suricata
output-json.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs detection and monitoring events in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 #include "conf.h"
30 
31 #include "util-debug.h"
32 #include "util-time.h"
33 #include "util-var-name.h"
34 #include "util-macset.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 
39 #include "detect-engine.h"
40 #include "util-classification-config.h"
41 #include "util-syslog.h"
42 
43 /* Internal output plugins */
44 #include "output-eve-syslog.h"
45 #include "output-eve-null.h"
46 
47 #include "output.h"
48 #include "output-json.h"
49 
50 #include "util-byte.h"
51 #include "util-print.h"
52 #include "util-proto-name.h"
53 #include "util-optimize.h"
54 #include "util-buffer.h"
55 #include "util-logopenfile.h"
56 #include "util-log-redis.h"
57 #include "util-device-private.h"
58 #include "util-validate.h"
59 
60 #include "flow-var.h"
61 #include "flow-bit.h"
62 #include "flow-storage.h"
63 
64 #include "source-pcap-file-helper.h"
65 
66 #define DEFAULT_LOG_FILENAME "eve.json"
67 #define MODULE_NAME "OutputJSON"
68 
69 #define MAX_JSON_SIZE 2048
70 
71 static void OutputJsonDeInitCtx(OutputCtx *);
72 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed);
73 static int CreateJSONEther(
74  SCJsonBuilder *parent, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir);
75 
76 static const char *TRAFFIC_ID_PREFIX = "traffic/id/";
77 static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
78 static size_t traffic_id_prefix_len = 0;
79 static size_t traffic_label_prefix_len = 0;
80 
81 const JsonAddrInfo json_addr_info_zero;
82 
83 void OutputJsonRegister (void)
84 {
85  OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
86 
87  traffic_id_prefix_len = strlen(TRAFFIC_ID_PREFIX);
88  traffic_label_prefix_len = strlen(TRAFFIC_LABEL_PREFIX);
89 
90  // Register output file types that use the new eve filetype registration
91  // API.
92  SyslogInitialize();
93  NullLogInitialize();
94 }
95 
96 json_t *SCJsonString(const char *val)
97 {
98  if (val == NULL){
99  return NULL;
100  }
101  json_t * retval = json_string(val);
102  char retbuf[MAX_JSON_SIZE] = {0};
103  if (retval == NULL) {
104  uint32_t u = 0;
105  uint32_t offset = 0;
106  for (u = 0; u < strlen(val); u++) {
107  if (isprint(val[u])) {
108  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1, "%c",
109  val[u]);
110  } else {
111  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1,
112  "\\x%02X", val[u]);
113  }
114  }
115  retbuf[offset] = '\0';
116  retval = json_string(retbuf);
117  }
118  return retval;
119 }
120 
121 /* Default Sensor ID value */
122 static int64_t sensor_id = -1; /* -1 = not defined */
123 
124 void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
125 {
126  SCJbSetStringFromBytes(jb, "filename", ff->name, ff->name_len);
127 
128  if (ff->sid_cnt > 0) {
129  SCJbOpenArray(jb, "sid");
130  for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
131  SCJbAppendUint(jb, ff->sid[i]);
132  }
133  SCJbClose(jb);
134  }
135 
136 #ifdef HAVE_MAGIC
137  if (ff->magic)
138  SCJbSetString(jb, "magic", (char *)ff->magic);
139 #endif
140  SCJbSetBool(jb, "gaps", ff->flags & FILE_HAS_GAPS);
141  switch (ff->state) {
142  case FILE_STATE_CLOSED:
143  JB_SET_STRING(jb, "state", "CLOSED");
144  if (ff->flags & FILE_MD5) {
145  SCJbSetHex(jb, "md5", (uint8_t *)ff->md5, (uint32_t)sizeof(ff->md5));
146  }
147  if (ff->flags & FILE_SHA1) {
148  SCJbSetHex(jb, "sha1", (uint8_t *)ff->sha1, (uint32_t)sizeof(ff->sha1));
149  }
150  break;
151  case FILE_STATE_TRUNCATED:
152  JB_SET_STRING(jb, "state", "TRUNCATED");
153  break;
154  case FILE_STATE_ERROR:
155  JB_SET_STRING(jb, "state", "ERROR");
156  break;
157  default:
158  JB_SET_STRING(jb, "state", "UNKNOWN");
159  break;
160  }
161 
162  if (ff->flags & FILE_SHA256) {
163  SCJbSetHex(jb, "sha256", (uint8_t *)ff->sha256, (uint32_t)sizeof(ff->sha256));
164  }
165 
166  if (flags & FILE_STORED) {
167  JB_SET_TRUE(jb, "stored");
168  SCJbSetUint(jb, "file_id", ff->file_store_id);
169  } else {
170  JB_SET_FALSE(jb, "stored");
171  if (flags & FILE_STORE) {
172  JB_SET_TRUE(jb, "storing");
173  }
174  }
175 
176  SCJbSetUint(jb, "size", FileTrackedSize(ff));
177  if (ff->end > 0) {
178  SCJbSetUint(jb, "start", ff->start);
179  SCJbSetUint(jb, "end", ff->end);
180  }
181  SCJbSetUint(jb, "tx_id", tx_id);
182 }
183 
184 static void EveAddPacketVars(const Packet *p, SCJsonBuilder *js_vars)
185 {
186  if (p == NULL || p->pktvar == NULL) {
187  return;
188  }
189  PktVar *pv = p->pktvar;
190  bool open = false;
191  while (pv != NULL) {
192  if (pv->key || pv->id > 0) {
193  if (!open) {
194  SCJbOpenArray(js_vars, "pktvars");
195  open = true;
196  }
197  SCJbStartObject(js_vars);
198 
199  if (pv->key != NULL) {
200  uint32_t offset = 0;
201  uint8_t keybuf[pv->key_len + 1];
202  PrintStringsToBuffer(keybuf, &offset, pv->key_len + 1, pv->key, pv->key_len);
203  SCJbSetPrintAsciiString(js_vars, (char *)keybuf, pv->value, pv->value_len);
204  } else {
205  const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
206  SCJbSetPrintAsciiString(js_vars, varname, pv->value, pv->value_len);
207  }
208  SCJbClose(js_vars);
209  }
210  pv = pv->next;
211  }
212  if (open) {
213  SCJbClose(js_vars);
214  }
215 }
216 
217 /**
218  * \brief Check if string s has prefix prefix.
219  *
220  * \retval true if string has prefix
221  * \retval false if string does not have prefix
222  *
223  * TODO: Move to file with other string handling functions.
224  */
225 static bool SCStringHasPrefix(const char *s, const char *prefix)
226 {
227  if (strncmp(s, prefix, strlen(prefix)) == 0) {
228  return true;
229  }
230  return false;
231 }
232 
233 static void EveAddFlowVars(const Flow *f, SCJsonBuilder *js_root, SCJsonBuilder **js_traffic)
234 {
235  if (f == NULL || f->flowvar == NULL) {
236  return;
237  }
238  SCJsonBuilder *js_flowvars = NULL;
239  SCJsonBuilder *js_traffic_id = NULL;
240  SCJsonBuilder *js_traffic_label = NULL;
241  SCJsonBuilder *js_flowints = NULL;
242  SCJsonBuilder *js_entropyvals = NULL;
243  SCJsonBuilder *js_flowbits = NULL;
244  GenericVar *gv = f->flowvar;
245  while (gv != NULL) {
246  if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
247  FlowVar *fv = (FlowVar *)gv;
248  if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
249  const char *varname = VarNameStoreLookupById(fv->idx,
250  VAR_TYPE_FLOW_VAR);
251  if (varname) {
252  if (js_flowvars == NULL) {
253  js_flowvars = SCJbNewArray();
254  if (js_flowvars == NULL)
255  break;
256  }
257 
258  SCJbStartObject(js_flowvars);
259  SCJbSetPrintAsciiString(
260  js_flowvars, varname, fv->data.fv_str.value, fv->data.fv_str.value_len);
261  SCJbClose(js_flowvars);
262  }
263  } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
264  if (js_flowvars == NULL) {
265  js_flowvars = SCJbNewArray();
266  if (js_flowvars == NULL)
267  break;
268  }
269 
270  uint8_t keybuf[fv->keylen + 1];
271  uint32_t offset = 0;
272  PrintStringsToBuffer(keybuf, &offset, fv->keylen + 1, fv->key, fv->keylen);
273 
274  SCJbStartObject(js_flowvars);
275  SCJbSetPrintAsciiString(js_flowvars, (const char *)keybuf, fv->data.fv_str.value,
276  fv->data.fv_str.value_len);
277  SCJbClose(js_flowvars);
278  } else if (fv->datatype == FLOWVAR_TYPE_FLOAT) {
279  const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_FLOAT);
280  if (varname) {
281  if (js_entropyvals == NULL) {
282  js_entropyvals = SCJbNewObject();
283  if (js_entropyvals == NULL)
284  break;
285  }
286  SCJbSetFloat(js_entropyvals, varname, fv->data.fv_float.value);
287  }
288 
289  } else if (fv->datatype == FLOWVAR_TYPE_INT) {
290  const char *varname = VarNameStoreLookupById(fv->idx,
291  VAR_TYPE_FLOW_INT);
292  if (varname) {
293  if (js_flowints == NULL) {
294  js_flowints = SCJbNewObject();
295  if (js_flowints == NULL)
296  break;
297  }
298  SCJbSetUint(js_flowints, varname, fv->data.fv_int.value);
299  }
300  }
301  } else if (gv->type == DETECT_FLOWBITS) {
302  FlowBit *fb = (FlowBit *)gv;
303  const char *varname = VarNameStoreLookupById(fb->idx,
304  VAR_TYPE_FLOW_BIT);
305  if (varname) {
306  if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) {
307  if (js_traffic_id == NULL) {
308  js_traffic_id = SCJbNewArray();
309  if (unlikely(js_traffic_id == NULL)) {
310  break;
311  }
312  }
313  SCJbAppendString(js_traffic_id, &varname[traffic_id_prefix_len]);
314  } else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) {
315  if (js_traffic_label == NULL) {
316  js_traffic_label = SCJbNewArray();
317  if (unlikely(js_traffic_label == NULL)) {
318  break;
319  }
320  }
321  SCJbAppendString(js_traffic_label, &varname[traffic_label_prefix_len]);
322  } else {
323  if (js_flowbits == NULL) {
324  js_flowbits = SCJbNewArray();
325  if (unlikely(js_flowbits == NULL))
326  break;
327  }
328  SCJbAppendString(js_flowbits, varname);
329  }
330  }
331  }
332  gv = gv->next;
333  }
334  if (js_flowbits) {
335  SCJbClose(js_flowbits);
336  SCJbSetObject(js_root, "flowbits", js_flowbits);
337  SCJbFree(js_flowbits);
338  }
339  if (js_flowints) {
340  SCJbClose(js_flowints);
341  SCJbSetObject(js_root, "flowints", js_flowints);
342  SCJbFree(js_flowints);
343  }
344  if (js_entropyvals) {
345  SCJbClose(js_entropyvals);
346  SCJbSetObject(js_root, "entropy", js_entropyvals);
347  SCJbFree(js_entropyvals);
348  }
349  if (js_flowvars) {
350  SCJbClose(js_flowvars);
351  SCJbSetObject(js_root, "flowvars", js_flowvars);
352  SCJbFree(js_flowvars);
353  }
354 
355  if (js_traffic_id != NULL || js_traffic_label != NULL) {
356  *js_traffic = SCJbNewObject();
357  if (likely(*js_traffic != NULL)) {
358  if (js_traffic_id != NULL) {
359  SCJbClose(js_traffic_id);
360  SCJbSetObject(*js_traffic, "id", js_traffic_id);
361  SCJbFree(js_traffic_id);
362  }
363  if (js_traffic_label != NULL) {
364  SCJbClose(js_traffic_label);
365  SCJbSetObject(*js_traffic, "label", js_traffic_label);
366  SCJbFree(js_traffic_label);
367  }
368  SCJbClose(*js_traffic);
369  }
370  }
371 }
372 
373 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
374 {
375  if ((p && p->pktvar) || (f && f->flowvar)) {
376  SCJsonBuilder *js_vars = SCJbNewObject();
377  if (js_vars) {
378  if (f && f->flowvar) {
379  SCJsonBuilder *js_traffic = NULL;
380  EveAddFlowVars(f, js_vars, &js_traffic);
381  if (js_traffic != NULL) {
382  SCJbSetObject(js, "traffic", js_traffic);
383  SCJbFree(js_traffic);
384  }
385  }
386  if (p && p->pktvar) {
387  EveAddPacketVars(p, js_vars);
388  }
389  SCJbClose(js_vars);
390  SCJbSetObject(js, "metadata", js_vars);
391  SCJbFree(js_vars);
392  }
393  }
394 }
395 
396 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
397  SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
398 {
399  if (cfg->include_suricata_version) {
400  SCJbSetString(js, "suricata_version", PROG_VER);
401  }
402  if (cfg->include_metadata) {
403  EveAddMetadata(p, f, js);
404  }
405  if (cfg->include_ethernet) {
406  CreateJSONEther(js, p, f, dir);
407  }
408  if (cfg->include_community_id && f != NULL) {
409  CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
410  }
411  if (f != NULL && f->tenant_id > 0) {
412  SCJbSetUint(js, "tenant_id", f->tenant_id);
413  }
414 }
415 
416 /**
417  * \brief Jsonify a packet
418  *
419  * \param p Packet
420  * \param js JSON object
421  * \param max_length If non-zero, restricts the number of packet data bytes handled.
422  */
423 void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
424 {
425  uint32_t max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
426  SCJbSetBase64(js, "packet", GET_PKT_DATA(p), max_len);
427 
428  if (!SCJbOpenObject(js, "packet_info")) {
429  return;
430  }
431  if (!SCJbSetUint(js, "linktype", p->datalink)) {
432  SCJbClose(js);
433  return;
434  }
435 
436  const char *dl_name = DatalinkValueToName(p->datalink);
437 
438  // Intentionally ignore the return value from SCJbSetString and proceed
439  // so the jb object is closed
440  (void)SCJbSetString(js, "linktype_name", dl_name == NULL ? "n/a" : dl_name);
441 
442  SCJbClose(js);
443 }
444 
445 /** \brief jsonify tcp flags field
446  * Only add 'true' fields in an attempt to keep things reasonably compact.
447  */
448 void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
449 {
450  if (flags & TH_SYN)
451  JB_SET_TRUE(js, "syn");
452  if (flags & TH_FIN)
453  JB_SET_TRUE(js, "fin");
454  if (flags & TH_RST)
455  JB_SET_TRUE(js, "rst");
456  if (flags & TH_PUSH)
457  JB_SET_TRUE(js, "psh");
458  if (flags & TH_ACK)
459  JB_SET_TRUE(js, "ack");
460  if (flags & TH_URG)
461  JB_SET_TRUE(js, "urg");
462  if (flags & TH_ECN)
463  JB_SET_TRUE(js, "ecn");
464  if (flags & TH_CWR)
465  JB_SET_TRUE(js, "cwr");
466 }
467 
468 void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
469 {
470  char srcip[46] = {0}, dstip[46] = {0};
471  Port sp, dp;
472 
473  switch (dir) {
474  case LOG_DIR_PACKET:
475  if (PacketIsIPv4(p)) {
476  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
477  srcip, sizeof(srcip));
478  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
479  dstip, sizeof(dstip));
480  } else if (PacketIsIPv6(p)) {
481  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
482  srcip, sizeof(srcip));
483  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
484  dstip, sizeof(dstip));
485  } else {
486  /* Not an IP packet so don't do anything */
487  return;
488  }
489  sp = p->sp;
490  dp = p->dp;
491  break;
492  case LOG_DIR_FLOW:
493  case LOG_DIR_FLOW_TOSERVER:
494  if ((PKT_IS_TOSERVER(p))) {
495  if (PacketIsIPv4(p)) {
496  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
497  srcip, sizeof(srcip));
498  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
499  dstip, sizeof(dstip));
500  } else if (PacketIsIPv6(p)) {
501  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
502  srcip, sizeof(srcip));
503  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
504  dstip, sizeof(dstip));
505  }
506  sp = p->sp;
507  dp = p->dp;
508  } else {
509  if (PacketIsIPv4(p)) {
510  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
511  srcip, sizeof(srcip));
512  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
513  dstip, sizeof(dstip));
514  } else if (PacketIsIPv6(p)) {
515  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
516  srcip, sizeof(srcip));
517  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
518  dstip, sizeof(dstip));
519  }
520  sp = p->dp;
521  dp = p->sp;
522  }
523  break;
524  case LOG_DIR_FLOW_TOCLIENT:
525  if ((PKT_IS_TOCLIENT(p))) {
526  if (PacketIsIPv4(p)) {
527  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
528  srcip, sizeof(srcip));
529  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
530  dstip, sizeof(dstip));
531  } else if (PacketIsIPv6(p)) {
532  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
533  srcip, sizeof(srcip));
534  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
535  dstip, sizeof(dstip));
536  }
537  sp = p->sp;
538  dp = p->dp;
539  } else {
540  if (PacketIsIPv4(p)) {
541  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
542  srcip, sizeof(srcip));
543  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
544  dstip, sizeof(dstip));
545  } else if (PacketIsIPv6(p)) {
546  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
547  srcip, sizeof(srcip));
548  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
549  dstip, sizeof(dstip));
550  }
551  sp = p->dp;
552  dp = p->sp;
553  }
554  break;
555  default:
556  DEBUG_VALIDATE_BUG_ON(1);
557  return;
558  }
559 
560  strlcpy(addr->src_ip, srcip, JSON_ADDR_LEN);
561  strlcpy(addr->dst_ip, dstip, JSON_ADDR_LEN);
562 
563  switch (p->proto) {
564  case IPPROTO_UDP:
565  case IPPROTO_TCP:
566  case IPPROTO_SCTP:
567  addr->sp = sp;
568  addr->dp = dp;
569  addr->log_port = true;
570  break;
571  default:
572  addr->log_port = false;
573  break;
574  }
575 
576  if (SCProtoNameValid(PacketGetIPProto(p))) {
577  strlcpy(addr->proto, known_proto[PacketGetIPProto(p)], sizeof(addr->proto));
578  } else {
579  snprintf(addr->proto, sizeof(addr->proto), "%" PRIu32, PacketGetIPProto(p));
580  }
581 }
582 
583 #define COMMUNITY_ID_BUF_SIZE 64
584 
585 static bool CalculateCommunityFlowIdv4(const Flow *f,
586  const uint16_t seed, unsigned char *base64buf)
587 {
588  struct {
589  uint16_t seed;
590  uint32_t src;
591  uint32_t dst;
592  uint8_t proto;
593  uint8_t pad0;
594  uint16_t sp;
595  uint16_t dp;
596  } __attribute__((__packed__)) ipv4;
597 
598  uint32_t src = f->src.addr_data32[0];
599  uint32_t dst = f->dst.addr_data32[0];
600  uint16_t sp = f->sp;
601  if (f->proto == IPPROTO_ICMP)
602  sp = f->icmp_s.type;
603  sp = htons(sp);
604  uint16_t dp = f->dp;
605  if (f->proto == IPPROTO_ICMP)
606  dp = f->icmp_d.type;
607  dp = htons(dp);
608 
609  ipv4.seed = htons(seed);
610  if (ntohl(src) < ntohl(dst) || (src == dst && ntohs(sp) < ntohs(dp))) {
611  ipv4.src = src;
612  ipv4.dst = dst;
613  ipv4.sp = sp;
614  ipv4.dp = dp;
615  } else {
616  ipv4.src = dst;
617  ipv4.dst = src;
618  ipv4.sp = dp;
619  ipv4.dp = sp;
620  }
621  ipv4.proto = f->proto;
622  ipv4.pad0 = 0;
623 
624  uint8_t hash[20];
625  if (SCSha1HashBuffer((const uint8_t *)&ipv4, sizeof(ipv4), hash, sizeof(hash)) == 1) {
626  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
627  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
628  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
629  return true;
630  }
631  }
632  return false;
633 }
634 
635 static bool CalculateCommunityFlowIdv6(const Flow *f,
636  const uint16_t seed, unsigned char *base64buf)
637 {
638  struct {
639  uint16_t seed;
640  uint32_t src[4];
641  uint32_t dst[4];
642  uint8_t proto;
643  uint8_t pad0;
644  uint16_t sp;
645  uint16_t dp;
646  } __attribute__((__packed__)) ipv6;
647 
648  uint16_t sp = f->sp;
649  if (f->proto == IPPROTO_ICMPV6)
650  sp = f->icmp_s.type;
651  sp = htons(sp);
652  uint16_t dp = f->dp;
653  if (f->proto == IPPROTO_ICMPV6)
654  dp = f->icmp_d.type;
655  dp = htons(dp);
656 
657  ipv6.seed = htons(seed);
658  int cmp_r = memcmp(&f->src, &f->dst, sizeof(f->src));
659  if ((cmp_r < 0) || (cmp_r == 0 && ntohs(sp) < ntohs(dp))) {
660  memcpy(&ipv6.src, &f->src.addr_data32, 16);
661  memcpy(&ipv6.dst, &f->dst.addr_data32, 16);
662  ipv6.sp = sp;
663  ipv6.dp = dp;
664  } else {
665  memcpy(&ipv6.src, &f->dst.addr_data32, 16);
666  memcpy(&ipv6.dst, &f->src.addr_data32, 16);
667  ipv6.sp = dp;
668  ipv6.dp = sp;
669  }
670  ipv6.proto = f->proto;
671  ipv6.pad0 = 0;
672 
673  uint8_t hash[20];
674  if (SCSha1HashBuffer((const uint8_t *)&ipv6, sizeof(ipv6), hash, sizeof(hash)) == 1) {
675  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
676  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
677  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
678  return true;
679  }
680  }
681  return false;
682 }
683 
684 static void CreateEveCommunityFlowId(SCJsonBuilder *js, const Flow *f, const uint16_t seed)
685 {
686  unsigned char buf[COMMUNITY_ID_BUF_SIZE];
687  if (f->flags & FLOW_IPV4) {
688  if (CalculateCommunityFlowIdv4(f, seed, buf)) {
689  SCJbSetString(js, "community_id", (const char *)buf);
690  }
691  } else if (f->flags & FLOW_IPV6) {
692  if (CalculateCommunityFlowIdv6(f, seed, buf)) {
693  SCJbSetString(js, "community_id", (const char *)buf);
694  }
695  }
696 }
697 
698 void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
699 {
700  if (f == NULL) {
701  return;
702  }
703  uint64_t flow_id = FlowGetId(f);
704  SCJbSetUint(js, "flow_id", flow_id);
705  if (f->parent_id) {
706  SCJbSetUint(js, "parent_id", f->parent_id);
707  }
708 }
709 
710 void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
711 {
712  char eth_addr[19];
713  (void) snprintf(eth_addr, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
714  val[0], val[1], val[2], val[3], val[4], val[5]);
715  if (is_array) {
716  SCJbAppendString(js, eth_addr);
717  } else {
718  SCJbSetString(js, key, eth_addr);
719  }
720 }
721 
722 /* only required to traverse the MAC address set */
723 typedef struct JSONMACAddrInfo {
724  SCJsonBuilder *src, *dst;
725 } JSONMACAddrInfo;
726 
727 static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
728 {
729  JSONMACAddrInfo *info = (JSONMACAddrInfo*) data;
730  if (side == MAC_SET_DST) {
731  JSONFormatAndAddMACAddr(info->dst, NULL, val, true);
732  } else {
733  JSONFormatAndAddMACAddr(info->src, NULL, val, true);
734  }
735  return 0;
736 }
737 
738 static int CreateJSONEther(
739  SCJsonBuilder *js, const Packet *p, const Flow *f, enum SCOutputJsonLogDirection dir)
740 {
741  if (p != NULL) {
742  /* this is a packet context, so we need to add scalar fields */
743  if (PacketIsEthernet(p)) {
744  const EthernetHdr *ethh = PacketGetEthernet(p);
745  SCJbOpenObject(js, "ether");
746  SCJbSetUint(js, "ether_type", SCNtohs(ethh->eth_type));
747  const uint8_t *src;
748  const uint8_t *dst;
749  switch (dir) {
750  case LOG_DIR_FLOW_TOSERVER:
751  // fallthrough
752  case LOG_DIR_FLOW:
753  if (PKT_IS_TOCLIENT(p)) {
754  src = ethh->eth_dst;
755  dst = ethh->eth_src;
756  } else {
757  src = ethh->eth_src;
758  dst = ethh->eth_dst;
759  }
760  break;
761  case LOG_DIR_FLOW_TOCLIENT:
762  if (PKT_IS_TOSERVER(p)) {
763  src = ethh->eth_dst;
764  dst = ethh->eth_src;
765  } else {
766  src = ethh->eth_src;
767  dst = ethh->eth_dst;
768  }
769  break;
770  case LOG_DIR_PACKET:
771  default:
772  src = ethh->eth_src;
773  dst = ethh->eth_dst;
774  break;
775  }
776  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
777  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
778  SCJbClose(js);
779  } else if (f != NULL) {
780  /* When pseudopackets do not have associated ethernet metadata,
781  use the first set of mac addresses stored with their flow.
782  The first set of macs should come from the flow's first packet,
783  providing the most fitting representation of the event's ethernet. */
784  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
785  if (ms != NULL && MacSetSize(ms) > 0) {
786  uint8_t *src = MacSetGetFirst(ms, MAC_SET_SRC);
787  uint8_t *dst = MacSetGetFirst(ms, MAC_SET_DST);
788  if (dst != NULL && src != NULL) {
789  SCJbOpenObject(js, "ether");
790  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
791  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
792  SCJbClose(js);
793  }
794  }
795  }
796  } else if (f != NULL) {
797  /* we are creating an ether object in a flow context, so we need to
798  append to arrays */
799  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
800  if (ms != NULL && MacSetSize(ms) > 0) {
801  SCJbOpenObject(js, "ether");
802  JSONMACAddrInfo info;
803  info.dst = SCJbNewArray();
804  info.src = SCJbNewArray();
805  int ret = MacSetForEach(ms, MacSetIterateToJSON, &info);
806  if (unlikely(ret != 0)) {
807  /* should not happen, JSONFlowAppendMACAddrs is sane */
808  SCJbFree(info.dst);
809  SCJbFree(info.src);
810  SCJbClose(js);
811  return ret;
812  }
813  SCJbClose(info.dst);
814  SCJbClose(info.src);
815  /* case is handling netflow too so may need to revert */
816  if (dir == LOG_DIR_FLOW_TOCLIENT) {
817  SCJbSetObject(js, "dest_macs", info.src);
818  SCJbSetObject(js, "src_macs", info.dst);
819  } else {
820  DEBUG_VALIDATE_BUG_ON(dir != LOG_DIR_FLOW_TOSERVER && dir != LOG_DIR_FLOW);
821  SCJbSetObject(js, "dest_macs", info.dst);
822  SCJbSetObject(js, "src_macs", info.src);
823  }
824  SCJbFree(info.dst);
825  SCJbFree(info.src);
826  SCJbClose(js);
827  }
828  }
829  return 0;
830 }
831 
832 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,
833  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
834 {
835  char timebuf[64];
836  const Flow *f = (const Flow *)p->flow;
837 
838  SCJsonBuilder *js = SCJbNewObject();
839  if (unlikely(js == NULL)) {
840  return NULL;
841  }
842 
843  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
844 
845  SCJbSetString(js, "timestamp", timebuf);
846 
847  CreateEveFlowId(js, f);
848 
849  /* sensor id */
850  if (sensor_id >= 0) {
851  SCJbSetUint(js, "sensor_id", sensor_id);
852  }
853 
854  /* input interface */
855  if (p->livedev) {
856  SCJbSetString(js, "in_iface", p->livedev->dev);
857  }
858 
859  /* pcap_cnt */
860  if (p->pcap_cnt != 0) {
861  SCJbSetUint(js, "pcap_cnt", p->pcap_cnt);
862  }
863 
864  if (event_type) {
865  SCJbSetString(js, "event_type", event_type);
866  }
867 
868  /* vlan */
869  if (p->vlan_idx > 0) {
870  SCJbOpenArray(js, "vlan");
871  SCJbAppendUint(js, p->vlan_id[0]);
872  if (p->vlan_idx > 1) {
873  SCJbAppendUint(js, p->vlan_id[1]);
874  }
875  if (p->vlan_idx > 2) {
876  SCJbAppendUint(js, p->vlan_id[2]);
877  }
878  SCJbClose(js);
879  }
880 
881  /* 5-tuple */
882  JsonAddrInfo addr_info = json_addr_info_zero;
883  if (addr == NULL) {
884  JsonAddrInfoInit(p, dir, &addr_info);
885  addr = &addr_info;
886  }
887  if (addr->src_ip[0] != '\0') {
888  SCJbSetString(js, "src_ip", addr->src_ip);
889  }
890  if (addr->log_port) {
891  SCJbSetUint(js, "src_port", addr->sp);
892  }
893  if (addr->dst_ip[0] != '\0') {
894  SCJbSetString(js, "dest_ip", addr->dst_ip);
895  }
896  if (addr->log_port) {
897  SCJbSetUint(js, "dest_port", addr->dp);
898  }
899  if (addr->proto[0] != '\0') {
900  SCJbSetString(js, "proto", addr->proto);
901  }
902 
903  /* ip version */
904  if (PacketIsIPv4(p)) {
905  SCJbSetUint(js, "ip_v", 4);
906  } else if (PacketIsIPv6(p)) {
907  SCJbSetUint(js, "ip_v", 6);
908  }
909 
910  /* icmp */
911  switch (p->proto) {
912  case IPPROTO_ICMP:
913  if (PacketIsICMPv4(p)) {
914  SCJbSetUint(js, "icmp_type", p->icmp_s.type);
915  SCJbSetUint(js, "icmp_code", p->icmp_s.code);
916  }
917  break;
918  case IPPROTO_ICMPV6:
919  if (PacketIsICMPv6(p)) {
920  SCJbSetUint(js, "icmp_type", PacketGetICMPv6(p)->type);
921  SCJbSetUint(js, "icmp_code", PacketGetICMPv6(p)->code);
922  }
923  break;
924  }
925 
926  SCJbSetString(js, "pkt_src", PktSrcToString(p->pkt_src));
927 
928  if (eve_ctx != NULL) {
929  EveAddCommonOptions(&eve_ctx->cfg, p, f, js, dir);
930  }
931 
932  return js;
933 }
934 
935 SCJsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir,
936  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
937 {
938  SCJsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, eve_ctx);
939  if (unlikely(js == NULL))
940  return NULL;
941 
942  /* tx id for correlation with other events */
943  SCJbSetUint(js, "tx_id", tx_id);
944 
945  return js;
946 }
947 
948 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
949 {
950  OutputJSONMemBufferWrapper *wrapper = data;
951  MemBuffer **memb = wrapper->buffer;
952 
953  if (MEMBUFFER_OFFSET(*memb) + size >= MEMBUFFER_SIZE(*memb)) {
954  MemBufferExpand(memb, wrapper->expand_by);
955  }
956 
957  DEBUG_VALIDATE_BUG_ON(size > UINT32_MAX);
958  MemBufferWriteRaw((*memb), (const uint8_t *)str, (uint32_t)size);
959  return 0;
960 }
961 
962 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
963 {
964  if (file_ctx->sensor_name) {
965  json_object_set_new(js, "host",
966  json_string(file_ctx->sensor_name));
967  }
968 
969  if (file_ctx->is_pcap_offline) {
970  json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
971  }
972 
973  if (file_ctx->prefix) {
974  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
975  }
976 
977  OutputJSONMemBufferWrapper wrapper = {
978  .buffer = buffer,
979  .expand_by = JSON_OUTPUT_BUFFER_SIZE
980  };
981 
982  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
983  file_ctx->json_flags);
984  if (r != 0)
985  return TM_ECODE_OK;
986 
987  LogFileWrite(file_ctx, *buffer);
988  return 0;
989 }
990 
991 void OutputJsonFlush(OutputJsonThreadCtx *ctx)
992 {
993  LogFileCtx *file_ctx = ctx->file_ctx;
994  LogFileFlush(file_ctx);
995 }
996 
997 void OutputJsonBuilderBuffer(
998  ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
999 {
1000  LogFileCtx *file_ctx = ctx->file_ctx;
1001  MemBuffer **buffer = &ctx->buffer;
1002  if (file_ctx->sensor_name) {
1003  SCJbSetString(js, "host", file_ctx->sensor_name);
1004  }
1005 
1006  if (file_ctx->is_pcap_offline) {
1007  SCJbSetString(js, "pcap_filename", PcapFileGetFilename());
1008  }
1009 
1010  SCEveRunCallbacks(tv, p, f, js);
1011 
1012  SCJbClose(js);
1013 
1014  MemBufferReset(*buffer);
1015 
1016  if (file_ctx->prefix) {
1017  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
1018  }
1019 
1020  size_t jslen = SCJbLen(js);
1021  DEBUG_VALIDATE_BUG_ON(SCJbLen(js) > UINT32_MAX);
1022  size_t remaining = MEMBUFFER_SIZE(*buffer) - MEMBUFFER_OFFSET(*buffer);
1023  if (jslen >= remaining) {
1024  size_t expand_by = jslen + 1 - remaining;
1025  if (MemBufferExpand(buffer, (uint32_t)expand_by) < 0) {
1026  if (!ctx->too_large_warning) {
1027  /* Log a warning once, and include enough of the log
1028  * message to hopefully identify the event_type. */
1029  char partial[120];
1030  size_t partial_len = MIN(sizeof(partial), jslen);
1031  memcpy(partial, SCJbPtr(js), partial_len - 1);
1032  partial[partial_len - 1] = '\0';
1033  SCLogWarning("Formatted JSON EVE record too large, will be dropped: %s", partial);
1034  ctx->too_large_warning = true;
1035  }
1036  return;
1037  }
1038  }
1039 
1040  MemBufferWriteRaw((*buffer), SCJbPtr(js), (uint32_t)jslen);
1041  LogFileWrite(file_ctx, *buffer);
1042 }
1043 
1044 static inline enum LogFileType FileTypeFromConf(const char *typestr)
1045 {
1046  enum LogFileType log_filetype = LOGFILE_TYPE_NOTSET;
1047 
1048  if (typestr == NULL) {
1049  log_filetype = LOGFILE_TYPE_FILE;
1050  } else if (strcmp(typestr, "file") == 0 || strcmp(typestr, "regular") == 0) {
1051  log_filetype = LOGFILE_TYPE_FILE;
1052  } else if (strcmp(typestr, "unix_dgram") == 0) {
1053  log_filetype = LOGFILE_TYPE_UNIX_DGRAM;
1054  } else if (strcmp(typestr, "unix_stream") == 0) {
1055  log_filetype = LOGFILE_TYPE_UNIX_STREAM;
1056  } else if (strcmp(typestr, "redis") == 0) {
1057 #ifdef HAVE_LIBHIREDIS
1058  log_filetype = LOGFILE_TYPE_REDIS;
1059 #else
1060  FatalError("redis JSON output option is not compiled");
1061 #endif
1062  }
1063  SCLogDebug("type %s, file type value %d", typestr, log_filetype);
1064  return log_filetype;
1065 }
1066 
1067 static int LogFileTypePrepare(
1068  OutputJsonCtx *json_ctx, enum LogFileType log_filetype, SCConfNode *conf)
1069 {
1070 
1071  if (log_filetype == LOGFILE_TYPE_FILE || log_filetype == LOGFILE_TYPE_UNIX_DGRAM ||
1072  log_filetype == LOGFILE_TYPE_UNIX_STREAM) {
1073  if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
1074  return -1;
1075  }
1076  }
1077 #ifdef HAVE_LIBHIREDIS
1078  else if (log_filetype == LOGFILE_TYPE_REDIS) {
1079  SCLogRedisInit();
1080  SCConfNode *redis_node = SCConfNodeLookupChild(conf, "redis");
1081  if (!json_ctx->file_ctx->sensor_name) {
1082  char hostname[1024];
1083  gethostname(hostname, 1023);
1084  json_ctx->file_ctx->sensor_name = SCStrdup(hostname);
1085  }
1086  if (json_ctx->file_ctx->sensor_name == NULL) {
1087  return -1;
1088  }
1089 
1090  if (SCConfLogOpenRedis(redis_node, json_ctx->file_ctx) < 0) {
1091  return -1;
1092  }
1093  }
1094 #endif
1095  else if (log_filetype == LOGFILE_TYPE_FILETYPE) {
1096  if (json_ctx->file_ctx->threaded) {
1097  /* Prepare for threaded log output. */
1098  if (!SCLogOpenThreadedFile(NULL, NULL, json_ctx->file_ctx)) {
1099  return -1;
1100  }
1101  }
1102  if (json_ctx->filetype->Init(conf, json_ctx->file_ctx->threaded,
1103  &json_ctx->file_ctx->filetype.init_data) < 0) {
1104  return -1;
1105  }
1106  if (json_ctx->filetype->ThreadInit) {
1107  if (json_ctx->filetype->ThreadInit(json_ctx->file_ctx->filetype.init_data, 0,
1108  &json_ctx->file_ctx->filetype.thread_data) < 0) {
1109  return -1;
1110  }
1111  }
1112  json_ctx->file_ctx->filetype.filetype = json_ctx->filetype;
1113  }
1114 
1115  return 0;
1116 }
1117 
1118 /**
1119  * \brief Create a new LogFileCtx for "fast" output style.
1120  * \param conf The configuration node for this output.
1121  * \return A LogFileCtx pointer on success, NULL on failure.
1122  */
1123 OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
1124 {
1125  OutputInitResult result = { NULL, false };
1126  OutputCtx *output_ctx = NULL;
1127 
1128  OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));
1129  if (unlikely(json_ctx == NULL)) {
1130  SCLogDebug("could not create new OutputJsonCtx");
1131  return result;
1132  }
1133 
1134  /* First lookup a sensor-name value in this outputs configuration
1135  * node (deprecated). If that fails, lookup the global one. */
1136  const char *sensor_name = SCConfNodeLookupChildValue(conf, "sensor-name");
1137  if (sensor_name != NULL) {
1138  SCLogWarning("Found deprecated eve-log setting \"sensor-name\". "
1139  "Please set sensor-name globally.");
1140  }
1141  else {
1142  (void)SCConfGet("sensor-name", &sensor_name);
1143  }
1144 
1145  json_ctx->file_ctx = LogFileNewCtx();
1146  if (unlikely(json_ctx->file_ctx == NULL)) {
1147  SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
1148  goto error_exit;
1149  }
1150 
1151  if (sensor_name) {
1152  json_ctx->file_ctx->sensor_name = SCStrdup(sensor_name);
1153  if (json_ctx->file_ctx->sensor_name == NULL) {
1154  goto error_exit;
1155  }
1156  } else {
1157  json_ctx->file_ctx->sensor_name = NULL;
1158  }
1159 
1160  output_ctx = SCCalloc(1, sizeof(OutputCtx));
1161  if (unlikely(output_ctx == NULL)) {
1162  goto error_exit;
1163  }
1164 
1165  output_ctx->data = json_ctx;
1166  output_ctx->DeInit = OutputJsonDeInitCtx;
1167 
1168  if (conf) {
1169  const char *output_s = SCConfNodeLookupChildValue(conf, "filetype");
1170  // Backwards compatibility
1171  if (output_s == NULL) {
1172  output_s = SCConfNodeLookupChildValue(conf, "type");
1173  }
1174 
1175  enum LogFileType log_filetype = FileTypeFromConf(output_s);
1176  if (log_filetype == LOGFILE_TYPE_NOTSET) {
1177  SCEveFileType *filetype = SCEveFindFileType(output_s);
1178  if (filetype != NULL) {
1179  log_filetype = LOGFILE_TYPE_FILETYPE;
1180  json_ctx->filetype = filetype;
1181  } else
1182  FatalError("Invalid JSON output option: %s", output_s);
1183  }
1184 
1185  const char *prefix = SCConfNodeLookupChildValue(conf, "prefix");
1186  if (prefix != NULL)
1187  {
1188  SCLogInfo("Using prefix '%s' for JSON messages", prefix);
1189  json_ctx->file_ctx->prefix = SCStrdup(prefix);
1190  if (json_ctx->file_ctx->prefix == NULL)
1191  {
1192  FatalError("Failed to allocate memory for eve-log.prefix setting.");
1193  }
1194  json_ctx->file_ctx->prefix_len = (uint32_t)strlen(prefix);
1195  }
1196 
1197  /* Threaded file output */
1198  const SCConfNode *threaded = SCConfNodeLookupChild(conf, "threaded");
1199  if (threaded && threaded->val && SCConfValIsTrue(threaded->val)) {
1200  SCLogConfig("Threaded EVE logging configured");
1201  json_ctx->file_ctx->threaded = true;
1202  } else {
1203  json_ctx->file_ctx->threaded = false;
1204  }
1205  if (LogFileTypePrepare(json_ctx, log_filetype, conf) < 0) {
1206  goto error_exit;
1207  }
1208 
1209  const char *sensor_id_s = SCConfNodeLookupChildValue(conf, "sensor-id");
1210  if (sensor_id_s != NULL) {
1211  if (StringParseUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) < 0) {
1212  FatalError("Failed to initialize JSON output, "
1213  "invalid sensor-id: %s",
1214  sensor_id_s);
1215  }
1216  }
1217 
1218  /* Check if top-level metadata should be logged. */
1219  const SCConfNode *metadata = SCConfNodeLookupChild(conf, "metadata");
1220  if (metadata && metadata->val && SCConfValIsFalse(metadata->val)) {
1221  SCLogConfig("Disabling eve metadata logging.");
1222  json_ctx->cfg.include_metadata = false;
1223  } else {
1224  json_ctx->cfg.include_metadata = true;
1225  }
1226 
1227  /* Check if ethernet information should be logged. */
1228  const SCConfNode *ethernet = SCConfNodeLookupChild(conf, "ethernet");
1229  if (ethernet && ethernet->val && SCConfValIsTrue(ethernet->val)) {
1230  SCLogConfig("Enabling Ethernet MAC address logging.");
1231  json_ctx->cfg.include_ethernet = true;
1232  } else {
1233  json_ctx->cfg.include_ethernet = false;
1234  }
1235 
1236  const SCConfNode *suriver = SCConfNodeLookupChild(conf, "suricata-version");
1237  if (suriver && suriver->val && SCConfValIsTrue(suriver->val)) {
1238  SCLogConfig("Enabling Suricata version logging.");
1239  json_ctx->cfg.include_suricata_version = true;
1240  } else {
1241  json_ctx->cfg.include_suricata_version = false;
1242  }
1243 
1244  /* See if we want to enable the community id */
1245  const SCConfNode *community_id = SCConfNodeLookupChild(conf, "community-id");
1246  if (community_id && community_id->val && SCConfValIsTrue(community_id->val)) {
1247  SCLogConfig("Enabling eve community_id logging.");
1248  json_ctx->cfg.include_community_id = true;
1249  } else {
1250  json_ctx->cfg.include_community_id = false;
1251  }
1252  const char *cid_seed = SCConfNodeLookupChildValue(conf, "community-id-seed");
1253  if (cid_seed != NULL) {
1254  if (StringParseUint16(&json_ctx->cfg.community_id_seed,
1255  10, 0, cid_seed) < 0)
1256  {
1257  FatalError("Failed to initialize JSON output, "
1258  "invalid community-id-seed: %s",
1259  cid_seed);
1260  }
1261  }
1262 
1263  /* Do we have a global eve xff configuration? */
1264  const SCConfNode *xff = SCConfNodeLookupChild(conf, "xff");
1265  if (xff != NULL) {
1266  json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1267  if (likely(json_ctx->xff_cfg != NULL)) {
1268  HttpXFFGetCfg(conf, json_ctx->xff_cfg);
1269  }
1270  }
1271 
1272  const char *pcapfile_s = SCConfNodeLookupChildValue(conf, "pcap-file");
1273  if (pcapfile_s != NULL && SCConfValIsTrue(pcapfile_s)) {
1274  json_ctx->file_ctx->is_pcap_offline =
1275  (SCRunmodeGet() == RUNMODE_PCAP_FILE || SCRunmodeGet() == RUNMODE_UNIX_SOCKET);
1276  }
1277  json_ctx->file_ctx->type = log_filetype;
1278  }
1279 
1280  SCLogDebug("returning output_ctx %p", output_ctx);
1281 
1282  result.ctx = output_ctx;
1283  result.ok = true;
1284  return result;
1285 
1286 error_exit:
1287  if (json_ctx->file_ctx) {
1288  if (json_ctx->file_ctx->prefix) {
1289  SCFree(json_ctx->file_ctx->prefix);
1290  }
1291  LogFileFreeCtx(json_ctx->file_ctx);
1292  }
1293  SCFree(json_ctx);
1294 
1295  if (output_ctx) {
1296  SCFree(output_ctx);
1297  }
1298  return result;
1299 }
1300 
1301 static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
1302 {
1303  OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data;
1304  LogFileCtx *logfile_ctx = json_ctx->file_ctx;
1305  if (logfile_ctx->dropped) {
1306  SCLogWarning("%" PRIu64 " events were dropped due to slow or "
1307  "disconnected socket",
1308  logfile_ctx->dropped);
1309  }
1310  if (json_ctx->xff_cfg != NULL) {
1311  SCFree(json_ctx->xff_cfg);
1312  }
1313  LogFileFreeCtx(logfile_ctx);
1314  SCFree(json_ctx);
1315  SCFree(output_ctx);
1316 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:239
FlowVar_::fv_float
FlowVarTypeFloat fv_float
Definition: flow-var.h:66
util-device-private.h
util-byte.h
MacSetSide
MacSetSide
Definition: util-macset.h:28
Packet_::proto
uint8_t proto
Definition: decode.h:523
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:991
pad0
uint8_t pad0
Definition: decode-template.h:1
SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition: output-eve-bindgen.h:31
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:551
detect-engine.h
LOGFILE_TYPE_REDIS
@ LOGFILE_TYPE_REDIS
Definition: util-logopenfile.h:42
LogFileCtx_::sensor_name
char * sensor_name
Definition: util-logopenfile.h:115
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:78
HttpXFFGetCfg
void HttpXFFGetCfg(SCConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:80
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:692
MemBufferExpand
int MemBufferExpand(MemBuffer **buffer, uint32_t expand_by)
expand membuffer by size of 'expand_by'
Definition: util-buffer.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
Flow_::proto
uint8_t proto
Definition: flow.h:370
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:41
LogFileFlush
void LogFileFlush(LogFileCtx *file_ctx)
Definition: util-logopenfile.c:971
FLOWVAR_TYPE_STR
#define FLOWVAR_TYPE_STR
Definition: flow-var.h:33
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:832
Flow_::icmp_d
struct Flow_::@129::@135 icmp_d
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:56
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
util-macset.h
OutputJsonCtx_
Definition: output-json.h:75
LogFileCtx_::json_flags
size_t json_flags
Definition: util-logopenfile.h:150
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:529
Flow_
Flow data structure.
Definition: flow.h:348
File_::state
FileState state
Definition: util-file.h:110
OutputJsonCommonSettings_
Definition: output-json.h:64
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
util-syslog.h
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:343
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:350
PktVar_::next
struct PktVar_ * next
Definition: decode.h:313
FILE_STORE
#define FILE_STORE
Definition: util-file.h:83
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:113
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:64
FlowVar_::keylen
FlowVarKeyLenType keylen
Definition: flow-var.h:58
LOGFILE_TYPE_NOTSET
@ LOGFILE_TYPE_NOTSET
Definition: util-logopenfile.h:45
SCProtoNameValid
bool SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:453
EveTcpFlags
void EveTcpFlags(const uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:448
output-eve-null.h
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
flow-bit.h
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
util-log-redis.h
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-eve-bindgen.h:35
COMMUNITY_ID_BUF_SIZE
#define COMMUNITY_ID_BUF_SIZE
Definition: output-json.c:583
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:66
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:576
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:60
known_proto
const char * known_proto[256]
Definition: util-proto-name.c:40
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:997
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:101
proto
uint8_t proto
Definition: decode-template.h:0
CreateEveFlowId
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
Definition: output-json.c:698
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
Flow_::dp
Port dp
Definition: flow.h:364
JSONMACAddrInfo::dst
SCJsonBuilder * dst
Definition: output-json.c:724
Packet_::icmp_s
struct Packet_::@33::@40 icmp_s
FLOWVAR_TYPE_INT
#define FLOWVAR_TYPE_INT
Definition: flow-var.h:34
JSONMACAddrInfo
struct JSONMACAddrInfo JSONMACAddrInfo
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:124
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:204
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
OutputJsonCommonSettings_::include_suricata_version
bool include_suricata_version
Definition: output-json.h:68
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:91
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
OutputCtx_
Definition: tm-modules.h:88
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputJsonThreadCtx_
Definition: output-json.h:83
Packet_::datalink
int datalink
Definition: decode.h:639
File_::name_len
uint16_t name_len
Definition: util-file.h:109
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:65
LogFileCtx_::filetype
LogFileTypeCtx filetype
Definition: util-logopenfile.h:91
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:468
Flow_::dst
FlowAddress dst
Definition: flow.h:351
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:122
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:279
LogFileWrite
int LogFileWrite(LogFileCtx *file_ctx, MemBuffer *buffer)
Definition: util-logopenfile.c:977
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:31
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:597
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:57
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:199
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:238
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json.c:66
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
Definition: output-json.c:396
File_::end
uint64_t end
Definition: util-file.h:134
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:62
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LogFileCtx_::prefix_len
uint32_t prefix_len
Definition: util-logopenfile.h:132
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:60
Packet_::ts
SCTime_t ts
Definition: decode.h:555
output-json.h
FlowVar_::idx
uint32_t idx
Definition: flow-var.h:59
JSONMACAddrInfo
Definition: output-json.c:723
PktVar_::value
uint8_t * value
Definition: decode.h:319
OutputRegisterModule
void OutputRegisterModule(const char *, const char *, OutputInitFunc)
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1123
util-print.h
FlowVar_::key
uint8_t * key
Definition: flow-var.h:68
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:231
FlowVarTypeFloat_::value
double value
Definition: flow-var.h:51
Packet_::sp
Port sp
Definition: decode.h:508
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:325
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:860
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:32
OutputInitResult_::ok
bool ok
Definition: output.h:48
LiveDevice_::dev
char * dev
Definition: util-device-private.h:33
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:259
PktVar_::key
uint8_t * key
Definition: decode.h:318
SyslogInitialize
void SyslogInitialize(void)
Definition: output-eve-syslog.c:99
LogFileCtx_::type
enum LogFileType type
Definition: util-logopenfile.h:103
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-eve-bindgen.h:33
LOGFILE_TYPE_FILE
@ LOGFILE_TYPE_FILE
Definition: util-logopenfile.h:39
MAC_SET_DST
@ MAC_SET_DST
Definition: util-macset.h:30
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:48
JsonAddrInfo_
Definition: output-json.h:41
source-pcap-file-helper.h
NullLogInitialize
void NullLogInitialize(void)
Definition: output-eve-null.c:66
Packet_
Definition: decode.h:501
EveFileInfo
void EveFileInfo(SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
OutputJSONMemBufferWrapper_
Definition: output-json.h:59
type
uint16_t type
Definition: decode-vlan.c:106
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
FlowVar_::data
union FlowVar_::@122 data
MacSet_
Definition: util-macset.c:45
conf.h
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:710
Port
uint16_t Port
Definition: decode.h:218
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:618
File_::name
uint8_t * name
Definition: util-file.h:116
TH_ECN
#define TH_ECN
Definition: decode-tcp.h:41
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOGFILE_TYPE_UNIX_DGRAM
@ LOGFILE_TYPE_UNIX_DGRAM
Definition: util-logopenfile.h:40
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:115
LogFileTypeCtx_::thread_data
void * thread_data
Definition: util-logopenfile.h:68
SCLogOpenThreadedFile
bool SCLogOpenThreadedFile(const char *log_path, const char *append, LogFileCtx *parent_ctx)
Definition: util-logopenfile.c:361
util-proto-name.h
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:67
__attribute__
typedef __attribute__
DNP3 application header.
File_::sid
uint32_t * sid
Definition: util-file.h:136
LOGFILE_TYPE_UNIX_STREAM
@ LOGFILE_TYPE_UNIX_STREAM
Definition: util-logopenfile.h:41
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:423
MemBuffer_
Definition: util-buffer.h:27
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:137
TH_URG
#define TH_URG
Definition: decode-tcp.h:39
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:229
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition: output-json.c:373
VAR_TYPE_FLOW_FLOAT
@ VAR_TYPE_FLOW_FLOAT
Definition: util-var.h:38
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:46
Flow_::src
FlowAddress src
Definition: flow.h:351
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:481
SCEveFileType_::Init
int(* Init)(const SCConfNode *conf, const bool threaded, void **init_data)
Function to initialize this filetype.
Definition: output-eve.h:103
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:65
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
MAC_SET_SRC
@ MAC_SET_SRC
Definition: util-macset.h:29
File_::flags
uint16_t flags
Definition: util-file.h:108
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:99
File_
Definition: util-file.h:107
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
flow-storage.h
OutputInitResult_
Definition: output.h:46
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:40
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
StringParseUint64
int StringParseUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:311
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:198
PrintBufferData
#define PrintBufferData(buf, buf_offset_ptr, buf_size,...)
Definition: util-print.h:27
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:61
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:431
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:102
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:94
LogFileTypeCtx_::init_data
void * init_data
Definition: util-logopenfile.h:67
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:306
MacSetSize
int MacSetSize(const MacSet *ms)
Definition: util-macset.c:247
GenericVar_
Definition: util-var.h:53
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
FILE_STORED
#define FILE_STORED
Definition: util-file.h:84
FLOWVAR_TYPE_FLOAT
#define FLOWVAR_TYPE_FLOAT
Definition: flow-var.h:35
FILE_MD5
#define FILE_MD5
Definition: util-file.h:76
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:906
output-eve-syslog.h
util-classification-config.h
CreateEveHeaderWithTxId
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:935
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:514
Flow_::parent_id
int64_t parent_id
Definition: flow.h:422
FlowBit_::idx
uint32_t idx
Definition: flow-bit.h:33
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:59
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:126
File_::start
uint64_t start
Definition: util-file.h:133
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:33
util-optimize.h
util-validate.h
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
FlowBit_
Definition: flow-bit.h:30
str
#define str(s)
Definition: suricata-common.h:308
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(SCConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:466
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:203
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:611
util-logopenfile.h
MacSetGetFirst
uint8_t * MacSetGetFirst(const MacSet *ms, MacSetSide side)
Definition: util-macset.c:234
MEMBUFFER_SIZE
#define MEMBUFFER_SIZE(mem_buffer)
Get the MemBuffers current size.
Definition: util-buffer.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:413
src
uint16_t src
Definition: app-layer-dnp3.h:5
util-buffer.h
TH_CWR
#define TH_CWR
Definition: decode-tcp.h:43
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:39
MacSetForEach
int MacSetForEach(const MacSet *ms, MacSetIteratorFunc IterFunc, void *data)
Definition: util-macset.c:221
LogFileCtx_::prefix
char * prefix
Definition: util-logopenfile.h:131
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
LogFileCtx_::is_pcap_offline
bool is_pcap_offline
Definition: util-logopenfile.h:156
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition: source-pcap-file-helper.c:118
GenericVar_::type
uint16_t type
Definition: util-var.h:54
PktVar_::value_len
uint16_t value_len
Definition: decode.h:317
MAX_JSON_SIZE
#define MAX_JSON_SIZE
Definition: output-json.c:69
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
Flow_::icmp_s
struct Flow_::@127::@133 icmp_s
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:948
JSONMACAddrInfo::src
SCJsonBuilder * src
Definition: output-json.c:724
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:962
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:78
LogFileType
LogFileType
Definition: util-logopenfile.h:38
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
SCEveFindFileType
SCEveFileType * SCEveFindFileType(const char *name)
Definition: output-eve.c:82
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-eve-bindgen.h:32
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-eve-bindgen.h:34
PktVar_
Definition: decode.h:311
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:528
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1230
SCEveFileType_::ThreadInit
int(* ThreadInit)(const void *init_data, const ThreadId thread_id, void **thread_data)
Initialize thread specific data.
Definition: output-eve.h:124
Flow_::sp
Port sp
Definition: flow.h:353
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
PROG_VER
#define PROG_VER
Definition: suricata.h:76
LogFileTypeCtx_::filetype
SCEveFileType * filetype
Definition: util-logopenfile.h:66
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:69
flow.h
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
Packet_::dp
Port dp
Definition: decode.h:516
PktVar_::key_len
uint16_t key_len
Definition: decode.h:316
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCConfNode_
Definition: conf.h:37
flow-var.h
SCConfNode_::val
char * val
Definition: conf.h:39
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:103
FlowVar_
Definition: flow-var.h:55
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:408
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
LOGFILE_TYPE_FILETYPE
@ LOGFILE_TYPE_FILETYPE
Definition: util-logopenfile.h:44
FlowVar_::datatype
uint8_t datatype
Definition: flow-var.h:57
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:87
output.h
PktVar_::id
uint32_t id
Definition: decode.h:312
SCEveRunCallbacks
void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *jb)
Definition: output-eve.c:53
LogFileCtx_::threaded
bool threaded
Definition: util-logopenfile.h:98
MODULE_NAME
#define MODULE_NAME
Definition: output-json.c:67
SCEveFileType_
Structure used to define an EVE output file type.
Definition: output-eve.h:73
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:80