
Flow_::flags
uint64_t flags
Definition: flow.h:396
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:80
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:219
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:119
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:712
PcapPacketCntGet
uint64_t PcapPacketCntGet(const Packet *p)
Definition: decode.c:1107
MemBufferExpand
int MemBufferExpand(MemBuffer **buffer, uint32_t expand_by)
expand membuffer by size of 'expand_by'
Definition: util-buffer.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
Flow_::proto
uint8_t proto
Definition: flow.h:369
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:41
LogFileFlush
void LogFileFlush(LogFileCtx *file_ctx)
Definition: util-logopenfile.c:991
FLOWVAR_TYPE_STR
#define FLOWVAR_TYPE_STR
Definition: flow-var.h:33
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:822
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:54
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
util-macset.h
OutputJsonCtx_
Definition: output-json.h:77
LogFileCtx_::json_flags
size_t json_flags
Definition: util-logopenfile.h:156
PrintInetIPv6
const char * PrintInetIPv6(const void *src, char *dst, socklen_t size, bool compress_ipv6)
Definition: util-print.c:209
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:533
Flow_
Flow data structure.
Definition: flow.h:347
File_::state
FileState state
Definition: util-file.h:149
OutputJsonCommonSettings_
Definition: output-json.h:62
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr, OutputJsonCommonSettings *cfg)
Definition: output-json.c:470
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
util-syslog.h
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:296
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:351
PktVar_::next
struct PktVar_ * next
Definition: decode.h:314
FILE_STORE
#define FILE_STORE
Definition: util-file.h:122
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:152
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:64
FlowVar_::keylen
FlowVarKeyLenType keylen
Definition: flow-var.h:58
LOGFILE_TYPE_NOTSET
@ LOGFILE_TYPE_NOTSET
Definition: util-logopenfile.h:45
SCProtoNameValid
bool SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:450
EveTcpFlags
void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:450
output-eve-null.h
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
flow-bit.h
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
util-log-redis.h
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-eve-bindgen.h:37
COMMUNITY_ID_BUF_SIZE
#define COMMUNITY_ID_BUF_SIZE
Definition: output-json.c:573
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:64
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:577
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:58
known_proto
const char * known_proto[256]
Definition: util-proto-name.c:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:1003
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:140
proto
uint8_t proto
Definition: decode-template.h:0
CreateEveFlowId
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
Definition: output-json.c:688
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:855
Flow_::dp
Port dp
Definition: flow.h:363
JSONMACAddrInfo::dst
SCJsonBuilder * dst
Definition: output-json.c:714
FLOWVAR_TYPE_INT
#define FLOWVAR_TYPE_INT
Definition: flow-var.h:34
JSONMACAddrInfo
struct JSONMACAddrInfo JSONMACAddrInfo
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:163
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:205
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
OutputJsonCommonSettings_::include_suricata_version
bool include_suricata_version
Definition: output-json.h:67
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:91
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
OutputCtx_
Definition: tm-modules.h:88
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputJsonThreadCtx_
Definition: output-json.h:85
Packet_::icmp_s
struct Packet_::@32::@39 icmp_s
Packet_::datalink
int datalink
Definition: decode.h:639
File_::name_len
uint16_t name_len
Definition: util-file.h:148
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:65
LogFileCtx_::filetype
LogFileTypeCtx filetype
Definition: util-logopenfile.h:91
Flow_::dst
FlowAddress dst
Definition: flow.h:350
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:161
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:289
LogFileWrite
int LogFileWrite(LogFileCtx *file_ctx, MemBuffer *buffer)
Definition: util-logopenfile.c:997
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:35
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:601
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:57
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:200
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:239
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json.c:66
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
Definition: output-json.c:398
File_::end
uint64_t end
Definition: util-file.h:173
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:64
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LogFileCtx_::prefix_len
uint32_t prefix_len
Definition: util-logopenfile.h:132
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:62
Packet_::ts
SCTime_t ts
Definition: decode.h:559
output-json.h
FlowVar_::idx
uint32_t idx
Definition: flow-var.h:59
SCEveFileType_::ThreadInit
SCEveFileTypeThreadInitFunc ThreadInit
Initialize thread specific data.
Definition: output-eve-bindgen.h:161
JSONMACAddrInfo
Definition: output-json.c:713
PktVar_::value
uint8_t * value
Definition: decode.h:320
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:542
OutputRegisterModule
void OutputRegisterModule(const char *, const char *, OutputInitFunc)
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1129
util-print.h
FlowVar_::key
uint8_t * key
Definition: flow-var.h:68
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:210
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:238
FlowVarTypeFloat_::value
double value
Definition: flow-var.h:51
Packet_::sp
Port sp
Definition: decode.h:512
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:325
SCEveFileType_::Init
SCEveFileTypeInitFunc Init
Function to initialize this filetype.
Definition: output-eve-bindgen.h:140
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:876
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:36
OutputInitResult_::ok
bool ok
Definition: output.h:48
LiveDevice_::dev
char * dev
Definition: util-device-private.h:33
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
PktVar_::key
uint8_t * key
Definition: decode.h:319
SyslogInitialize
void SyslogInitialize(void)
Definition: output-eve-syslog.c:99
LogFileCtx_::type
enum LogFileType type
Definition: util-logopenfile.h:103
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-eve-bindgen.h:35
LOGFILE_TYPE_FILE
@ LOGFILE_TYPE_FILE
Definition: util-logopenfile.h:39
IGMPVars_::rgmp
bool rgmp
Definition: decode-igmp.h:35
MAC_SET_DST
@ MAC_SET_DST
Definition: util-macset.h:28
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:48
JsonAddrInfo_
Definition: output-json.h:41
source-pcap-file-helper.h
NullLogInitialize
void NullLogInitialize(void)
Definition: output-eve-null.c:66
Packet_
Definition: decode.h:505
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
OutputJSONMemBufferWrapper_
Definition: output-json.h:57
type
uint16_t type
Definition: decode-vlan.c:106
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:209
MacSet_
Definition: util-macset.c:45
conf.h
Packet_::l4
struct PacketL4 l4
Definition: decode.h:605
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:700
Port
uint16_t Port
Definition: decode.h:219
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:622
File_::name
uint8_t * name
Definition: util-file.h:155
TH_ECN
#define TH_ECN
Definition: decode-tcp.h:41
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOGFILE_TYPE_UNIX_DGRAM
@ LOGFILE_TYPE_UNIX_DGRAM
Definition: util-logopenfile.h:40
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:113
LogFileTypeCtx_::thread_data
void * thread_data
Definition: util-logopenfile.h:68
SCLogOpenThreadedFile
bool SCLogOpenThreadedFile(const char *log_path, const char *append, LogFileCtx *parent_ctx)
Definition: util-logopenfile.c:375
util-proto-name.h
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:65
__attribute__
typedef __attribute__
DNP3 application header.
File_::sid
uint32_t * sid
Definition: util-file.h:175
LOGFILE_TYPE_UNIX_STREAM
@ LOGFILE_TYPE_UNIX_STREAM
Definition: util-logopenfile.h:41
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:425
MemBuffer_
Definition: util-buffer.h:27
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:176
TH_URG
#define TH_URG
Definition: decode-tcp.h:39
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition: output-json.c:375
VAR_TYPE_FLOW_FLOAT
@ VAR_TYPE_FLOW_FLOAT
Definition: util-var.h:38
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:46
Flow_::src
FlowAddress src
Definition: flow.h:350
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:482
OutputJsonCommonSettings_::compress_ipv6
bool compress_ipv6
Definition: output-json.h:66
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:63
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
MAC_SET_SRC
@ MAC_SET_SRC
Definition: util-macset.h:28
File_::flags
uint16_t flags
Definition: util-file.h:147
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:827
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:138
File_
Definition: util-file.h:146
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
flow-storage.h
OutputInitResult_
Definition: output.h:46
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:40
Packet_::flow
struct Flow_ * flow
Definition: decode.h:553
StringParseUint64
int StringParseUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:264
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:199
PrintBufferData
#define PrintBufferData(buf, buf_offset_ptr, buf_size,...)
Definition: util-print.h:27
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:59
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:431
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:101
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:94
Flow_::icmp_d
struct Flow_::@123::@129 icmp_d
LogFileTypeCtx_::init_data
void * init_data
Definition: util-logopenfile.h:67
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:306
MacSetSize
int MacSetSize(const MacSet *ms)
Definition: util-macset.c:246
GenericVar_
Definition: util-var.h:53
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
FILE_STORED
#define FILE_STORED
Definition: util-file.h:123
FLOWVAR_TYPE_FLOAT
#define FLOWVAR_TYPE_FLOAT
Definition: flow-var.h:35
FILE_MD5
#define FILE_MD5
Definition: util-file.h:115
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:926
output-eve-syslog.h
util-classification-config.h
CreateEveHeaderWithTxId
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:941
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:517
Flow_::parent_id
int64_t parent_id
Definition: flow.h:423
FlowBit_::idx
uint32_t idx
Definition: flow-bit.h:33
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:61
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:165
File_::start
uint64_t start
Definition: util-file.h:172
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:37
util-optimize.h
util-validate.h
FlowVar_::data
union FlowVar_::@116 data
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
FlowBit_
Definition: flow-bit.h:30
str
#define str(s)
Definition: suricata-common.h:308
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(SCConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:480
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:204
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:615
util-logopenfile.h
MacSetGetFirst
uint8_t * MacSetGetFirst(const MacSet *ms, MacSetSide side)
Definition: util-macset.c:233
MEMBUFFER_SIZE
#define MEMBUFFER_SIZE(mem_buffer)
Get the MemBuffers current size.
Definition: util-buffer.h:61
src
uint16_t src
Definition: app-layer-dnp3.h:5
util-buffer.h
TH_CWR
#define TH_CWR
Definition: decode-tcp.h:43
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:39
MacSetForEach
int MacSetForEach(const MacSet *ms, MacSetIteratorFunc IterFunc, void *data)
Definition: util-macset.c:220
LogFileCtx_::prefix
char * prefix
Definition: util-logopenfile.h:131
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
LogFileCtx_::is_pcap_offline
bool is_pcap_offline
Definition: util-logopenfile.h:159
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition: source-pcap-file-helper.c:168
GenericVar_::type
uint16_t type
Definition: util-var.h:54
PktVar_::value_len
uint16_t value_len
Definition: decode.h:318
MAX_JSON_SIZE
#define MAX_JSON_SIZE
Definition: output-json.c:69
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:78
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:954
JSONMACAddrInfo::src
SCJsonBuilder * src
Definition: output-json.c:714
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:968
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:117
PacketL4::L4Vars::igmp
IGMPVars igmp
Definition: decode.h:484
LogFileType
LogFileType
Definition: util-logopenfile.h:38
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
SCEveFindFileType
SCEveFileType * SCEveFindFileType(const char *name)
Definition: output-eve.c:82
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:34
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-eve-bindgen.h:36
IGMPVars_::version
uint8_t version
Definition: decode-igmp.h:34
PktVar_
Definition: decode.h:312
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:532
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1255
Flow_::icmp_s
struct Flow_::@121::@127 icmp_s
Flow_::sp
Port sp
Definition: flow.h:352
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
PROG_VER
#define PROG_VER
Definition: suricata.h:76
LogFileTypeCtx_::filetype
SCEveFileType * filetype
Definition: util-logopenfile.h:66
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:68
flow.h
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
Packet_::dp
Port dp
Definition: decode.h:520
PktVar_::key_len
uint16_t key_len
Definition: decode.h:317
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:37
flow-var.h
SCConfNode_::val
char * val
Definition: conf.h:39
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:142
FlowVar_
Definition: flow-var.h:55
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:417
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
PacketL4::vars
union PacketL4::L4Vars vars
LOGFILE_TYPE_FILETYPE
@ LOGFILE_TYPE_FILETYPE
Definition: util-logopenfile.h:44
FlowVar_::datatype
uint8_t datatype
Definition: flow-var.h:57
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:126
output.h
PktVar_::id
uint32_t id
Definition: decode.h:313
SCEveRunCallbacks
void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *jb)
Definition: output-eve.c:53
LogFileCtx_::threaded
bool threaded
Definition: util-logopenfile.h:98
MODULE_NAME
#define MODULE_NAME
Definition: output-json.c:67
SCEveFileType_
Structure used to define an EVE output file type.
Definition: output-eve-bindgen.h:110
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:82