suricata
output-json.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs detection and monitoring events in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 #include "conf.h"
30 
31 #include "util-debug.h"
32 #include "util-time.h"
33 #include "util-var-name.h"
34 #include "util-macset.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 
39 #include "detect-engine.h"
40 #include "util-classification-config.h"
41 #include "util-syslog.h"
42 
43 /* Internal output plugins */
44 #include "output-eve-syslog.h"
45 #include "output-eve-null.h"
46 
47 #include "output.h"
48 #include "output-json.h"
49 
50 #include "util-byte.h"
51 #include "util-print.h"
52 #include "util-proto-name.h"
53 #include "util-optimize.h"
54 #include "util-buffer.h"
55 #include "util-logopenfile.h"
56 #include "util-log-redis.h"
57 #include "util-device.h"
58 #include "util-validate.h"
59 
60 #include "flow-var.h"
61 #include "flow-bit.h"
62 #include "flow-storage.h"
63 
64 #include "source-pcap-file-helper.h"
65 
66 #define DEFAULT_LOG_FILENAME "eve.json"
67 #define MODULE_NAME "OutputJSON"
68 
69 #define MAX_JSON_SIZE 2048
70 
71 static void OutputJsonDeInitCtx(OutputCtx *);
72 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed);
73 static int CreateJSONEther(
74  SCJsonBuilder *parent, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir);
75 
76 static const char *TRAFFIC_ID_PREFIX = "traffic/id/";
77 static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
78 static size_t traffic_id_prefix_len = 0;
79 static size_t traffic_label_prefix_len = 0;
80 
81 const JsonAddrInfo json_addr_info_zero;
82 
83 void OutputJsonRegister (void)
84 {
85  OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
86 
87  traffic_id_prefix_len = strlen(TRAFFIC_ID_PREFIX);
88  traffic_label_prefix_len = strlen(TRAFFIC_LABEL_PREFIX);
89 
90  // Register output file types that use the new eve filetype registration
91  // API.
92  SyslogInitialize();
93  NullLogInitialize();
94 }
95 
96 json_t *SCJsonString(const char *val)
97 {
98  if (val == NULL){
99  return NULL;
100  }
101  json_t * retval = json_string(val);
102  char retbuf[MAX_JSON_SIZE] = {0};
103  if (retval == NULL) {
104  uint32_t u = 0;
105  uint32_t offset = 0;
106  for (u = 0; u < strlen(val); u++) {
107  if (isprint(val[u])) {
108  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1, "%c",
109  val[u]);
110  } else {
111  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1,
112  "\\x%02X", val[u]);
113  }
114  }
115  retbuf[offset] = '\0';
116  retval = json_string(retbuf);
117  }
118  return retval;
119 }
120 
121 /* Default Sensor ID value */
122 static int64_t sensor_id = -1; /* -1 = not defined */
123 
124 void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
125 {
126  SCJbSetStringFromBytes(jb, "filename", ff->name, ff->name_len);
127 
128  if (ff->sid_cnt > 0) {
129  SCJbOpenArray(jb, "sid");
130  for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
131  SCJbAppendUint(jb, ff->sid[i]);
132  }
133  SCJbClose(jb);
134  }
135 
136 #ifdef HAVE_MAGIC
137  if (ff->magic)
138  SCJbSetString(jb, "magic", (char *)ff->magic);
139 #endif
140  SCJbSetBool(jb, "gaps", ff->flags & FILE_HAS_GAPS);
141  switch (ff->state) {
142  case FILE_STATE_CLOSED:
143  JB_SET_STRING(jb, "state", "CLOSED");
144  if (ff->flags & FILE_MD5) {
145  SCJbSetHex(jb, "md5", (uint8_t *)ff->md5, (uint32_t)sizeof(ff->md5));
146  }
147  if (ff->flags & FILE_SHA1) {
148  SCJbSetHex(jb, "sha1", (uint8_t *)ff->sha1, (uint32_t)sizeof(ff->sha1));
149  }
150  break;
151  case FILE_STATE_TRUNCATED:
152  JB_SET_STRING(jb, "state", "TRUNCATED");
153  break;
154  case FILE_STATE_ERROR:
155  JB_SET_STRING(jb, "state", "ERROR");
156  break;
157  default:
158  JB_SET_STRING(jb, "state", "UNKNOWN");
159  break;
160  }
161 
162  if (ff->flags & FILE_SHA256) {
163  SCJbSetHex(jb, "sha256", (uint8_t *)ff->sha256, (uint32_t)sizeof(ff->sha256));
164  }
165 
166  if (flags & FILE_STORED) {
167  JB_SET_TRUE(jb, "stored");
168  SCJbSetUint(jb, "file_id", ff->file_store_id);
169  } else {
170  JB_SET_FALSE(jb, "stored");
171  if (flags & FILE_STORE) {
172  JB_SET_TRUE(jb, "storing");
173  }
174  }
175 
176  SCJbSetUint(jb, "size", FileTrackedSize(ff));
177  if (ff->end > 0) {
178  SCJbSetUint(jb, "start", ff->start);
179  SCJbSetUint(jb, "end", ff->end);
180  }
181  SCJbSetUint(jb, "tx_id", tx_id);
182 }
183 
184 static void EveAddPacketVars(const Packet *p, SCJsonBuilder *js_vars)
185 {
186  if (p == NULL || p->pktvar == NULL) {
187  return;
188  }
189  PktVar *pv = p->pktvar;
190  bool open = false;
191  while (pv != NULL) {
192  if (pv->key || pv->id > 0) {
193  if (!open) {
194  SCJbOpenArray(js_vars, "pktvars");
195  open = true;
196  }
197  SCJbStartObject(js_vars);
198 
199  if (pv->key != NULL) {
200  uint32_t offset = 0;
201  uint8_t keybuf[pv->key_len + 1];
202  PrintStringsToBuffer(keybuf, &offset, pv->key_len + 1, pv->key, pv->key_len);
203  uint32_t len = pv->value_len;
204  uint8_t printable_buf[len + 1];
205  offset = 0;
206  PrintStringsToBuffer(printable_buf, &offset, len + 1, pv->value, pv->value_len);
207  SCJbSetString(js_vars, (char *)keybuf, (char *)printable_buf);
208  } else {
209  const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
210  uint32_t len = pv->value_len;
211  uint8_t printable_buf[len + 1];
212  uint32_t offset = 0;
213  PrintStringsToBuffer(printable_buf, &offset, len + 1, pv->value, pv->value_len);
214  SCJbSetString(js_vars, varname, (char *)printable_buf);
215  }
216  SCJbClose(js_vars);
217  }
218  pv = pv->next;
219  }
220  if (open) {
221  SCJbClose(js_vars);
222  }
223 }
224 
225 /**
226  * \brief Check if string s has prefix prefix.
227  *
228  * \retval true if string has prefix
229  * \retval false if string does not have prefix
230  *
231  * TODO: Move to file with other string handling functions.
232  */
233 static bool SCStringHasPrefix(const char *s, const char *prefix)
234 {
235  if (strncmp(s, prefix, strlen(prefix)) == 0) {
236  return true;
237  }
238  return false;
239 }
240 
241 static void EveAddFlowVars(const Flow *f, SCJsonBuilder *js_root, SCJsonBuilder **js_traffic)
242 {
243  if (f == NULL || f->flowvar == NULL) {
244  return;
245  }
246  SCJsonBuilder *js_flowvars = NULL;
247  SCJsonBuilder *js_traffic_id = NULL;
248  SCJsonBuilder *js_traffic_label = NULL;
249  SCJsonBuilder *js_flowints = NULL;
250  SCJsonBuilder *js_flowbits = NULL;
251  GenericVar *gv = f->flowvar;
252  while (gv != NULL) {
253  if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
254  FlowVar *fv = (FlowVar *)gv;
255  if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
256  const char *varname = VarNameStoreLookupById(fv->idx,
257  VAR_TYPE_FLOW_VAR);
258  if (varname) {
259  if (js_flowvars == NULL) {
260  js_flowvars = SCJbNewArray();
261  if (js_flowvars == NULL)
262  break;
263  }
264 
265  uint32_t len = fv->data.fv_str.value_len;
266  uint8_t printable_buf[len + 1];
267  uint32_t offset = 0;
268  PrintStringsToBuffer(printable_buf, &offset, len + 1, fv->data.fv_str.value,
269  fv->data.fv_str.value_len);
270 
271  SCJbStartObject(js_flowvars);
272  SCJbSetString(js_flowvars, varname, (char *)printable_buf);
273  SCJbClose(js_flowvars);
274  }
275  } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
276  if (js_flowvars == NULL) {
277  js_flowvars = SCJbNewArray();
278  if (js_flowvars == NULL)
279  break;
280  }
281 
282  uint8_t keybuf[fv->keylen + 1];
283  uint32_t offset = 0;
284  PrintStringsToBuffer(keybuf, &offset, fv->keylen + 1, fv->key, fv->keylen);
285 
286  uint32_t len = fv->data.fv_str.value_len;
287  uint8_t printable_buf[len + 1];
288  offset = 0;
289  PrintStringsToBuffer(printable_buf, &offset, len + 1, fv->data.fv_str.value,
290  fv->data.fv_str.value_len);
291 
292  SCJbStartObject(js_flowvars);
293  SCJbSetString(js_flowvars, (const char *)keybuf, (char *)printable_buf);
294  SCJbClose(js_flowvars);
295  } else if (fv->datatype == FLOWVAR_TYPE_INT) {
296  const char *varname = VarNameStoreLookupById(fv->idx,
297  VAR_TYPE_FLOW_INT);
298  if (varname) {
299  if (js_flowints == NULL) {
300  js_flowints = SCJbNewObject();
301  if (js_flowints == NULL)
302  break;
303  }
304  SCJbSetUint(js_flowints, varname, fv->data.fv_int.value);
305  }
306 
307  }
308  } else if (gv->type == DETECT_FLOWBITS) {
309  FlowBit *fb = (FlowBit *)gv;
310  const char *varname = VarNameStoreLookupById(fb->idx,
311  VAR_TYPE_FLOW_BIT);
312  if (varname) {
313  if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) {
314  if (js_traffic_id == NULL) {
315  js_traffic_id = SCJbNewArray();
316  if (unlikely(js_traffic_id == NULL)) {
317  break;
318  }
319  }
320  SCJbAppendString(js_traffic_id, &varname[traffic_id_prefix_len]);
321  } else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) {
322  if (js_traffic_label == NULL) {
323  js_traffic_label = SCJbNewArray();
324  if (unlikely(js_traffic_label == NULL)) {
325  break;
326  }
327  }
328  SCJbAppendString(js_traffic_label, &varname[traffic_label_prefix_len]);
329  } else {
330  if (js_flowbits == NULL) {
331  js_flowbits = SCJbNewArray();
332  if (unlikely(js_flowbits == NULL))
333  break;
334  }
335  SCJbAppendString(js_flowbits, varname);
336  }
337  }
338  }
339  gv = gv->next;
340  }
341  if (js_flowbits) {
342  SCJbClose(js_flowbits);
343  SCJbSetObject(js_root, "flowbits", js_flowbits);
344  SCJbFree(js_flowbits);
345  }
346  if (js_flowints) {
347  SCJbClose(js_flowints);
348  SCJbSetObject(js_root, "flowints", js_flowints);
349  SCJbFree(js_flowints);
350  }
351  if (js_flowvars) {
352  SCJbClose(js_flowvars);
353  SCJbSetObject(js_root, "flowvars", js_flowvars);
354  SCJbFree(js_flowvars);
355  }
356 
357  if (js_traffic_id != NULL || js_traffic_label != NULL) {
358  *js_traffic = SCJbNewObject();
359  if (likely(*js_traffic != NULL)) {
360  if (js_traffic_id != NULL) {
361  SCJbClose(js_traffic_id);
362  SCJbSetObject(*js_traffic, "id", js_traffic_id);
363  SCJbFree(js_traffic_id);
364  }
365  if (js_traffic_label != NULL) {
366  SCJbClose(js_traffic_label);
367  SCJbSetObject(*js_traffic, "label", js_traffic_label);
368  SCJbFree(js_traffic_label);
369  }
370  SCJbClose(*js_traffic);
371  }
372  }
373 }
374 
375 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
376 {
377  if ((p && p->pktvar) || (f && f->flowvar)) {
378  SCJsonBuilder *js_vars = SCJbNewObject();
379  if (js_vars) {
380  if (f && f->flowvar) {
381  SCJsonBuilder *js_traffic = NULL;
382  EveAddFlowVars(f, js_vars, &js_traffic);
383  if (js_traffic != NULL) {
384  SCJbSetObject(js, "traffic", js_traffic);
385  SCJbFree(js_traffic);
386  }
387  }
388  if (p && p->pktvar) {
389  EveAddPacketVars(p, js_vars);
390  }
391  SCJbClose(js_vars);
392  SCJbSetObject(js, "metadata", js_vars);
393  SCJbFree(js_vars);
394  }
395  }
396 }
397 
398 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
399  SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
400 {
401  if (cfg->include_suricata_version) {
402  SCJbSetString(js, "suricata_version", PROG_VER);
403  }
404  if (cfg->include_metadata) {
405  EveAddMetadata(p, f, js);
406  }
407  if (cfg->include_ethernet) {
408  CreateJSONEther(js, p, f, dir);
409  }
410  if (cfg->include_community_id && f != NULL) {
411  CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
412  }
413  if (f != NULL && f->tenant_id > 0) {
414  SCJbSetUint(js, "tenant_id", f->tenant_id);
415  }
416 }
417 
418 /**
419  * \brief Jsonify a packet
420  *
421  * \param p Packet
422  * \param js JSON object
423  * \param max_length If non-zero, restricts the number of packet data bytes handled.
424  */
425 void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
426 {
427  uint32_t max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
428  SCJbSetBase64(js, "packet", GET_PKT_DATA(p), max_len);
429 
430  if (!SCJbOpenObject(js, "packet_info")) {
431  return;
432  }
433  if (!SCJbSetUint(js, "linktype", p->datalink)) {
434  SCJbClose(js);
435  return;
436  }
437 
438  const char *dl_name = DatalinkValueToName(p->datalink);
439 
440  // Intentionally ignore the return value from SCJbSetString and proceed
441  // so the jb object is closed
442  (void)SCJbSetString(js, "linktype_name", dl_name == NULL ? "n/a" : dl_name);
443 
444  SCJbClose(js);
445 }
446 
447 /** \brief jsonify tcp flags field
448  * Only add 'true' fields in an attempt to keep things reasonably compact.
449  */
450 void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
451 {
452  if (flags & TH_SYN)
453  JB_SET_TRUE(js, "syn");
454  if (flags & TH_FIN)
455  JB_SET_TRUE(js, "fin");
456  if (flags & TH_RST)
457  JB_SET_TRUE(js, "rst");
458  if (flags & TH_PUSH)
459  JB_SET_TRUE(js, "psh");
460  if (flags & TH_ACK)
461  JB_SET_TRUE(js, "ack");
462  if (flags & TH_URG)
463  JB_SET_TRUE(js, "urg");
464  if (flags & TH_ECN)
465  JB_SET_TRUE(js, "ecn");
466  if (flags & TH_CWR)
467  JB_SET_TRUE(js, "cwr");
468 }
469 
470 void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
471 {
472  char srcip[46] = {0}, dstip[46] = {0};
473  Port sp, dp;
474 
475  switch (dir) {
476  case LOG_DIR_PACKET:
477  if (PacketIsIPv4(p)) {
478  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
479  srcip, sizeof(srcip));
480  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
481  dstip, sizeof(dstip));
482  } else if (PacketIsIPv6(p)) {
483  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
484  srcip, sizeof(srcip));
485  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
486  dstip, sizeof(dstip));
487  } else {
488  /* Not an IP packet so don't do anything */
489  return;
490  }
491  sp = p->sp;
492  dp = p->dp;
493  break;
494  case LOG_DIR_FLOW:
495  case LOG_DIR_FLOW_TOSERVER:
496  if ((PKT_IS_TOSERVER(p))) {
497  if (PacketIsIPv4(p)) {
498  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
499  srcip, sizeof(srcip));
500  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
501  dstip, sizeof(dstip));
502  } else if (PacketIsIPv6(p)) {
503  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
504  srcip, sizeof(srcip));
505  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
506  dstip, sizeof(dstip));
507  }
508  sp = p->sp;
509  dp = p->dp;
510  } else {
511  if (PacketIsIPv4(p)) {
512  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
513  srcip, sizeof(srcip));
514  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
515  dstip, sizeof(dstip));
516  } else if (PacketIsIPv6(p)) {
517  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
518  srcip, sizeof(srcip));
519  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
520  dstip, sizeof(dstip));
521  }
522  sp = p->dp;
523  dp = p->sp;
524  }
525  break;
526  case LOG_DIR_FLOW_TOCLIENT:
527  if ((PKT_IS_TOCLIENT(p))) {
528  if (PacketIsIPv4(p)) {
529  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
530  srcip, sizeof(srcip));
531  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
532  dstip, sizeof(dstip));
533  } else if (PacketIsIPv6(p)) {
534  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
535  srcip, sizeof(srcip));
536  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
537  dstip, sizeof(dstip));
538  }
539  sp = p->sp;
540  dp = p->dp;
541  } else {
542  if (PacketIsIPv4(p)) {
543  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
544  srcip, sizeof(srcip));
545  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
546  dstip, sizeof(dstip));
547  } else if (PacketIsIPv6(p)) {
548  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
549  srcip, sizeof(srcip));
550  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
551  dstip, sizeof(dstip));
552  }
553  sp = p->dp;
554  dp = p->sp;
555  }
556  break;
557  default:
558  DEBUG_VALIDATE_BUG_ON(1);
559  return;
560  }
561 
562  strlcpy(addr->src_ip, srcip, JSON_ADDR_LEN);
563  strlcpy(addr->dst_ip, dstip, JSON_ADDR_LEN);
564 
565  switch (p->proto) {
566  case IPPROTO_UDP:
567  case IPPROTO_TCP:
568  case IPPROTO_SCTP:
569  addr->sp = sp;
570  addr->dp = dp;
571  addr->log_port = true;
572  break;
573  default:
574  addr->log_port = false;
575  break;
576  }
577 
578  if (SCProtoNameValid(PacketGetIPProto(p))) {
579  strlcpy(addr->proto, known_proto[PacketGetIPProto(p)], sizeof(addr->proto));
580  } else {
581  snprintf(addr->proto, sizeof(addr->proto), "%" PRIu32, PacketGetIPProto(p));
582  }
583 }
584 
585 #define COMMUNITY_ID_BUF_SIZE 64
586 
587 static bool CalculateCommunityFlowIdv4(const Flow *f,
588  const uint16_t seed, unsigned char *base64buf)
589 {
590  struct {
591  uint16_t seed;
592  uint32_t src;
593  uint32_t dst;
594  uint8_t proto;
595  uint8_t pad0;
596  uint16_t sp;
597  uint16_t dp;
598  } __attribute__((__packed__)) ipv4;
599 
600  uint32_t src = f->src.addr_data32[0];
601  uint32_t dst = f->dst.addr_data32[0];
602  uint16_t sp = f->sp;
603  if (f->proto == IPPROTO_ICMP)
604  sp = f->icmp_s.type;
605  sp = htons(sp);
606  uint16_t dp = f->dp;
607  if (f->proto == IPPROTO_ICMP)
608  dp = f->icmp_d.type;
609  dp = htons(dp);
610 
611  ipv4.seed = htons(seed);
612  if (ntohl(src) < ntohl(dst) || (src == dst && sp < dp)) {
613  ipv4.src = src;
614  ipv4.dst = dst;
615  ipv4.sp = sp;
616  ipv4.dp = dp;
617  } else {
618  ipv4.src = dst;
619  ipv4.dst = src;
620  ipv4.sp = dp;
621  ipv4.dp = sp;
622  }
623  ipv4.proto = f->proto;
624  ipv4.pad0 = 0;
625 
626  uint8_t hash[20];
627  if (SCSha1HashBuffer((const uint8_t *)&ipv4, sizeof(ipv4), hash, sizeof(hash)) == 1) {
628  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
629  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
630  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
631  return true;
632  }
633  }
634  return false;
635 }
636 
637 static bool CalculateCommunityFlowIdv6(const Flow *f,
638  const uint16_t seed, unsigned char *base64buf)
639 {
640  struct {
641  uint16_t seed;
642  uint32_t src[4];
643  uint32_t dst[4];
644  uint8_t proto;
645  uint8_t pad0;
646  uint16_t sp;
647  uint16_t dp;
648  } __attribute__((__packed__)) ipv6;
649 
650  uint16_t sp = f->sp;
651  if (f->proto == IPPROTO_ICMPV6)
652  sp = f->icmp_s.type;
653  sp = htons(sp);
654  uint16_t dp = f->dp;
655  if (f->proto == IPPROTO_ICMPV6)
656  dp = f->icmp_d.type;
657  dp = htons(dp);
658 
659  ipv6.seed = htons(seed);
660  int cmp_r = memcmp(&f->src, &f->dst, sizeof(f->src));
661  if ((cmp_r < 0) || (cmp_r == 0 && sp < dp)) {
662  memcpy(&ipv6.src, &f->src.addr_data32, 16);
663  memcpy(&ipv6.dst, &f->dst.addr_data32, 16);
664  ipv6.sp = sp;
665  ipv6.dp = dp;
666  } else {
667  memcpy(&ipv6.src, &f->dst.addr_data32, 16);
668  memcpy(&ipv6.dst, &f->src.addr_data32, 16);
669  ipv6.sp = dp;
670  ipv6.dp = sp;
671  }
672  ipv6.proto = f->proto;
673  ipv6.pad0 = 0;
674 
675  uint8_t hash[20];
676  if (SCSha1HashBuffer((const uint8_t *)&ipv6, sizeof(ipv6), hash, sizeof(hash)) == 1) {
677  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
678  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
679  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
680  return true;
681  }
682  }
683  return false;
684 }
685 
686 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed)
687 {
688  unsigned char buf[COMMUNITY_ID_BUF_SIZE];
689  if (f->flags & FLOW_IPV4) {
690  if (CalculateCommunityFlowIdv4(f, seed, buf)) {
691  SCJbSetString(js, "community_id", (const char *)buf);
692  }
693  } else if (f->flags & FLOW_IPV6) {
694  if (CalculateCommunityFlowIdv6(f, seed, buf)) {
695  SCJbSetString(js, "community_id", (const char *)buf);
696  }
697  }
698 }
699 
700 void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
701 {
702  if (f == NULL) {
703  return;
704  }
705  int64_t flow_id = FlowGetId(f);
706  SCJbSetUint(js, "flow_id", flow_id);
707  if (f->parent_id) {
708  SCJbSetUint(js, "parent_id", f->parent_id);
709  }
710 }
711 
712 void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
713 {
714  char eth_addr[19];
715  (void) snprintf(eth_addr, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
716  val[0], val[1], val[2], val[3], val[4], val[5]);
717  if (is_array) {
718  SCJbAppendString(js, eth_addr);
719  } else {
720  SCJbSetString(js, key, eth_addr);
721  }
722 }
723 
724 /* only required to traverse the MAC address set */
725 typedef struct JSONMACAddrInfo {
726  SCJsonBuilder *src, *dst;
727 } JSONMACAddrInfo;
728 
729 static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
730 {
731  JSONMACAddrInfo *info = (JSONMACAddrInfo*) data;
732  if (side == MAC_SET_DST) {
733  JSONFormatAndAddMACAddr(info->dst, NULL, val, true);
734  } else {
735  JSONFormatAndAddMACAddr(info->src, NULL, val, true);
736  }
737  return 0;
738 }
739 
740 static int CreateJSONEther(
741  SCJsonBuilder *js, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir)
742 {
743  if (p != NULL) {
744  /* this is a packet context, so we need to add scalar fields */
745  if (PacketIsEthernet(p)) {
746  const EthernetHdr *ethh = PacketGetEthernet(p);
747  SCJbOpenObject(js, "ether");
748  SCJbSetUint(js, "ether_type", ethh->eth_type);
749  const uint8_t *src;
750  const uint8_t *dst;
751  switch (dir) {
752  case LOG_DIR_FLOW_TOSERVER:
753  // fallthrough
754  case LOG_DIR_FLOW:
755  if (PKT_IS_TOCLIENT(p)) {
756  src = ethh->eth_dst;
757  dst = ethh->eth_src;
758  } else {
759  src = ethh->eth_src;
760  dst = ethh->eth_dst;
761  }
762  break;
763  case LOG_DIR_FLOW_TOCLIENT:
764  if (PKT_IS_TOSERVER(p)) {
765  src = ethh->eth_dst;
766  dst = ethh->eth_src;
767  } else {
768  src = ethh->eth_src;
769  dst = ethh->eth_dst;
770  }
771  break;
772  case LOG_DIR_PACKET:
773  default:
774  src = ethh->eth_src;
775  dst = ethh->eth_dst;
776  break;
777  }
778  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
779  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
780  SCJbClose(js);
781  } else if (f != NULL) {
782  /* When pseudopackets do not have associated ethernet metadata,
783  use the first set of mac addresses stored with their flow.
784  The first set of macs should come from the flow's first packet,
785  providing the most fitting representation of the event's ethernet. */
786  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
787  if (ms != NULL && MacSetSize(ms) > 0) {
788  uint8_t *src = MacSetGetFirst(ms, MAC_SET_SRC);
789  uint8_t *dst = MacSetGetFirst(ms, MAC_SET_DST);
790  if (dst != NULL && src != NULL) {
791  SCJbOpenObject(js, "ether");
792  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
793  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
794  SCJbClose(js);
795  }
796  }
797  }
798  } else if (f != NULL) {
799  /* we are creating an ether object in a flow context, so we need to
800  append to arrays */
801  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
802  if (ms != NULL && MacSetSize(ms) > 0) {
803  SCJbOpenObject(js, "ether");
804  JSONMACAddrInfo info;
805  info.dst = SCJbNewArray();
806  info.src = SCJbNewArray();
807  int ret = MacSetForEach(ms, MacSetIterateToJSON, &info);
808  if (unlikely(ret != 0)) {
809  /* should not happen, JSONFlowAppendMACAddrs is sane */
810  SCJbFree(info.dst);
811  SCJbFree(info.src);
812  SCJbClose(js);
813  return ret;
814  }
815  SCJbClose(info.dst);
816  SCJbClose(info.src);
817  /* case is handling netflow too so may need to revert */
818  if (dir == LOG_DIR_FLOW_TOCLIENT) {
819  SCJbSetObject(js, "dest_macs", info.src);
820  SCJbSetObject(js, "src_macs", info.dst);
821  } else {
822  DEBUG_VALIDATE_BUG_ON(dir != LOG_DIR_FLOW_TOSERVER && dir != LOG_DIR_FLOW);
823  SCJbSetObject(js, "dest_macs", info.dst);
824  SCJbSetObject(js, "src_macs", info.src);
825  }
826  SCJbFree(info.dst);
827  SCJbFree(info.src);
828  SCJbClose(js);
829  }
830  }
831  return 0;
832 }
833 
834 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,
835  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
836 {
837  char timebuf[64];
838  const Flow *f = (const Flow *)p->flow;
839 
840  SCJsonBuilder *js = SCJbNewObject();
841  if (unlikely(js == NULL)) {
842  return NULL;
843  }
844 
845  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
846 
847  SCJbSetString(js, "timestamp", timebuf);
848 
849  CreateEveFlowId(js, f);
850 
851  /* sensor id */
852  if (sensor_id >= 0) {
853  SCJbSetUint(js, "sensor_id", sensor_id);
854  }
855 
856  /* input interface */
857  if (p->livedev) {
858  SCJbSetString(js, "in_iface", p->livedev->dev);
859  }
860 
861  /* pcap_cnt */
862  if (p->pcap_cnt != 0) {
863  SCJbSetUint(js, "pcap_cnt", p->pcap_cnt);
864  }
865 
866  if (event_type) {
867  SCJbSetString(js, "event_type", event_type);
868  }
869 
870  /* vlan */
871  if (p->vlan_idx > 0) {
872  SCJbOpenArray(js, "vlan");
873  SCJbAppendUint(js, p->vlan_id[0]);
874  if (p->vlan_idx > 1) {
875  SCJbAppendUint(js, p->vlan_id[1]);
876  }
877  if (p->vlan_idx > 2) {
878  SCJbAppendUint(js, p->vlan_id[2]);
879  }
880  SCJbClose(js);
881  }
882 
883  /* 5-tuple */
884  JsonAddrInfo addr_info = json_addr_info_zero;
885  if (addr == NULL) {
886  JsonAddrInfoInit(p, dir, &addr_info);
887  addr = &addr_info;
888  }
889  if (addr->src_ip[0] != '\0') {
890  SCJbSetString(js, "src_ip", addr->src_ip);
891  }
892  if (addr->log_port) {
893  SCJbSetUint(js, "src_port", addr->sp);
894  }
895  if (addr->dst_ip[0] != '\0') {
896  SCJbSetString(js, "dest_ip", addr->dst_ip);
897  }
898  if (addr->log_port) {
899  SCJbSetUint(js, "dest_port", addr->dp);
900  }
901  if (addr->proto[0] != '\0') {
902  SCJbSetString(js, "proto", addr->proto);
903  }
904 
905  /* icmp */
906  switch (p->proto) {
907  case IPPROTO_ICMP:
908  if (PacketIsICMPv4(p)) {
909  SCJbSetUint(js, "icmp_type", p->icmp_s.type);
910  SCJbSetUint(js, "icmp_code", p->icmp_s.code);
911  }
912  break;
913  case IPPROTO_ICMPV6:
914  if (PacketIsICMPv6(p)) {
915  SCJbSetUint(js, "icmp_type", PacketGetICMPv6(p)->type);
916  SCJbSetUint(js, "icmp_code", PacketGetICMPv6(p)->code);
917  }
918  break;
919  }
920 
921  SCJbSetString(js, "pkt_src", PktSrcToString(p->pkt_src));
922 
923  if (eve_ctx != NULL) {
924  EveAddCommonOptions(&eve_ctx->cfg, p, f, js, dir);
925  }
926 
927  return js;
928 }
929 
930 SCJsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir,
931  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
932 {
933  SCJsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, eve_ctx);
934  if (unlikely(js == NULL))
935  return NULL;
936 
937  /* tx id for correlation with other events */
938  SCJbSetUint(js, "tx_id", tx_id);
939 
940  return js;
941 }
942 
943 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
944 {
945  OutputJSONMemBufferWrapper *wrapper = data;
946  MemBuffer **memb = wrapper->buffer;
947 
948  if (MEMBUFFER_OFFSET(*memb) + size >= MEMBUFFER_SIZE(*memb)) {
949  MemBufferExpand(memb, wrapper->expand_by);
950  }
951 
952  DEBUG_VALIDATE_BUG_ON(size > UINT32_MAX);
953  MemBufferWriteRaw((*memb), (const uint8_t *)str, (uint32_t)size);
954  return 0;
955 }
956 
957 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
958 {
959  if (file_ctx->sensor_name) {
960  json_object_set_new(js, "host",
961  json_string(file_ctx->sensor_name));
962  }
963 
964  if (file_ctx->is_pcap_offline) {
965  json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
966  }
967 
968  if (file_ctx->prefix) {
969  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
970  }
971 
972  OutputJSONMemBufferWrapper wrapper = {
973  .buffer = buffer,
974  .expand_by = JSON_OUTPUT_BUFFER_SIZE
975  };
976 
977  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
978  file_ctx->json_flags);
979  if (r != 0)
980  return TM_ECODE_OK;
981 
982  LogFileWrite(file_ctx, *buffer);
983  return 0;
984 }
985 
986 void OutputJsonFlush(OutputJsonThreadCtx *ctx)
987 {
988  LogFileCtx *file_ctx = ctx->file_ctx;
989  LogFileFlush(file_ctx);
990 }
991 
992 void OutputJsonBuilderBuffer(
993  ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
994 {
995  LogFileCtx *file_ctx = ctx->file_ctx;
996  MemBuffer **buffer = &ctx->buffer;
997  if (file_ctx->sensor_name) {
998  SCJbSetString(js, "host", file_ctx->sensor_name);
999  }
1000 
1001  if (file_ctx->is_pcap_offline) {
1002  SCJbSetString(js, "pcap_filename", PcapFileGetFilename());
1003  }
1004 
1005  SCEveRunCallbacks(tv, p, f, js);
1006 
1007  SCJbClose(js);
1008 
1009  MemBufferReset(*buffer);
1010 
1011  if (file_ctx->prefix) {
1012  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
1013  }
1014 
1015  size_t jslen = SCJbLen(js);
1016  DEBUG_VALIDATE_BUG_ON(SCJbLen(js) > UINT32_MAX);
1017  size_t remaining = MEMBUFFER_SIZE(*buffer) - MEMBUFFER_OFFSET(*buffer);
1018  if (jslen >= remaining) {
1019  size_t expand_by = jslen + 1 - remaining;
1020  if (MemBufferExpand(buffer, (uint32_t)expand_by) < 0) {
1021  if (!ctx->too_large_warning) {
1022  /* Log a warning once, and include enough of the log
1023  * message to hopefully identify the event_type. */
1024  char partial[120];
1025  size_t partial_len = MIN(sizeof(partial), jslen);
1026  memcpy(partial, SCJbPtr(js), partial_len - 1);
1027  partial[partial_len - 1] = '\0';
1028  SCLogWarning("Formatted JSON EVE record too large, will be dropped: %s", partial);
1029  ctx->too_large_warning = true;
1030  }
1031  return;
1032  }
1033  }
1034 
1035  MemBufferWriteRaw((*buffer), SCJbPtr(js), (uint32_t)jslen);
1036  LogFileWrite(file_ctx, *buffer);
1037 }
1038 
1039 static inline enum LogFileType FileTypeFromConf(const char *typestr)
1040 {
1041  enum LogFileType log_filetype = LOGFILE_TYPE_NOTSET;
1042 
1043  if (typestr == NULL) {
1044  log_filetype = LOGFILE_TYPE_FILE;
1045  } else if (strcmp(typestr, "file") == 0 || strcmp(typestr, "regular") == 0) {
1046  log_filetype = LOGFILE_TYPE_FILE;
1047  } else if (strcmp(typestr, "unix_dgram") == 0) {
1048  log_filetype = LOGFILE_TYPE_UNIX_DGRAM;
1049  } else if (strcmp(typestr, "unix_stream") == 0) {
1050  log_filetype = LOGFILE_TYPE_UNIX_STREAM;
1051  } else if (strcmp(typestr, "redis") == 0) {
1052 #ifdef HAVE_LIBHIREDIS
1053  log_filetype = LOGFILE_TYPE_REDIS;
1054 #else
1055  FatalError("redis JSON output option is not compiled");
1056 #endif
1057  }
1058  SCLogDebug("type %s, file type value %d", typestr, log_filetype);
1059  return log_filetype;
1060 }
1061 
1062 static int LogFileTypePrepare(
1063  OutputJsonCtx *json_ctx, enum LogFileType log_filetype, SCConfNode *conf)
1064 {
1065 
1066  if (log_filetype == LOGFILE_TYPE_FILE || log_filetype == LOGFILE_TYPE_UNIX_DGRAM ||
1067  log_filetype == LOGFILE_TYPE_UNIX_STREAM) {
1068  if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
1069  return -1;
1070  }
1071  }
1072 #ifdef HAVE_LIBHIREDIS
1073  else if (log_filetype == LOGFILE_TYPE_REDIS) {
1074  SCLogRedisInit();
1075  SCConfNode *redis_node = SCConfNodeLookupChild(conf, "redis");
1076  if (!json_ctx->file_ctx->sensor_name) {
1077  char hostname[1024];
1078  gethostname(hostname, 1023);
1079  json_ctx->file_ctx->sensor_name = SCStrdup(hostname);
1080  }
1081  if (json_ctx->file_ctx->sensor_name == NULL) {
1082  return -1;
1083  }
1084 
1085  if (SCConfLogOpenRedis(redis_node, json_ctx->file_ctx) < 0) {
1086  return -1;
1087  }
1088  }
1089 #endif
1090  else if (log_filetype == LOGFILE_TYPE_FILETYPE) {
1091  if (json_ctx->file_ctx->threaded) {
1092  /* Prepare for threaded log output. */
1093  if (!SCLogOpenThreadedFile(NULL, NULL, json_ctx->file_ctx)) {
1094  return -1;
1095  }
1096  }
1097  if (json_ctx->filetype->Init(conf, json_ctx->file_ctx->threaded,
1098  &json_ctx->file_ctx->filetype.init_data) < 0) {
1099  return -1;
1100  }
1101  if (json_ctx->filetype->ThreadInit) {
1102  if (json_ctx->filetype->ThreadInit(json_ctx->file_ctx->filetype.init_data, 0,
1103  &json_ctx->file_ctx->filetype.thread_data) < 0) {
1104  return -1;
1105  }
1106  }
1107  json_ctx->file_ctx->filetype.filetype = json_ctx->filetype;
1108  }
1109 
1110  return 0;
1111 }
1112 
1113 /**
1114  * \brief Create a new LogFileCtx for "fast" output style.
1115  * \param conf The configuration node for this output.
1116  * \return A LogFileCtx pointer on success, NULL on failure.
1117  */
1118 OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
1119 {
1120  OutputInitResult result = { NULL, false };
1121  OutputCtx *output_ctx = NULL;
1122 
1123  OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));
1124  if (unlikely(json_ctx == NULL)) {
1125  SCLogDebug("could not create new OutputJsonCtx");
1126  return result;
1127  }
1128 
1129  /* First lookup a sensor-name value in this outputs configuration
1130  * node (deprecated). If that fails, lookup the global one. */
1131  const char *sensor_name = SCConfNodeLookupChildValue(conf, "sensor-name");
1132  if (sensor_name != NULL) {
1133  SCLogWarning("Found deprecated eve-log setting \"sensor-name\". "
1134  "Please set sensor-name globally.");
1135  }
1136  else {
1137  (void)SCConfGet("sensor-name", &sensor_name);
1138  }
1139 
1140  json_ctx->file_ctx = LogFileNewCtx();
1141  if (unlikely(json_ctx->file_ctx == NULL)) {
1142  SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
1143  goto error_exit;
1144  }
1145 
1146  if (sensor_name) {
1147  json_ctx->file_ctx->sensor_name = SCStrdup(sensor_name);
1148  if (json_ctx->file_ctx->sensor_name == NULL) {
1149  goto error_exit;
1150  }
1151  } else {
1152  json_ctx->file_ctx->sensor_name = NULL;
1153  }
1154 
1155  output_ctx = SCCalloc(1, sizeof(OutputCtx));
1156  if (unlikely(output_ctx == NULL)) {
1157  goto error_exit;
1158  }
1159 
1160  output_ctx->data = json_ctx;
1161  output_ctx->DeInit = OutputJsonDeInitCtx;
1162 
1163  if (conf) {
1164  const char *output_s = SCConfNodeLookupChildValue(conf, "filetype");
1165  // Backwards compatibility
1166  if (output_s == NULL) {
1167  output_s = SCConfNodeLookupChildValue(conf, "type");
1168  }
1169 
1170  enum LogFileType log_filetype = FileTypeFromConf(output_s);
1171  if (log_filetype == LOGFILE_TYPE_NOTSET) {
1172  SCEveFileType *filetype = SCEveFindFileType(output_s);
1173  if (filetype != NULL) {
1174  log_filetype = LOGFILE_TYPE_FILETYPE;
1175  json_ctx->filetype = filetype;
1176  } else
1177  FatalError("Invalid JSON output option: %s", output_s);
1178  }
1179 
1180  const char *prefix = SCConfNodeLookupChildValue(conf, "prefix");
1181  if (prefix != NULL)
1182  {
1183  SCLogInfo("Using prefix '%s' for JSON messages", prefix);
1184  json_ctx->file_ctx->prefix = SCStrdup(prefix);
1185  if (json_ctx->file_ctx->prefix == NULL)
1186  {
1187  FatalError("Failed to allocate memory for eve-log.prefix setting.");
1188  }
1189  json_ctx->file_ctx->prefix_len = (uint32_t)strlen(prefix);
1190  }
1191 
1192  /* Threaded file output */
1193  const SCConfNode *threaded = SCConfNodeLookupChild(conf, "threaded");
1194  if (threaded && threaded->val && SCConfValIsTrue(threaded->val)) {
1195  SCLogConfig("Threaded EVE logging configured");
1196  json_ctx->file_ctx->threaded = true;
1197  } else {
1198  json_ctx->file_ctx->threaded = false;
1199  }
1200  if (LogFileTypePrepare(json_ctx, log_filetype, conf) < 0) {
1201  goto error_exit;
1202  }
1203 
1204  const char *sensor_id_s = SCConfNodeLookupChildValue(conf, "sensor-id");
1205  if (sensor_id_s != NULL) {
1206  if (StringParseUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) < 0) {
1207  FatalError("Failed to initialize JSON output, "
1208  "invalid sensor-id: %s",
1209  sensor_id_s);
1210  }
1211  }
1212 
1213  /* Check if top-level metadata should be logged. */
1214  const SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
1215  if (metadata && metadata->val && SCConfValIsFalse(metadata->val)) {
1216  SCLogConfig("Disabling eve metadata logging.");
1217  json_ctx->cfg.include_metadata = false;
1218  } else {
1219  json_ctx->cfg.include_metadata = true;
1220  }
1221 
1222  /* Check if ethernet information should be logged. */
1223  const SCConfNode *ethernet = SCConfNodeLookupChild(conf, "ethernet");
1224  if (ethernet && ethernet->val && SCConfValIsTrue(ethernet->val)) {
1225  SCLogConfig("Enabling Ethernet MAC address logging.");
1226  json_ctx->cfg.include_ethernet = true;
1227  } else {
1228  json_ctx->cfg.include_ethernet = false;
1229  }
1230 
1231  const SCConfNode *suriver = SCConfNodeLookupChild(conf, "suricata-version");
1232  if (suriver && suriver->val && SCConfValIsTrue(suriver->val)) {
1233  SCLogConfig("Enabling Suricata version logging.");
1234  json_ctx->cfg.include_suricata_version = true;
1235  } else {
1236  json_ctx->cfg.include_suricata_version = false;
1237  }
1238 
1239  /* See if we want to enable the community id */
1240  const SCConfNode *community_id = SCConfNodeLookupChild(conf, "community-id");
1241  if (community_id && community_id->val && SCConfValIsTrue(community_id->val)) {
1242  SCLogConfig("Enabling eve community_id logging.");
1243  json_ctx->cfg.include_community_id = true;
1244  } else {
1245  json_ctx->cfg.include_community_id = false;
1246  }
1247  const char *cid_seed = SCConfNodeLookupChildValue(conf, "community-id-seed");
1248  if (cid_seed != NULL) {
1249  if (StringParseUint16(&json_ctx->cfg.community_id_seed,
1250  10, 0, cid_seed) < 0)
1251  {
1252  FatalError("Failed to initialize JSON output, "
1253  "invalid community-id-seed: %s",
1254  cid_seed);
1255  }
1256  }
1257 
1258  /* Do we have a global eve xff configuration? */
1259  const SCConfNode *xff = SCConfNodeLookupChild(conf, "xff");
1260  if (xff != NULL) {
1261  json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1262  if (likely(json_ctx->xff_cfg != NULL)) {
1263  HttpXFFGetCfg(conf, json_ctx->xff_cfg);
1264  }
1265  }
1266 
1267  const char *pcapfile_s = SCConfNodeLookupChildValue(conf, "pcap-file");
1268  if (pcapfile_s != NULL && SCConfValIsTrue(pcapfile_s)) {
1269  json_ctx->file_ctx->is_pcap_offline =
1270  (SCRunmodeGet() == RUNMODE_PCAP_FILE || SCRunmodeGet() == RUNMODE_UNIX_SOCKET);
1271  }
1272  json_ctx->file_ctx->type = log_filetype;
1273  }
1274 
1275  SCLogDebug("returning output_ctx %p", output_ctx);
1276 
1277  result.ctx = output_ctx;
1278  result.ok = true;
1279  return result;
1280 
1281 error_exit:
1282  if (json_ctx->file_ctx) {
1283  if (json_ctx->file_ctx->prefix) {
1284  SCFree(json_ctx->file_ctx->prefix);
1285  }
1286  LogFileFreeCtx(json_ctx->file_ctx);
1287  }
1288  SCFree(json_ctx);
1289 
1290  if (output_ctx) {
1291  SCFree(output_ctx);
1292  }
1293  return result;
1294 }
1295 
1296 static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
1297 {
1298  OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data;
1299  LogFileCtx *logfile_ctx = json_ctx->file_ctx;
1300  if (logfile_ctx->dropped) {
1301  SCLogWarning("%" PRIu64 " events were dropped due to slow or "
1302  "disconnected socket",
1303  logfile_ctx->dropped);
1304  }
1305  if (json_ctx->xff_cfg != NULL) {
1306  SCFree(json_ctx->xff_cfg);
1307  }
1308  LogFileFreeCtx(logfile_ctx);
1309  SCFree(json_ctx);
1310  SCFree(output_ctx);
1311 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:239
Packet_::icmp_s
struct Packet_::@24::@31 icmp_s
util-byte.h
MacSetSide
MacSetSide
Definition: util-macset.h:28
Packet_::proto
uint8_t proto
Definition: decode.h:506
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:986
pad0
uint8_t pad0
Definition: decode-template.h:1
SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition: output-eve-bindgen.h:31
len
uint8_t len
Definition: app-layer-dnp3.h:2
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:551
detect-engine.h
LOGFILE_TYPE_REDIS
@ LOGFILE_TYPE_REDIS
Definition: util-logopenfile.h:42
LogFileCtx_::sensor_name
char * sensor_name
Definition: util-logopenfile.h:115
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
Flow_::icmp_s
struct Flow_::@118::@124 icmp_s
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:78
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:692
MemBufferExpand
int MemBufferExpand(MemBuffer **buffer, uint32_t expand_by)
expand membuffer by size of 'expand_by'
Definition: util-buffer.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:609
Flow_::proto
uint8_t proto
Definition: flow.h:378
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:40
LogFileFlush
void LogFileFlush(LogFileCtx *file_ctx)
Definition: util-logopenfile.c:971
FLOWVAR_TYPE_STR
#define FLOWVAR_TYPE_STR
Definition: flow-var.h:33
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:834
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:56
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
util-macset.h
OutputJsonCtx_
Definition: output-json.h:75
LogFileCtx_::json_flags
size_t json_flags
Definition: util-logopenfile.h:150
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:512
Flow_
Flow data structure.
Definition: flow.h:356
File_::state
FileState state
Definition: util-file.h:82
OutputJsonCommonSettings_
Definition: output-json.h:64
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
util-syslog.h
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:350
PktVar_::next
struct PktVar_ * next
Definition: decode.h:298
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:85
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:58
FlowVar_::keylen
FlowVarKeyLenType keylen
Definition: flow-var.h:52
LOGFILE_TYPE_NOTSET
@ LOGFILE_TYPE_NOTSET
Definition: util-logopenfile.h:45
SCProtoNameValid
bool SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:453
EveTcpFlags
void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:450
output-eve-null.h
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
flow-bit.h
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:400
util-log-redis.h
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-eve-bindgen.h:35
COMMUNITY_ID_BUF_SIZE
#define COMMUNITY_ID_BUF_SIZE
Definition: output-json.c:585
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:66
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:576
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:60
known_proto
const char * known_proto[256]
Definition: util-proto-name.c:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:992
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:73
proto
uint8_t proto
Definition: decode-template.h:0
CreateEveFlowId
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
Definition: output-json.c:700
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
Flow_::dp
Port dp
Definition: flow.h:372
JSONMACAddrInfo::dst
SCJsonBuilder * dst
Definition: output-json.c:726
FLOWVAR_TYPE_INT
#define FLOWVAR_TYPE_INT
Definition: flow-var.h:34
JSONMACAddrInfo
struct JSONMACAddrInfo JSONMACAddrInfo
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:96
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:204
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
OutputJsonCommonSettings_::include_suricata_version
bool include_suricata_version
Definition: output-json.h:68
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
OutputCtx_
Definition: tm-modules.h:84
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputJsonThreadCtx_
Definition: output-json.h:83
Packet_::datalink
int datalink
Definition: decode.h:622
File_::name_len
uint16_t name_len
Definition: util-file.h:81
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:59
__attribute__
enum @13 __attribute__
DNP3 application header.
LogFileCtx_::filetype
LogFileTypeCtx filetype
Definition: util-logopenfile.h:91
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:470
Flow_::dst
FlowAddress dst
Definition: flow.h:359
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:94
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:266
LogFileWrite
int LogFileWrite(LogFileCtx *file_ctx, MemBuffer *buffer)
Definition: util-logopenfile.c:977
util-device.h
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:26
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:580
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:55
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:199
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
Flow_::icmp_d
struct Flow_::@120::@126 icmp_d
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json.c:66
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
Definition: output-json.c:398
File_::end
uint64_t end
Definition: util-file.h:106
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:62
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LogFileCtx_::prefix_len
uint32_t prefix_len
Definition: util-logopenfile.h:132
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:60
Packet_::ts
SCTime_t ts
Definition: decode.h:538
output-json.h
FlowVar_::idx
uint32_t idx
Definition: flow-var.h:53
JSONMACAddrInfo
Definition: output-json.c:725
PktVar_::value
uint8_t * value
Definition: decode.h:304
OutputRegisterModule
void OutputRegisterModule(const char *, const char *, OutputInitFunc)
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1118
util-print.h
FlowVar_::key
uint8_t * key
Definition: flow-var.h:61
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:231
Packet_::sp
Port sp
Definition: decode.h:491
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:343
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:826
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:27
OutputInitResult_::ok
bool ok
Definition: output.h:48
LiveDevice_::dev
char * dev
Definition: util-device.h:42
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
PktVar_::key
uint8_t * key
Definition: decode.h:303
SyslogInitialize
void SyslogInitialize(void)
Definition: output-eve-syslog.c:99
LogFileCtx_::type
enum LogFileType type
Definition: util-logopenfile.h:103
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-eve-bindgen.h:33
LOGFILE_TYPE_FILE
@ LOGFILE_TYPE_FILE
Definition: util-logopenfile.h:39
MAC_SET_DST
@ MAC_SET_DST
Definition: util-macset.h:30
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:48
JsonAddrInfo_
Definition: output-json.h:41
source-pcap-file-helper.h
NullLogInitialize
void NullLogInitialize(void)
Definition: output-eve-null.c:66
Packet_
Definition: decode.h:484
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
OutputJSONMemBufferWrapper_
Definition: output-json.h:59
type
uint16_t type
Definition: decode-vlan.c:106
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
MacSet_
Definition: util-macset.c:45
conf.h
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:712
Port
uint16_t Port
Definition: decode.h:218
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:601
File_::name
uint8_t * name
Definition: util-file.h:88
TH_ECN
#define TH_ECN
Definition: decode-tcp.h:41
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOGFILE_TYPE_UNIX_DGRAM
@ LOGFILE_TYPE_UNIX_DGRAM
Definition: util-logopenfile.h:40
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:115
LogFileTypeCtx_::thread_data
void * thread_data
Definition: util-logopenfile.h:68
SCLogOpenThreadedFile
bool SCLogOpenThreadedFile(const char *log_path, const char *append, LogFileCtx *parent_ctx)
Definition: util-logopenfile.c:361
util-proto-name.h
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:67
File_::sid
uint32_t * sid
Definition: util-file.h:108
LOGFILE_TYPE_UNIX_STREAM
@ LOGFILE_TYPE_UNIX_STREAM
Definition: util-logopenfile.h:41
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:425
MemBuffer_
Definition: util-buffer.h:27
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:109
TH_URG
#define TH_URG
Definition: decode-tcp.h:39
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition: output-json.c:375
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:45
Flow_::src
FlowAddress src
Definition: flow.h:359
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:489
SCEveFileType_::Init
int(* Init)(const SCConfNode *conf, const bool threaded, void **init_data)
Function to initialize this filetype.
Definition: output-eve.h:104
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:65
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
MAC_SET_SRC
@ MAC_SET_SRC
Definition: util-macset.h:29
File_::flags
uint16_t flags
Definition: util-file.h:80
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
flow-storage.h
OutputInitResult_
Definition: output.h:46
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:39
Packet_::flow
struct Flow_ * flow
Definition: decode.h:529
StringParseUint64
int StringParseUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:308
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:198
PrintBufferData
#define PrintBufferData(buf, buf_offset_ptr, buf_size,...)
Definition: util-print.h:27
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:61
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:102
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
LogFileTypeCtx_::init_data
void * init_data
Definition: util-logopenfile.h:67
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time.
Definition: util-var-name.c:298
MacSetSize
int MacSetSize(const MacSet *ms)
Definition: util-macset.c:247
GenericVar_
Definition: util-var.h:51
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:906
output-eve-syslog.h
util-classification-config.h
CreateEveHeaderWithTxId
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:930
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:502
Flow_::parent_id
int64_t parent_id
Definition: flow.h:430
FlowBit_::idx
uint32_t idx
Definition: flow-bit.h:33
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:59
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:98
File_::start
uint64_t start
Definition: util-file.h:105
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:28
util-optimize.h
util-validate.h
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
FlowBit_
Definition: flow-bit.h:30
str
#define str(s)
Definition: suricata-common.h:300
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(SCConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:466
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:203
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:594
util-logopenfile.h
MacSetGetFirst
uint8_t * MacSetGetFirst(const MacSet *ms, MacSetSide side)
Definition: util-macset.c:234
MEMBUFFER_SIZE
#define MEMBUFFER_SIZE(mem_buffer)
Get the MemBuffers current size.
Definition: util-buffer.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:421
src
uint16_t src
Definition: app-layer-dnp3.h:5
util-buffer.h
TH_CWR
#define TH_CWR
Definition: decode-tcp.h:43
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:38
MacSetForEach
int MacSetForEach(const MacSet *ms, MacSetIteratorFunc IterFunc, void *data)
Definition: util-macset.c:221
LogFileCtx_::prefix
char * prefix
Definition: util-logopenfile.h:131
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
LogFileCtx_::is_pcap_offline
bool is_pcap_offline
Definition: util-logopenfile.h:156
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition: source-pcap-file-helper.c:118
GenericVar_::type
uint16_t type
Definition: util-var.h:52
PktVar_::value_len
uint16_t value_len
Definition: decode.h:302
MAX_JSON_SIZE
#define MAX_JSON_SIZE
Definition: output-json.c:69
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:943
JSONMACAddrInfo::src
SCJsonBuilder * src
Definition: output-json.c:726
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:957
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
LogFileType
LogFileType
Definition: util-logopenfile.h:38
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
SCEveFindFileType
SCEveFileType * SCEveFindFileType(const char *name)
Definition: output-eve.c:82
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-eve-bindgen.h:34
PktVar_
Definition: decode.h:296
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:511
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1207
SCEveFileType_::ThreadInit
int(* ThreadInit)(const void *init_data, const ThreadId thread_id, void **thread_data)
Initialize thread specific data.
Definition: output-eve.h:125
Flow_::sp
Port sp
Definition: flow.h:361
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
PROG_VER
#define PROG_VER
Definition: suricata.h:71
LogFileTypeCtx_::filetype
SCEveFileType * filetype
Definition: util-logopenfile.h:66
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:69
flow.h
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
Packet_::dp
Port dp
Definition: decode.h:499
PktVar_::key_len
uint16_t key_len
Definition: decode.h:301
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:32
flow-var.h
SCConfNode_::val
char * val
Definition: conf.h:34
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:75
FlowVar_
Definition: flow-var.h:49
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:416
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
LOGFILE_TYPE_FILETYPE
@ LOGFILE_TYPE_FILETYPE
Definition: util-logopenfile.h:44
FlowVar_::datatype
uint8_t datatype
Definition: flow-var.h:51
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:59
output.h
PktVar_::id
uint32_t id
Definition: decode.h:297
SCEveRunCallbacks
void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *jb)
Definition: output-eve.c:53
LogFileCtx_::threaded
bool threaded
Definition: util-logopenfile.h:98
FlowVar_::data
union FlowVar_::@113 data
MODULE_NAME
#define MODULE_NAME
Definition: output-json.c:67
SCEveFileType_
Structure used to define an EVE output file type plugin.
Definition: output-eve.h:74
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:80