suricata
output-json.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs detection and monitoring events in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 #include "conf.h"
30 
31 #include "util-debug.h"
32 #include "util-time.h"
33 #include "util-var-name.h"
34 #include "util-macset.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 
39 #include "detect-engine.h"
40 #include "util-classification-config.h"
41 #include "util-syslog.h"
42 
43 /* Internal output plugins */
44 #include "output-eve-syslog.h"
45 #include "output-eve-null.h"
46 
47 #include "output.h"
48 #include "output-json.h"
49 
50 #include "util-byte.h"
51 #include "util-print.h"
52 #include "util-proto-name.h"
53 #include "util-optimize.h"
54 #include "util-buffer.h"
55 #include "util-logopenfile.h"
56 #include "util-log-redis.h"
57 #include "util-device-private.h"
58 #include "util-validate.h"
59 
60 #include "flow-var.h"
61 #include "flow-bit.h"
62 #include "flow-storage.h"
63 
64 #include "source-pcap-file-helper.h"
65 
66 #define DEFAULT_LOG_FILENAME "eve.json"
67 #define MODULE_NAME "OutputJSON"
68 
69 #define MAX_JSON_SIZE 2048
70 
71 static void OutputJsonDeInitCtx(OutputCtx *);
72 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed);
73 static int CreateJSONEther(
74  SCJsonBuilder *parent, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir);
75 
76 static const char *TRAFFIC_ID_PREFIX = "traffic/id/";
77 static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
78 static size_t traffic_id_prefix_len = 0;
79 static size_t traffic_label_prefix_len = 0;
80 
81 const JsonAddrInfo json_addr_info_zero;
82 
83 void OutputJsonRegister (void)
84 {
85  OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
86 
87  traffic_id_prefix_len = strlen(TRAFFIC_ID_PREFIX);
88  traffic_label_prefix_len = strlen(TRAFFIC_LABEL_PREFIX);
89 
90  // Register output file types that use the new eve filetype registration
91  // API.
92  SyslogInitialize();
93  NullLogInitialize();
94 }
95 
96 json_t *SCJsonString(const char *val)
97 {
98  if (val == NULL){
99  return NULL;
100  }
101  json_t * retval = json_string(val);
102  char retbuf[MAX_JSON_SIZE] = {0};
103  if (retval == NULL) {
104  uint32_t u = 0;
105  uint32_t offset = 0;
106  for (u = 0; u < strlen(val); u++) {
107  if (isprint(val[u])) {
108  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1, "%c",
109  val[u]);
110  } else {
111  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1,
112  "\\x%02X", val[u]);
113  }
114  }
115  retbuf[offset] = '\0';
116  retval = json_string(retbuf);
117  }
118  return retval;
119 }
120 
121 /* Default Sensor ID value */
122 static int64_t sensor_id = -1; /* -1 = not defined */
123 
124 void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
125 {
126  SCJbSetStringFromBytes(jb, "filename", ff->name, ff->name_len);
127 
128  if (ff->sid_cnt > 0) {
129  SCJbOpenArray(jb, "sid");
130  for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
131  SCJbAppendUint(jb, ff->sid[i]);
132  }
133  SCJbClose(jb);
134  }
135 
136 #ifdef HAVE_MAGIC
137  if (ff->magic)
138  SCJbSetString(jb, "magic", (char *)ff->magic);
139 #endif
140  SCJbSetBool(jb, "gaps", ff->flags & FILE_HAS_GAPS);
141  switch (ff->state) {
142  case FILE_STATE_CLOSED:
143  JB_SET_STRING(jb, "state", "CLOSED");
144  if (ff->flags & FILE_MD5) {
145  SCJbSetHex(jb, "md5", (uint8_t *)ff->md5, (uint32_t)sizeof(ff->md5));
146  }
147  if (ff->flags & FILE_SHA1) {
148  SCJbSetHex(jb, "sha1", (uint8_t *)ff->sha1, (uint32_t)sizeof(ff->sha1));
149  }
150  break;
151  case FILE_STATE_TRUNCATED:
152  JB_SET_STRING(jb, "state", "TRUNCATED");
153  break;
154  case FILE_STATE_ERROR:
155  JB_SET_STRING(jb, "state", "ERROR");
156  break;
157  default:
158  JB_SET_STRING(jb, "state", "UNKNOWN");
159  break;
160  }
161 
162  if (ff->flags & FILE_SHA256) {
163  SCJbSetHex(jb, "sha256", (uint8_t *)ff->sha256, (uint32_t)sizeof(ff->sha256));
164  }
165 
166  if (flags & FILE_STORED) {
167  JB_SET_TRUE(jb, "stored");
168  SCJbSetUint(jb, "file_id", ff->file_store_id);
169  } else {
170  JB_SET_FALSE(jb, "stored");
171  if (flags & FILE_STORE) {
172  JB_SET_TRUE(jb, "storing");
173  }
174  }
175 
176  SCJbSetUint(jb, "size", FileTrackedSize(ff));
177  if (ff->end > 0) {
178  SCJbSetUint(jb, "start", ff->start);
179  SCJbSetUint(jb, "end", ff->end);
180  }
181  SCJbSetUint(jb, "tx_id", tx_id);
182 }
183 
184 static void EveAddPacketVars(const Packet *p, SCJsonBuilder *js_vars)
185 {
186  if (p == NULL || p->pktvar == NULL) {
187  return;
188  }
189  PktVar *pv = p->pktvar;
190  bool open = false;
191  while (pv != NULL) {
192  if (pv->key || pv->id > 0) {
193  if (!open) {
194  SCJbOpenArray(js_vars, "pktvars");
195  open = true;
196  }
197  SCJbStartObject(js_vars);
198 
199  if (pv->key != NULL) {
200  uint32_t offset = 0;
201  DEBUG_VALIDATE_BUG_ON(pv->key_len > UINT16_MAX);
202  uint8_t keybuf[pv->key_len + 1];
203  PrintStringsToBuffer(keybuf, &offset, pv->key_len + 1, pv->key, pv->key_len);
204  SCJbSetPrintAsciiString(js_vars, (char *)keybuf, pv->value, pv->value_len);
205  } else {
206  const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
207  SCJbSetPrintAsciiString(js_vars, varname, pv->value, pv->value_len);
208  }
209  SCJbClose(js_vars);
210  }
211  pv = pv->next;
212  }
213  if (open) {
214  SCJbClose(js_vars);
215  }
216 }
217 
218 /**
219  * \brief Check if string s has prefix prefix.
220  *
221  * \retval true if string has prefix
222  * \retval false if string does not have prefix
223  *
224  * TODO: Move to file with other string handling functions.
225  */
226 static bool SCStringHasPrefix(const char *s, const char *prefix)
227 {
228  if (strncmp(s, prefix, strlen(prefix)) == 0) {
229  return true;
230  }
231  return false;
232 }
233 
234 static void EveAddFlowVars(const Flow *f, SCJsonBuilder *js_root, SCJsonBuilder **js_traffic)
235 {
236  if (f == NULL || f->flowvar == NULL) {
237  return;
238  }
239  SCJsonBuilder *js_flowvars = NULL;
240  SCJsonBuilder *js_traffic_id = NULL;
241  SCJsonBuilder *js_traffic_label = NULL;
242  SCJsonBuilder *js_flowints = NULL;
243  SCJsonBuilder *js_entropyvals = NULL;
244  SCJsonBuilder *js_flowbits = NULL;
245  GenericVar *gv = f->flowvar;
246  while (gv != NULL) {
247  if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
248  FlowVar *fv = (FlowVar *)gv;
249  if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
250  const char *varname = VarNameStoreLookupById(fv->idx,
251  VAR_TYPE_FLOW_VAR);
252  if (varname) {
253  if (js_flowvars == NULL) {
254  js_flowvars = SCJbNewArray();
255  if (js_flowvars == NULL)
256  break;
257  }
258 
259  SCJbStartObject(js_flowvars);
260  SCJbSetPrintAsciiString(
261  js_flowvars, varname, fv->data.fv_str.value, fv->data.fv_str.value_len);
262  SCJbClose(js_flowvars);
263  }
264  } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
265  if (js_flowvars == NULL) {
266  js_flowvars = SCJbNewArray();
267  if (js_flowvars == NULL)
268  break;
269  }
270 
271  // fv->keylen is uint16
272  uint8_t keybuf[fv->keylen + 1];
273  uint32_t offset = 0;
274  PrintStringsToBuffer(keybuf, &offset, fv->keylen + 1, fv->key, fv->keylen);
275 
276  SCJbStartObject(js_flowvars);
277  SCJbSetPrintAsciiString(js_flowvars, (const char *)keybuf, fv->data.fv_str.value,
278  fv->data.fv_str.value_len);
279  SCJbClose(js_flowvars);
280  } else if (fv->datatype == FLOWVAR_TYPE_FLOAT) {
281  const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_FLOAT);
282  if (varname) {
283  if (js_entropyvals == NULL) {
284  js_entropyvals = SCJbNewObject();
285  if (js_entropyvals == NULL)
286  break;
287  }
288  SCJbSetFloat(js_entropyvals, varname, fv->data.fv_float.value);
289  }
290 
291  } else if (fv->datatype == FLOWVAR_TYPE_INT) {
292  const char *varname = VarNameStoreLookupById(fv->idx,
293  VAR_TYPE_FLOW_INT);
294  if (varname) {
295  if (js_flowints == NULL) {
296  js_flowints = SCJbNewObject();
297  if (js_flowints == NULL)
298  break;
299  }
300  SCJbSetUint(js_flowints, varname, fv->data.fv_int.value);
301  }
302  }
303  } else if (gv->type == DETECT_FLOWBITS) {
304  FlowBit *fb = (FlowBit *)gv;
305  const char *varname = VarNameStoreLookupById(fb->idx,
306  VAR_TYPE_FLOW_BIT);
307  if (varname) {
308  if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) {
309  if (js_traffic_id == NULL) {
310  js_traffic_id = SCJbNewArray();
311  if (unlikely(js_traffic_id == NULL)) {
312  break;
313  }
314  }
315  SCJbAppendString(js_traffic_id, &varname[traffic_id_prefix_len]);
316  } else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) {
317  if (js_traffic_label == NULL) {
318  js_traffic_label = SCJbNewArray();
319  if (unlikely(js_traffic_label == NULL)) {
320  break;
321  }
322  }
323  SCJbAppendString(js_traffic_label, &varname[traffic_label_prefix_len]);
324  } else {
325  if (js_flowbits == NULL) {
326  js_flowbits = SCJbNewArray();
327  if (unlikely(js_flowbits == NULL))
328  break;
329  }
330  SCJbAppendString(js_flowbits, varname);
331  }
332  }
333  }
334  gv = gv->next;
335  }
336  if (js_flowbits) {
337  SCJbClose(js_flowbits);
338  SCJbSetObject(js_root, "flowbits", js_flowbits);
339  SCJbFree(js_flowbits);
340  }
341  if (js_flowints) {
342  SCJbClose(js_flowints);
343  SCJbSetObject(js_root, "flowints", js_flowints);
344  SCJbFree(js_flowints);
345  }
346  if (js_entropyvals) {
347  SCJbClose(js_entropyvals);
348  SCJbSetObject(js_root, "entropy", js_entropyvals);
349  SCJbFree(js_entropyvals);
350  }
351  if (js_flowvars) {
352  SCJbClose(js_flowvars);
353  SCJbSetObject(js_root, "flowvars", js_flowvars);
354  SCJbFree(js_flowvars);
355  }
356 
357  if (js_traffic_id != NULL || js_traffic_label != NULL) {
358  *js_traffic = SCJbNewObject();
359  if (likely(*js_traffic != NULL)) {
360  if (js_traffic_id != NULL) {
361  SCJbClose(js_traffic_id);
362  SCJbSetObject(*js_traffic, "id", js_traffic_id);
363  SCJbFree(js_traffic_id);
364  }
365  if (js_traffic_label != NULL) {
366  SCJbClose(js_traffic_label);
367  SCJbSetObject(*js_traffic, "label", js_traffic_label);
368  SCJbFree(js_traffic_label);
369  }
370  SCJbClose(*js_traffic);
371  }
372  }
373 }
374 
375 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
376 {
377  if ((p && p->pktvar) || (f && f->flowvar)) {
378  SCJsonBuilder *js_vars = SCJbNewObject();
379  if (js_vars) {
380  if (f && f->flowvar) {
381  SCJsonBuilder *js_traffic = NULL;
382  EveAddFlowVars(f, js_vars, &js_traffic);
383  if (js_traffic != NULL) {
384  SCJbSetObject(js, "traffic", js_traffic);
385  SCJbFree(js_traffic);
386  }
387  }
388  if (p && p->pktvar) {
389  EveAddPacketVars(p, js_vars);
390  }
391  SCJbClose(js_vars);
392  SCJbSetObject(js, "metadata", js_vars);
393  SCJbFree(js_vars);
394  }
395  }
396 }
397 
398 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
399  SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
400 {
401  if (cfg->include_suricata_version) {
402  SCJbSetString(js, "suricata_version", PROG_VER);
403  }
404  if (cfg->include_metadata) {
405  EveAddMetadata(p, f, js);
406  }
407  if (cfg->include_ethernet) {
408  CreateJSONEther(js, p, f, dir);
409  }
410  if (cfg->include_community_id && f != NULL) {
411  CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
412  }
413  if (f != NULL && f->tenant_id > 0) {
414  SCJbSetUint(js, "tenant_id", f->tenant_id);
415  }
416 }
417 
418 /**
419  * \brief Jsonify a packet
420  *
421  * \param p Packet
422  * \param js JSON object
423  * \param max_length If non-zero, restricts the number of packet data bytes handled.
424  */
425 void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
426 {
427  uint32_t max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
428  SCJbSetBase64(js, "packet", GET_PKT_DATA(p), max_len);
429 
430  if (!SCJbOpenObject(js, "packet_info")) {
431  return;
432  }
433  if (!SCJbSetUint(js, "linktype", p->datalink)) {
434  SCJbClose(js);
435  return;
436  }
437 
438  const char *dl_name = DatalinkValueToName(p->datalink);
439 
440  // Intentionally ignore the return value from SCJbSetString and proceed
441  // so the jb object is closed
442  (void)SCJbSetString(js, "linktype_name", dl_name == NULL ? "n/a" : dl_name);
443 
444  SCJbClose(js);
445 }
446 
447 /** \brief jsonify tcp flags field
448  * Only add 'true' fields in an attempt to keep things reasonably compact.
449  */
450 void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
451 {
452  if (flags & TH_SYN)
453  JB_SET_TRUE(js, "syn");
454  if (flags & TH_FIN)
455  JB_SET_TRUE(js, "fin");
456  if (flags & TH_RST)
457  JB_SET_TRUE(js, "rst");
458  if (flags & TH_PUSH)
459  JB_SET_TRUE(js, "psh");
460  if (flags & TH_ACK)
461  JB_SET_TRUE(js, "ack");
462  if (flags & TH_URG)
463  JB_SET_TRUE(js, "urg");
464  if (flags & TH_ECN)
465  JB_SET_TRUE(js, "ecn");
466  if (flags & TH_CWR)
467  JB_SET_TRUE(js, "cwr");
468 }
469 
470 void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
471 {
472  char srcip[46] = {0}, dstip[46] = {0};
473  Port sp, dp;
474 
475  switch (dir) {
476  case LOG_DIR_PACKET:
477  if (PacketIsIPv4(p)) {
478  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
479  srcip, sizeof(srcip));
480  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
481  dstip, sizeof(dstip));
482  } else if (PacketIsIPv6(p)) {
483  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
484  srcip, sizeof(srcip));
485  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
486  dstip, sizeof(dstip));
487  } else {
488  /* Not an IP packet so don't do anything */
489  return;
490  }
491  sp = p->sp;
492  dp = p->dp;
493  break;
494  case LOG_DIR_FLOW:
495  case LOG_DIR_FLOW_TOSERVER:
496  if ((PKT_IS_TOSERVER(p))) {
497  if (PacketIsIPv4(p)) {
498  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
499  srcip, sizeof(srcip));
500  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
501  dstip, sizeof(dstip));
502  } else if (PacketIsIPv6(p)) {
503  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
504  srcip, sizeof(srcip));
505  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
506  dstip, sizeof(dstip));
507  }
508  sp = p->sp;
509  dp = p->dp;
510  } else {
511  if (PacketIsIPv4(p)) {
512  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
513  srcip, sizeof(srcip));
514  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
515  dstip, sizeof(dstip));
516  } else if (PacketIsIPv6(p)) {
517  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
518  srcip, sizeof(srcip));
519  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
520  dstip, sizeof(dstip));
521  }
522  sp = p->dp;
523  dp = p->sp;
524  }
525  break;
526  case LOG_DIR_FLOW_TOCLIENT:
527  if ((PKT_IS_TOCLIENT(p))) {
528  if (PacketIsIPv4(p)) {
529  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
530  srcip, sizeof(srcip));
531  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
532  dstip, sizeof(dstip));
533  } else if (PacketIsIPv6(p)) {
534  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
535  srcip, sizeof(srcip));
536  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
537  dstip, sizeof(dstip));
538  }
539  sp = p->sp;
540  dp = p->dp;
541  } else {
542  if (PacketIsIPv4(p)) {
543  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
544  srcip, sizeof(srcip));
545  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
546  dstip, sizeof(dstip));
547  } else if (PacketIsIPv6(p)) {
548  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
549  srcip, sizeof(srcip));
550  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
551  dstip, sizeof(dstip));
552  }
553  sp = p->dp;
554  dp = p->sp;
555  }
556  break;
557  default:
558  DEBUG_VALIDATE_BUG_ON(1);
559  return;
560  }
561 
562  strlcpy(addr->src_ip, srcip, JSON_ADDR_LEN);
563  strlcpy(addr->dst_ip, dstip, JSON_ADDR_LEN);
564 
565  switch (p->proto) {
566  case IPPROTO_UDP:
567  case IPPROTO_TCP:
568  case IPPROTO_SCTP:
569  addr->sp = sp;
570  addr->dp = dp;
571  addr->log_port = true;
572  break;
573  default:
574  addr->log_port = false;
575  break;
576  }
577 
578  if (SCProtoNameValid(PacketGetIPProto(p))) {
579  strlcpy(addr->proto, known_proto[PacketGetIPProto(p)], sizeof(addr->proto));
580  } else {
581  snprintf(addr->proto, sizeof(addr->proto), "%" PRIu32, PacketGetIPProto(p));
582  }
583 }
584 
585 #define COMMUNITY_ID_BUF_SIZE 64
586 
587 static bool CalculateCommunityFlowIdv4(const Flow *f,
588  const uint16_t seed, unsigned char *base64buf)
589 {
590  struct {
591  uint16_t seed;
592  uint32_t src;
593  uint32_t dst;
594  uint8_t proto;
595  uint8_t pad0;
596  uint16_t sp;
597  uint16_t dp;
598  } __attribute__((__packed__)) ipv4;
599 
600  uint32_t src = f->src.addr_data32[0];
601  uint32_t dst = f->dst.addr_data32[0];
602  uint16_t sp = f->sp;
603  if (f->proto == IPPROTO_ICMP)
604  sp = f->icmp_s.type;
605  sp = htons(sp);
606  uint16_t dp = f->dp;
607  if (f->proto == IPPROTO_ICMP)
608  dp = f->icmp_d.type;
609  dp = htons(dp);
610 
611  ipv4.seed = htons(seed);
612  if (ntohl(src) < ntohl(dst) || (src == dst && ntohs(sp) < ntohs(dp))) {
613  ipv4.src = src;
614  ipv4.dst = dst;
615  ipv4.sp = sp;
616  ipv4.dp = dp;
617  } else {
618  ipv4.src = dst;
619  ipv4.dst = src;
620  ipv4.sp = dp;
621  ipv4.dp = sp;
622  }
623  ipv4.proto = f->proto;
624  ipv4.pad0 = 0;
625 
626  uint8_t hash[20];
627  if (SCSha1HashBuffer((const uint8_t *)&ipv4, sizeof(ipv4), hash, sizeof(hash)) == 1) {
628  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
629  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
630  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
631  return true;
632  }
633  }
634  return false;
635 }
636 
637 static bool CalculateCommunityFlowIdv6(const Flow *f,
638  const uint16_t seed, unsigned char *base64buf)
639 {
640  struct {
641  uint16_t seed;
642  uint32_t src[4];
643  uint32_t dst[4];
644  uint8_t proto;
645  uint8_t pad0;
646  uint16_t sp;
647  uint16_t dp;
648  } __attribute__((__packed__)) ipv6;
649 
650  uint16_t sp = f->sp;
651  if (f->proto == IPPROTO_ICMPV6)
652  sp = f->icmp_s.type;
653  sp = htons(sp);
654  uint16_t dp = f->dp;
655  if (f->proto == IPPROTO_ICMPV6)
656  dp = f->icmp_d.type;
657  dp = htons(dp);
658 
659  ipv6.seed = htons(seed);
660  int cmp_r = memcmp(&f->src, &f->dst, sizeof(f->src));
661  if ((cmp_r < 0) || (cmp_r == 0 && ntohs(sp) < ntohs(dp))) {
662  memcpy(&ipv6.src, &f->src.addr_data32, 16);
663  memcpy(&ipv6.dst, &f->dst.addr_data32, 16);
664  ipv6.sp = sp;
665  ipv6.dp = dp;
666  } else {
667  memcpy(&ipv6.src, &f->dst.addr_data32, 16);
668  memcpy(&ipv6.dst, &f->src.addr_data32, 16);
669  ipv6.sp = dp;
670  ipv6.dp = sp;
671  }
672  ipv6.proto = f->proto;
673  ipv6.pad0 = 0;
674 
675  uint8_t hash[20];
676  if (SCSha1HashBuffer((const uint8_t *)&ipv6, sizeof(ipv6), hash, sizeof(hash)) == 1) {
677  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
678  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
679  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
680  return true;
681  }
682  }
683  return false;
684 }
685 
686 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed)
687 {
688  unsigned char buf[COMMUNITY_ID_BUF_SIZE];
689  if (f->flags & FLOW_IPV4) {
690  if (CalculateCommunityFlowIdv4(f, seed, buf)) {
691  SCJbSetString(js, "community_id", (const char *)buf);
692  }
693  } else if (f->flags & FLOW_IPV6) {
694  if (CalculateCommunityFlowIdv6(f, seed, buf)) {
695  SCJbSetString(js, "community_id", (const char *)buf);
696  }
697  }
698 }
699 
700 void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
701 {
702  if (f == NULL) {
703  return;
704  }
705  uint64_t flow_id = FlowGetId(f);
706  SCJbSetUint(js, "flow_id", flow_id);
707  if (f->parent_id) {
708  SCJbSetUint(js, "parent_id", f->parent_id);
709  }
710 }
711 
712 void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
713 {
714  char eth_addr[19];
715  (void) snprintf(eth_addr, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
716  val[0], val[1], val[2], val[3], val[4], val[5]);
717  if (is_array) {
718  SCJbAppendString(js, eth_addr);
719  } else {
720  SCJbSetString(js, key, eth_addr);
721  }
722 }
723 
724 /* only required to traverse the MAC address set */
725 typedef struct JSONMACAddrInfo {
726  SCJsonBuilder *src, *dst;
727 } JSONMACAddrInfo;
728 
729 static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
730 {
731  JSONMACAddrInfo *info = (JSONMACAddrInfo*) data;
732  if (side == MAC_SET_DST) {
733  JSONFormatAndAddMACAddr(info->dst, NULL, val, true);
734  } else {
735  JSONFormatAndAddMACAddr(info->src, NULL, val, true);
736  }
737  return 0;
738 }
739 
740 static int CreateJSONEther(
741  SCJsonBuilder *js, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir)
742 {
743  if (p != NULL) {
744  /* this is a packet context, so we need to add scalar fields */
745  if (PacketIsEthernet(p)) {
746  const EthernetHdr *ethh = PacketGetEthernet(p);
747  SCJbOpenObject(js, "ether");
748  SCJbSetUint(js, "ether_type", SCNtohs(ethh->eth_type));
749  const uint8_t *src;
750  const uint8_t *dst;
751  switch (dir) {
752  case LOG_DIR_FLOW_TOSERVER:
753  // fallthrough
754  case LOG_DIR_FLOW:
755  if (PKT_IS_TOCLIENT(p)) {
756  src = ethh->eth_dst;
757  dst = ethh->eth_src;
758  } else {
759  src = ethh->eth_src;
760  dst = ethh->eth_dst;
761  }
762  break;
763  case LOG_DIR_FLOW_TOCLIENT:
764  if (PKT_IS_TOSERVER(p)) {
765  src = ethh->eth_dst;
766  dst = ethh->eth_src;
767  } else {
768  src = ethh->eth_src;
769  dst = ethh->eth_dst;
770  }
771  break;
772  case LOG_DIR_PACKET:
773  default:
774  src = ethh->eth_src;
775  dst = ethh->eth_dst;
776  break;
777  }
778  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
779  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
780  SCJbClose(js);
781  } else if (f != NULL) {
782  /* When pseudopackets do not have associated ethernet metadata,
783  use the first set of mac addresses stored with their flow.
784  The first set of macs should come from the flow's first packet,
785  providing the most fitting representation of the event's ethernet. */
786  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
787  if (ms != NULL && MacSetSize(ms) > 0) {
788  uint8_t *src = MacSetGetFirst(ms, MAC_SET_SRC);
789  uint8_t *dst = MacSetGetFirst(ms, MAC_SET_DST);
790  if (dst != NULL && src != NULL) {
791  SCJbOpenObject(js, "ether");
792  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
793  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
794  SCJbClose(js);
795  }
796  }
797  }
798  } else if (f != NULL) {
799  /* we are creating an ether object in a flow context, so we need to
800  append to arrays */
801  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
802  if (ms != NULL && MacSetSize(ms) > 0) {
803  SCJbOpenObject(js, "ether");
804  JSONMACAddrInfo info;
805  info.dst = SCJbNewArray();
806  info.src = SCJbNewArray();
807  int ret = MacSetForEach(ms, MacSetIterateToJSON, &info);
808  if (unlikely(ret != 0)) {
809  /* should not happen, JSONFlowAppendMACAddrs is sane */
810  SCJbFree(info.dst);
811  SCJbFree(info.src);
812  SCJbClose(js);
813  return ret;
814  }
815  SCJbClose(info.dst);
816  SCJbClose(info.src);
817  /* case is handling netflow too so may need to revert */
818  if (dir == LOG_DIR_FLOW_TOCLIENT) {
819  SCJbSetObject(js, "dest_macs", info.src);
820  SCJbSetObject(js, "src_macs", info.dst);
821  } else {
822  DEBUG_VALIDATE_BUG_ON(dir != LOG_DIR_FLOW_TOSERVER && dir != LOG_DIR_FLOW);
823  SCJbSetObject(js, "dest_macs", info.dst);
824  SCJbSetObject(js, "src_macs", info.src);
825  }
826  SCJbFree(info.dst);
827  SCJbFree(info.src);
828  SCJbClose(js);
829  }
830  }
831  return 0;
832 }
833 
834 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,
835  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
836 {
837  char timebuf[64];
838  const Flow *f = (const Flow *)p->flow;
839 
840  SCJsonBuilder *js = SCJbNewObject();
841  if (unlikely(js == NULL)) {
842  return NULL;
843  }
844 
845  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
846 
847  SCJbSetString(js, "timestamp", timebuf);
848 
849  CreateEveFlowId(js, f);
850 
851  /* sensor id */
852  if (sensor_id >= 0) {
853  SCJbSetUint(js, "sensor_id", sensor_id);
854  }
855 
856  /* input interface */
857  if (p->livedev) {
858  SCJbSetString(js, "in_iface", p->livedev->dev);
859  }
860 
861  /* pcap_cnt */
862  uint64_t pcap_cnt = PcapPacketCntGet(p);
863  if (pcap_cnt != 0) {
864  SCJbSetUint(js, "pcap_cnt", pcap_cnt);
865  }
866 
867  if (event_type) {
868  SCJbSetString(js, "event_type", event_type);
869  }
870 
871  /* vlan */
872  if (p->vlan_idx > 0) {
873  SCJbOpenArray(js, "vlan");
874  SCJbAppendUint(js, p->vlan_id[0]);
875  if (p->vlan_idx > 1) {
876  SCJbAppendUint(js, p->vlan_id[1]);
877  }
878  if (p->vlan_idx > 2) {
879  SCJbAppendUint(js, p->vlan_id[2]);
880  }
881  SCJbClose(js);
882  }
883 
884  /* 5-tuple */
885  JsonAddrInfo addr_info = json_addr_info_zero;
886  if (addr == NULL) {
887  JsonAddrInfoInit(p, dir, &addr_info);
888  addr = &addr_info;
889  }
890  if (addr->src_ip[0] != '\0') {
891  SCJbSetString(js, "src_ip", addr->src_ip);
892  }
893  if (addr->log_port) {
894  SCJbSetUint(js, "src_port", addr->sp);
895  }
896  if (addr->dst_ip[0] != '\0') {
897  SCJbSetString(js, "dest_ip", addr->dst_ip);
898  }
899  if (addr->log_port) {
900  SCJbSetUint(js, "dest_port", addr->dp);
901  }
902  if (addr->proto[0] != '\0') {
903  SCJbSetString(js, "proto", addr->proto);
904  }
905 
906  /* ip version */
907  if (PacketIsIPv4(p)) {
908  SCJbSetUint(js, "ip_v", 4);
909  } else if (PacketIsIPv6(p)) {
910  SCJbSetUint(js, "ip_v", 6);
911  }
912 
913  /* icmp */
914  switch (p->proto) {
915  case IPPROTO_ICMP:
916  if (PacketIsICMPv4(p)) {
917  SCJbSetUint(js, "icmp_type", p->icmp_s.type);
918  SCJbSetUint(js, "icmp_code", p->icmp_s.code);
919  }
920  break;
921  case IPPROTO_ICMPV6:
922  if (PacketIsICMPv6(p)) {
923  SCJbSetUint(js, "icmp_type", PacketGetICMPv6(p)->type);
924  SCJbSetUint(js, "icmp_code", PacketGetICMPv6(p)->code);
925  }
926  break;
927  }
928 
929  SCJbSetString(js, "pkt_src", PktSrcToString(p->pkt_src));
930 
931  if (eve_ctx != NULL) {
932  EveAddCommonOptions(&eve_ctx->cfg, p, f, js, dir);
933  }
934 
935  return js;
936 }
937 
938 SCJsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir,
939  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
940 {
941  SCJsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, eve_ctx);
942  if (unlikely(js == NULL))
943  return NULL;
944 
945  /* tx id for correlation with other events */
946  SCJbSetUint(js, "tx_id", tx_id);
947 
948  return js;
949 }
950 
951 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
952 {
953  OutputJSONMemBufferWrapper *wrapper = data;
954  MemBuffer **memb = wrapper->buffer;
955 
956  if (MEMBUFFER_OFFSET(*memb) + size >= MEMBUFFER_SIZE(*memb)) {
957  MemBufferExpand(memb, wrapper->expand_by);
958  }
959 
960  DEBUG_VALIDATE_BUG_ON(size > UINT32_MAX);
961  MemBufferWriteRaw((*memb), (const uint8_t *)str, (uint32_t)size);
962  return 0;
963 }
964 
965 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
966 {
967  if (file_ctx->sensor_name) {
968  json_object_set_new(js, "host",
969  json_string(file_ctx->sensor_name));
970  }
971 
972  if (file_ctx->is_pcap_offline) {
973  json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
974  }
975 
976  if (file_ctx->prefix) {
977  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
978  }
979 
980  OutputJSONMemBufferWrapper wrapper = {
981  .buffer = buffer,
982  .expand_by = JSON_OUTPUT_BUFFER_SIZE
983  };
984 
985  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
986  file_ctx->json_flags);
987  if (r != 0)
988  return TM_ECODE_OK;
989 
990  LogFileWrite(file_ctx, *buffer);
991  return 0;
992 }
993 
994 void OutputJsonFlush(OutputJsonThreadCtx *ctx)
995 {
996  LogFileCtx *file_ctx = ctx->file_ctx;
997  LogFileFlush(file_ctx);
998 }
999 
1000 void OutputJsonBuilderBuffer(
1001  ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
1002 {
1003  LogFileCtx *file_ctx = ctx->file_ctx;
1004  MemBuffer **buffer = &ctx->buffer;
1005  if (file_ctx->sensor_name) {
1006  SCJbSetString(js, "host", file_ctx->sensor_name);
1007  }
1008 
1009  if (file_ctx->is_pcap_offline) {
1010  SCJbSetString(js, "pcap_filename", PcapFileGetFilename());
1011  }
1012 
1013  SCEveRunCallbacks(tv, p, f, js);
1014 
1015  SCJbClose(js);
1016 
1017  MemBufferReset(*buffer);
1018 
1019  if (file_ctx->prefix) {
1020  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
1021  }
1022 
1023  size_t jslen = SCJbLen(js);
1024  DEBUG_VALIDATE_BUG_ON(SCJbLen(js) > UINT32_MAX);
1025  size_t remaining = MEMBUFFER_SIZE(*buffer) - MEMBUFFER_OFFSET(*buffer);
1026  if (jslen >= remaining) {
1027  size_t expand_by = jslen + 1 - remaining;
1028  if (MemBufferExpand(buffer, (uint32_t)expand_by) < 0) {
1029  if (!ctx->too_large_warning) {
1030  /* Log a warning once, and include enough of the log
1031  * message to hopefully identify the event_type. */
1032  char partial[120];
1033  size_t partial_len = MIN(sizeof(partial), jslen);
1034  memcpy(partial, SCJbPtr(js), partial_len - 1);
1035  partial[partial_len - 1] = '\0';
1036  SCLogWarning("Formatted JSON EVE record too large, will be dropped: %s", partial);
1037  ctx->too_large_warning = true;
1038  }
1039  return;
1040  }
1041  }
1042 
1043  MemBufferWriteRaw((*buffer), SCJbPtr(js), (uint32_t)jslen);
1044  LogFileWrite(file_ctx, *buffer);
1045 }
1046 
1047 static inline enum LogFileType FileTypeFromConf(const char *typestr)
1048 {
1049  enum LogFileType log_filetype = LOGFILE_TYPE_NOTSET;
1050 
1051  if (typestr == NULL) {
1052  log_filetype = LOGFILE_TYPE_FILE;
1053  } else if (strcmp(typestr, "file") == 0 || strcmp(typestr, "regular") == 0) {
1054  log_filetype = LOGFILE_TYPE_FILE;
1055  } else if (strcmp(typestr, "unix_dgram") == 0) {
1056  log_filetype = LOGFILE_TYPE_UNIX_DGRAM;
1057  } else if (strcmp(typestr, "unix_stream") == 0) {
1058  log_filetype = LOGFILE_TYPE_UNIX_STREAM;
1059  } else if (strcmp(typestr, "redis") == 0) {
1060 #ifdef HAVE_LIBHIREDIS
1061  log_filetype = LOGFILE_TYPE_REDIS;
1062 #else
1063  FatalError("redis JSON output option is not compiled");
1064 #endif
1065  }
1066  SCLogDebug("type %s, file type value %d", typestr, log_filetype);
1067  return log_filetype;
1068 }
1069 
1070 static int LogFileTypePrepare(
1071  OutputJsonCtx *json_ctx, enum LogFileType log_filetype, SCConfNode *conf)
1072 {
1073 
1074  if (log_filetype == LOGFILE_TYPE_FILE || log_filetype == LOGFILE_TYPE_UNIX_DGRAM ||
1075  log_filetype == LOGFILE_TYPE_UNIX_STREAM) {
1076  if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
1077  return -1;
1078  }
1079  }
1080 #ifdef HAVE_LIBHIREDIS
1081  else if (log_filetype == LOGFILE_TYPE_REDIS) {
1082  SCLogRedisInit();
1083  SCConfNode *redis_node = SCConfNodeLookupChild(conf, "redis");
1084  if (!json_ctx->file_ctx->sensor_name) {
1085  char hostname[1024];
1086  gethostname(hostname, 1023);
1087  json_ctx->file_ctx->sensor_name = SCStrdup(hostname);
1088  }
1089  if (json_ctx->file_ctx->sensor_name == NULL) {
1090  return -1;
1091  }
1092 
1093  if (SCConfLogOpenRedis(redis_node, json_ctx->file_ctx) < 0) {
1094  return -1;
1095  }
1096  }
1097 #endif
1098  else if (log_filetype == LOGFILE_TYPE_FILETYPE) {
1099  if (json_ctx->file_ctx->threaded) {
1100  /* Prepare for threaded log output. */
1101  if (!SCLogOpenThreadedFile(NULL, NULL, json_ctx->file_ctx)) {
1102  return -1;
1103  }
1104  }
1105  if (json_ctx->filetype->Init(conf, json_ctx->file_ctx->threaded,
1106  &json_ctx->file_ctx->filetype.init_data) < 0) {
1107  return -1;
1108  }
1109  if (json_ctx->filetype->ThreadInit) {
1110  if (json_ctx->filetype->ThreadInit(json_ctx->file_ctx->filetype.init_data, 0,
1111  &json_ctx->file_ctx->filetype.thread_data) < 0) {
1112  return -1;
1113  }
1114  }
1115  json_ctx->file_ctx->filetype.filetype = json_ctx->filetype;
1116  }
1117 
1118  return 0;
1119 }
1120 
1121 /**
1122  * \brief Create a new LogFileCtx for "fast" output style.
1123  * \param conf The configuration node for this output.
1124  * \return A LogFileCtx pointer on success, NULL on failure.
1125  */
1126 OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
1127 {
1128  OutputInitResult result = { NULL, false };
1129  OutputCtx *output_ctx = NULL;
1130 
1131  OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));
1132  if (unlikely(json_ctx == NULL)) {
1133  SCLogDebug("could not create new OutputJsonCtx");
1134  return result;
1135  }
1136 
1137  /* First lookup a sensor-name value in this outputs configuration
1138  * node (deprecated). If that fails, lookup the global one. */
1139  const char *sensor_name = SCConfNodeLookupChildValue(conf, "sensor-name");
1140  if (sensor_name != NULL) {
1141  SCLogWarning("Found deprecated eve-log setting \"sensor-name\". "
1142  "Please set sensor-name globally.");
1143  }
1144  else {
1145  (void)SCConfGet("sensor-name", &sensor_name);
1146  }
1147 
1148  json_ctx->file_ctx = LogFileNewCtx();
1149  if (unlikely(json_ctx->file_ctx == NULL)) {
1150  SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
1151  goto error_exit;
1152  }
1153 
1154  if (sensor_name) {
1155  json_ctx->file_ctx->sensor_name = SCStrdup(sensor_name);
1156  if (json_ctx->file_ctx->sensor_name == NULL) {
1157  goto error_exit;
1158  }
1159  } else {
1160  json_ctx->file_ctx->sensor_name = NULL;
1161  }
1162 
1163  output_ctx = SCCalloc(1, sizeof(OutputCtx));
1164  if (unlikely(output_ctx == NULL)) {
1165  goto error_exit;
1166  }
1167 
1168  output_ctx->data = json_ctx;
1169  output_ctx->DeInit = OutputJsonDeInitCtx;
1170 
1171  if (conf) {
1172  const char *output_s = SCConfNodeLookupChildValue(conf, "filetype");
1173  // Backwards compatibility
1174  if (output_s == NULL) {
1175  output_s = SCConfNodeLookupChildValue(conf, "type");
1176  }
1177 
1178  enum LogFileType log_filetype = FileTypeFromConf(output_s);
1179  if (log_filetype == LOGFILE_TYPE_NOTSET) {
1180  SCEveFileType *filetype = SCEveFindFileType(output_s);
1181  if (filetype != NULL) {
1182  log_filetype = LOGFILE_TYPE_FILETYPE;
1183  json_ctx->filetype = filetype;
1184  } else
1185  FatalError("Invalid JSON output option: %s", output_s);
1186  }
1187 
1188  const char *prefix = SCConfNodeLookupChildValue(conf, "prefix");
1189  if (prefix != NULL)
1190  {
1191  SCLogInfo("Using prefix '%s' for JSON messages", prefix);
1192  json_ctx->file_ctx->prefix = SCStrdup(prefix);
1193  if (json_ctx->file_ctx->prefix == NULL)
1194  {
1195  FatalError("Failed to allocate memory for eve-log.prefix setting.");
1196  }
1197  json_ctx->file_ctx->prefix_len = (uint32_t)strlen(prefix);
1198  }
1199 
1200  /* Threaded file output */
1201  const SCConfNode *threaded = SCConfNodeLookupChild(conf, "threaded");
1202  if (threaded && threaded->val && SCConfValIsTrue(threaded->val)) {
1203  SCLogConfig("Threaded EVE logging configured");
1204  json_ctx->file_ctx->threaded = true;
1205  } else {
1206  json_ctx->file_ctx->threaded = false;
1207  }
1208  if (LogFileTypePrepare(json_ctx, log_filetype, conf) < 0) {
1209  goto error_exit;
1210  }
1211 
1212  const char *sensor_id_s = SCConfNodeLookupChildValue(conf, "sensor-id");
1213  if (sensor_id_s != NULL) {
1214  if (StringParseUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) < 0) {
1215  FatalError("Failed to initialize JSON output, "
1216  "invalid sensor-id: %s",
1217  sensor_id_s);
1218  }
1219  }
1220 
1221  /* Check if top-level metadata should be logged. */
1222  const SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
1223  if (metadata && metadata->val && SCConfValIsFalse(metadata->val)) {
1224  SCLogConfig("Disabling eve metadata logging.");
1225  json_ctx->cfg.include_metadata = false;
1226  } else {
1227  json_ctx->cfg.include_metadata = true;
1228  }
1229 
1230  /* Check if ethernet information should be logged. */
1231  const SCConfNode *ethernet = SCConfNodeLookupChild(conf, "ethernet");
1232  if (ethernet && ethernet->val && SCConfValIsTrue(ethernet->val)) {
1233  SCLogConfig("Enabling Ethernet MAC address logging.");
1234  json_ctx->cfg.include_ethernet = true;
1235  } else {
1236  json_ctx->cfg.include_ethernet = false;
1237  }
1238 
1239  const SCConfNode *suriver = SCConfNodeLookupChild(conf, "suricata-version");
1240  if (suriver && suriver->val && SCConfValIsTrue(suriver->val)) {
1241  SCLogConfig("Enabling Suricata version logging.");
1242  json_ctx->cfg.include_suricata_version = true;
1243  } else {
1244  json_ctx->cfg.include_suricata_version = false;
1245  }
1246 
1247  /* See if we want to enable the community id */
1248  const SCConfNode *community_id = SCConfNodeLookupChild(conf, "community-id");
1249  if (community_id && community_id->val && SCConfValIsTrue(community_id->val)) {
1250  SCLogConfig("Enabling eve community_id logging.");
1251  json_ctx->cfg.include_community_id = true;
1252  } else {
1253  json_ctx->cfg.include_community_id = false;
1254  }
1255  const char *cid_seed = SCConfNodeLookupChildValue(conf, "community-id-seed");
1256  if (cid_seed != NULL) {
1257  if (StringParseUint16(&json_ctx->cfg.community_id_seed,
1258  10, 0, cid_seed) < 0)
1259  {
1260  FatalError("Failed to initialize JSON output, "
1261  "invalid community-id-seed: %s",
1262  cid_seed);
1263  }
1264  }
1265 
1266  /* Do we have a global eve xff configuration? */
1267  const SCConfNode *xff = SCConfNodeLookupChild(conf, "xff");
1268  if (xff != NULL) {
1269  json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1270  if (likely(json_ctx->xff_cfg != NULL)) {
1271  HttpXFFGetCfg(conf, json_ctx->xff_cfg);
1272  }
1273  }
1274 
1275  const char *pcapfile_s = SCConfNodeLookupChildValue(conf, "pcap-file");
1276  if (pcapfile_s != NULL && SCConfValIsTrue(pcapfile_s)) {
1277  json_ctx->file_ctx->is_pcap_offline =
1278  (SCRunmodeGet() == RUNMODE_PCAP_FILE || SCRunmodeGet() == RUNMODE_UNIX_SOCKET);
1279  }
1280  json_ctx->file_ctx->type = log_filetype;
1281  }
1282 
1283  SCLogDebug("returning output_ctx %p", output_ctx);
1284 
1285  result.ctx = output_ctx;
1286  result.ok = true;
1287  return result;
1288 
1289 error_exit:
1290  if (json_ctx->file_ctx) {
1291  if (json_ctx->file_ctx->prefix) {
1292  SCFree(json_ctx->file_ctx->prefix);
1293  }
1294  LogFileFreeCtx(json_ctx->file_ctx);
1295  }
1296  SCFree(json_ctx);
1297 
1298  if (output_ctx) {
1299  SCFree(output_ctx);
1300  }
1301  return result;
1302 }
1303 
1304 static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
1305 {
1306  OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data;
1307  LogFileCtx *logfile_ctx = json_ctx->file_ctx;
1308  if (logfile_ctx->dropped) {
1309  SCLogWarning("%" PRIu64 " events were dropped due to slow or "
1310  "disconnected socket",
1311  logfile_ctx->dropped);
1312  }
1313  if (json_ctx->xff_cfg != NULL) {
1314  SCFree(json_ctx->xff_cfg);
1315  }
1316  LogFileFreeCtx(logfile_ctx);
1317  SCFree(json_ctx);
1318  SCFree(output_ctx);
1319 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:239
FlowVar_::fv_float
FlowVarTypeFloat fv_float
Definition: flow-var.h:66
util-device-private.h
util-byte.h
MacSetSide
MacSetSide
Definition: util-macset.h:28
Packet_::proto
uint8_t proto
Definition: decode.h:523
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:994
pad0
uint8_t pad0
Definition: decode-template.h:1
SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition: output-eve-bindgen.h:31
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:552
detect-engine.h
LOGFILE_TYPE_REDIS
@ LOGFILE_TYPE_REDIS
Definition: util-logopenfile.h:42
LogFileCtx_::sensor_name
char * sensor_name
Definition: util-logopenfile.h:115
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:78
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:219
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:112
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:706
PcapPacketCntGet
uint64_t PcapPacketCntGet(const Packet *p)
Definition: decode.c:1104
MemBufferExpand
int MemBufferExpand(MemBuffer **buffer, uint32_t expand_by)
expand membuffer by size of 'expand_by'
Definition: util-buffer.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
Flow_::proto
uint8_t proto
Definition: flow.h:369
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:41
LogFileFlush
void LogFileFlush(LogFileCtx *file_ctx)
Definition: util-logopenfile.c:985
FLOWVAR_TYPE_STR
#define FLOWVAR_TYPE_STR
Definition: flow-var.h:33
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:834
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:56
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
util-macset.h
OutputJsonCtx_
Definition: output-json.h:75
LogFileCtx_::json_flags
size_t json_flags
Definition: util-logopenfile.h:150
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:529
Flow_
Flow data structure.
Definition: flow.h:347
File_::state
FileState state
Definition: util-file.h:142
OutputJsonCommonSettings_
Definition: output-json.h:64
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
util-syslog.h
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:296
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:351
PktVar_::next
struct PktVar_ * next
Definition: decode.h:313
FILE_STORE
#define FILE_STORE
Definition: util-file.h:115
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:145
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:64
FlowVar_::keylen
FlowVarKeyLenType keylen
Definition: flow-var.h:58
LOGFILE_TYPE_NOTSET
@ LOGFILE_TYPE_NOTSET
Definition: util-logopenfile.h:45
SCProtoNameValid
bool SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:450
EveTcpFlags
void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:450
output-eve-null.h
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
flow-bit.h
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
util-log-redis.h
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-eve-bindgen.h:35
COMMUNITY_ID_BUF_SIZE
#define COMMUNITY_ID_BUF_SIZE
Definition: output-json.c:585
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:66
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:577
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:60
known_proto
const char * known_proto[256]
Definition: util-proto-name.c:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:1000
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:133
proto
uint8_t proto
Definition: decode-template.h:0
CreateEveFlowId
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
Definition: output-json.c:700
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:855
Flow_::dp
Port dp
Definition: flow.h:363
JSONMACAddrInfo::dst
SCJsonBuilder * dst
Definition: output-json.c:726
FLOWVAR_TYPE_INT
#define FLOWVAR_TYPE_INT
Definition: flow-var.h:34
JSONMACAddrInfo
struct JSONMACAddrInfo JSONMACAddrInfo
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:156
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:204
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
OutputJsonCommonSettings_::include_suricata_version
bool include_suricata_version
Definition: output-json.h:68
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:91
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
OutputCtx_
Definition: tm-modules.h:88
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputJsonThreadCtx_
Definition: output-json.h:83
Packet_::icmp_s
struct Packet_::@32::@39 icmp_s
Packet_::datalink
int datalink
Definition: decode.h:635
File_::name_len
uint16_t name_len
Definition: util-file.h:141
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:65
LogFileCtx_::filetype
LogFileTypeCtx filetype
Definition: util-logopenfile.h:91
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:470
Flow_::dst
FlowAddress dst
Definition: flow.h:350
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:154
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:283
LogFileWrite
int LogFileWrite(LogFileCtx *file_ctx, MemBuffer *buffer)
Definition: util-logopenfile.c:991
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:33
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:597
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:57
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:199
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json.c:66
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
Definition: output-json.c:398
File_::end
uint64_t end
Definition: util-file.h:166
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:62
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LogFileCtx_::prefix_len
uint32_t prefix_len
Definition: util-logopenfile.h:132
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:60
Packet_::ts
SCTime_t ts
Definition: decode.h:555
output-json.h
FlowVar_::idx
uint32_t idx
Definition: flow-var.h:59
JSONMACAddrInfo
Definition: output-json.c:725
PktVar_::value
uint8_t * value
Definition: decode.h:319
OutputRegisterModule
void OutputRegisterModule(const char *, const char *, OutputInitFunc)
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1126
util-print.h
FlowVar_::key
uint8_t * key
Definition: flow-var.h:68
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:231
FlowVarTypeFloat_::value
double value
Definition: flow-var.h:51
Packet_::sp
Port sp
Definition: decode.h:508
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:325
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:873
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:34
OutputInitResult_::ok
bool ok
Definition: output.h:48
LiveDevice_::dev
char * dev
Definition: util-device-private.h:33
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
PktVar_::key
uint8_t * key
Definition: decode.h:318
SyslogInitialize
void SyslogInitialize(void)
Definition: output-eve-syslog.c:99
LogFileCtx_::type
enum LogFileType type
Definition: util-logopenfile.h:103
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-eve-bindgen.h:33
LOGFILE_TYPE_FILE
@ LOGFILE_TYPE_FILE
Definition: util-logopenfile.h:39
MAC_SET_DST
@ MAC_SET_DST
Definition: util-macset.h:28
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:48
JsonAddrInfo_
Definition: output-json.h:41
source-pcap-file-helper.h
NullLogInitialize
void NullLogInitialize(void)
Definition: output-eve-null.c:66
Packet_
Definition: decode.h:501
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
OutputJSONMemBufferWrapper_
Definition: output-json.h:59
type
uint16_t type
Definition: decode-vlan.c:106
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
MacSet_
Definition: util-macset.c:45
conf.h
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:712
Port
uint16_t Port
Definition: decode.h:218
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:618
File_::name
uint8_t * name
Definition: util-file.h:148
TH_ECN
#define TH_ECN
Definition: decode-tcp.h:41
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOGFILE_TYPE_UNIX_DGRAM
@ LOGFILE_TYPE_UNIX_DGRAM
Definition: util-logopenfile.h:40
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:113
LogFileTypeCtx_::thread_data
void * thread_data
Definition: util-logopenfile.h:68
SCLogOpenThreadedFile
bool SCLogOpenThreadedFile(const char *log_path, const char *append, LogFileCtx *parent_ctx)
Definition: util-logopenfile.c:375
util-proto-name.h
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:67
__attribute__
typedef __attribute__
DNP3 application header.
File_::sid
uint32_t * sid
Definition: util-file.h:168
LOGFILE_TYPE_UNIX_STREAM
@ LOGFILE_TYPE_UNIX_STREAM
Definition: util-logopenfile.h:41
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:425
MemBuffer_
Definition: util-buffer.h:27
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:169
TH_URG
#define TH_URG
Definition: decode-tcp.h:39
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition: output-json.c:375
VAR_TYPE_FLOW_FLOAT
@ VAR_TYPE_FLOW_FLOAT
Definition: util-var.h:38
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:46
Flow_::src
FlowAddress src
Definition: flow.h:350
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:480
SCEveFileType_::Init
int(* Init)(const SCConfNode *conf, const bool threaded, void **init_data)
Function to initialize this filetype.
Definition: output-eve.h:103
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:65
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
MAC_SET_SRC
@ MAC_SET_SRC
Definition: util-macset.h:28
File_::flags
uint16_t flags
Definition: util-file.h:140
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:827
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:131
File_
Definition: util-file.h:139
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
flow-storage.h
OutputInitResult_
Definition: output.h:46
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:40
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
StringParseUint64
int StringParseUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:264
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:198
PrintBufferData
#define PrintBufferData(buf, buf_offset_ptr, buf_size,...)
Definition: util-print.h:27
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:61
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:431
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:101
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:94
Flow_::icmp_d
struct Flow_::@123::@129 icmp_d
LogFileTypeCtx_::init_data
void * init_data
Definition: util-logopenfile.h:67
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:306
MacSetSize
int MacSetSize(const MacSet *ms)
Definition: util-macset.c:246
GenericVar_
Definition: util-var.h:53
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
FILE_STORED
#define FILE_STORED
Definition: util-file.h:116
FLOWVAR_TYPE_FLOAT
#define FLOWVAR_TYPE_FLOAT
Definition: flow-var.h:35
FILE_MD5
#define FILE_MD5
Definition: util-file.h:108
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:920
output-eve-syslog.h
util-classification-config.h
CreateEveHeaderWithTxId
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:938
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:517
Flow_::parent_id
int64_t parent_id
Definition: flow.h:421
FlowBit_::idx
uint32_t idx
Definition: flow-bit.h:33
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:59
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:158
File_::start
uint64_t start
Definition: util-file.h:165
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:35
util-optimize.h
util-validate.h
FlowVar_::data
union FlowVar_::@116 data
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
FlowBit_
Definition: flow-bit.h:30
str
#define str(s)
Definition: suricata-common.h:308
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(SCConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:480
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:203
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:611
util-logopenfile.h
MacSetGetFirst
uint8_t * MacSetGetFirst(const MacSet *ms, MacSetSide side)
Definition: util-macset.c:233
MEMBUFFER_SIZE
#define MEMBUFFER_SIZE(mem_buffer)
Get the MemBuffers current size.
Definition: util-buffer.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:412
src
uint16_t src
Definition: app-layer-dnp3.h:5
util-buffer.h
TH_CWR
#define TH_CWR
Definition: decode-tcp.h:43
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:39
MacSetForEach
int MacSetForEach(const MacSet *ms, MacSetIteratorFunc IterFunc, void *data)
Definition: util-macset.c:220
LogFileCtx_::prefix
char * prefix
Definition: util-logopenfile.h:131
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
LogFileCtx_::is_pcap_offline
bool is_pcap_offline
Definition: util-logopenfile.h:156
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition: source-pcap-file-helper.c:118
GenericVar_::type
uint16_t type
Definition: util-var.h:54
PktVar_::value_len
uint16_t value_len
Definition: decode.h:317
MAX_JSON_SIZE
#define MAX_JSON_SIZE
Definition: output-json.c:69
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:951
JSONMACAddrInfo::src
SCJsonBuilder * src
Definition: output-json.c:726
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:965
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:110
LogFileType
LogFileType
Definition: util-logopenfile.h:38
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
SCEveFindFileType
SCEveFileType * SCEveFindFileType(const char *name)
Definition: output-eve.c:82
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-eve-bindgen.h:34
PktVar_
Definition: decode.h:311
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:528
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1229
Flow_::icmp_s
struct Flow_::@121::@127 icmp_s
SCEveFileType_::ThreadInit
int(* ThreadInit)(const void *init_data, const ThreadId thread_id, void **thread_data)
Initialize thread specific data.
Definition: output-eve.h:124
Flow_::sp
Port sp
Definition: flow.h:352
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
PROG_VER
#define PROG_VER
Definition: suricata.h:76
LogFileTypeCtx_::filetype
SCEveFileType * filetype
Definition: util-logopenfile.h:66
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:69
flow.h
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
Packet_::dp
Port dp
Definition: decode.h:516
PktVar_::key_len
uint16_t key_len
Definition: decode.h:316
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:37
flow-var.h
SCConfNode_::val
char * val
Definition: conf.h:39
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:135
FlowVar_
Definition: flow-var.h:55
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:407
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
LOGFILE_TYPE_FILETYPE
@ LOGFILE_TYPE_FILETYPE
Definition: util-logopenfile.h:44
FlowVar_::datatype
uint8_t datatype
Definition: flow-var.h:57
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:119
output.h
PktVar_::id
uint32_t id
Definition: decode.h:312
SCEveRunCallbacks
void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *jb)
Definition: output-eve.c:53
LogFileCtx_::threaded
bool threaded
Definition: util-logopenfile.h:98
MODULE_NAME
#define MODULE_NAME
Definition: output-json.c:67
SCEveFileType_
Structure used to define an EVE output file type.
Definition: output-eve.h:73
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:80