suricata
output-json.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  *
23  * Logs detection and monitoring events in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "flow.h"
29 #include "conf.h"
30 
31 #include "util-debug.h"
32 #include "util-time.h"
33 #include "util-var-name.h"
34 #include "util-macset.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 
39 #include "detect-engine.h"
40 #include "util-classification-config.h"
41 #include "util-syslog.h"
42 
43 /* Internal output plugins */
44 #include "output-eve-syslog.h"
45 #include "output-eve-null.h"
46 
47 #include "output.h"
48 #include "output-json.h"
49 
50 #include "util-byte.h"
51 #include "util-print.h"
52 #include "util-proto-name.h"
53 #include "util-optimize.h"
54 #include "util-buffer.h"
55 #include "util-logopenfile.h"
56 #include "util-log-redis.h"
57 #include "util-device.h"
58 #include "util-validate.h"
59 
60 #include "flow-var.h"
61 #include "flow-bit.h"
62 #include "flow-storage.h"
63 
64 #include "source-pcap-file-helper.h"
65 
66 #define DEFAULT_LOG_FILENAME "eve.json"
67 #define MODULE_NAME "OutputJSON"
68 
69 #define MAX_JSON_SIZE 2048
70 
71 static void OutputJsonDeInitCtx(OutputCtx *);
72 static void CreateEveCommunityFlowId(JsonBuilder *js, const Flow *f, const uint16_t seed);
73 static int CreateJSONEther(
74  JsonBuilder *parent, const Packet *p, const Flow *f, enum OutputJsonLogDirection dir);
75 
76 static const char *TRAFFIC_ID_PREFIX = "traffic/id/";
77 static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
78 static size_t traffic_id_prefix_len = 0;
79 static size_t traffic_label_prefix_len = 0;
80 
81 const JsonAddrInfo json_addr_info_zero;
82 
83 void OutputJsonRegister (void)
84 {
85  OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
86 
87  traffic_id_prefix_len = strlen(TRAFFIC_ID_PREFIX);
88  traffic_label_prefix_len = strlen(TRAFFIC_LABEL_PREFIX);
89 
90  // Register output file types that use the new eve filetype registration
91  // API.
92  SyslogInitialize();
93  NullLogInitialize();
94 }
95 
96 json_t *SCJsonString(const char *val)
97 {
98  if (val == NULL){
99  return NULL;
100  }
101  json_t * retval = json_string(val);
102  char retbuf[MAX_JSON_SIZE] = {0};
103  if (retval == NULL) {
104  uint32_t u = 0;
105  uint32_t offset = 0;
106  for (u = 0; u < strlen(val); u++) {
107  if (isprint(val[u])) {
108  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1, "%c",
109  val[u]);
110  } else {
111  PrintBufferData(retbuf, &offset, MAX_JSON_SIZE-1,
112  "\\x%02X", val[u]);
113  }
114  }
115  retbuf[offset] = '\0';
116  retval = json_string(retbuf);
117  }
118  return retval;
119 }
120 
121 /* Default Sensor ID value */
122 static int64_t sensor_id = -1; /* -1 = not defined */
123 
124 void EveFileInfo(JsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
125 {
126  jb_set_string_from_bytes(jb, "filename", ff->name, ff->name_len);
127 
128  if (ff->sid_cnt > 0) {
129  jb_open_array(jb, "sid");
130  for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
131  jb_append_uint(jb, ff->sid[i]);
132  }
133  jb_close(jb);
134  }
135 
136 #ifdef HAVE_MAGIC
137  if (ff->magic)
138  jb_set_string(jb, "magic", (char *)ff->magic);
139 #endif
140  jb_set_bool(jb, "gaps", ff->flags & FILE_HAS_GAPS);
141  switch (ff->state) {
142  case FILE_STATE_CLOSED:
143  JB_SET_STRING(jb, "state", "CLOSED");
144  if (ff->flags & FILE_MD5) {
145  jb_set_hex(jb, "md5", (uint8_t *)ff->md5, (uint32_t)sizeof(ff->md5));
146  }
147  if (ff->flags & FILE_SHA1) {
148  jb_set_hex(jb, "sha1", (uint8_t *)ff->sha1, (uint32_t)sizeof(ff->sha1));
149  }
150  break;
151  case FILE_STATE_TRUNCATED:
152  JB_SET_STRING(jb, "state", "TRUNCATED");
153  break;
154  case FILE_STATE_ERROR:
155  JB_SET_STRING(jb, "state", "ERROR");
156  break;
157  default:
158  JB_SET_STRING(jb, "state", "UNKNOWN");
159  break;
160  }
161 
162  if (ff->flags & FILE_SHA256) {
163  jb_set_hex(jb, "sha256", (uint8_t *)ff->sha256, (uint32_t)sizeof(ff->sha256));
164  }
165 
166  if (flags & FILE_STORED) {
167  JB_SET_TRUE(jb, "stored");
168  jb_set_uint(jb, "file_id", ff->file_store_id);
169  } else {
170  JB_SET_FALSE(jb, "stored");
171  if (flags & FILE_STORE) {
172  JB_SET_TRUE(jb, "storing");
173  }
174  }
175 
176  jb_set_uint(jb, "size", FileTrackedSize(ff));
177  if (ff->end > 0) {
178  jb_set_uint(jb, "start", ff->start);
179  jb_set_uint(jb, "end", ff->end);
180  }
181  jb_set_uint(jb, "tx_id", tx_id);
182 }
183 
184 static void EveAddPacketVars(const Packet *p, JsonBuilder *js_vars)
185 {
186  if (p == NULL || p->pktvar == NULL) {
187  return;
188  }
189  PktVar *pv = p->pktvar;
190  bool open = false;
191  while (pv != NULL) {
192  if (pv->key || pv->id > 0) {
193  if (!open) {
194  jb_open_array(js_vars, "pktvars");
195  open = true;
196  }
197  jb_start_object(js_vars);
198 
199  if (pv->key != NULL) {
200  uint32_t offset = 0;
201  uint8_t keybuf[pv->key_len + 1];
202  PrintStringsToBuffer(keybuf, &offset, pv->key_len + 1, pv->key, pv->key_len);
203  uint32_t len = pv->value_len;
204  uint8_t printable_buf[len + 1];
205  offset = 0;
206  PrintStringsToBuffer(printable_buf, &offset, len + 1, pv->value, pv->value_len);
207  jb_set_string(js_vars, (char *)keybuf, (char *)printable_buf);
208  } else {
209  const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
210  uint32_t len = pv->value_len;
211  uint8_t printable_buf[len + 1];
212  uint32_t offset = 0;
213  PrintStringsToBuffer(printable_buf, &offset, len + 1, pv->value, pv->value_len);
214  jb_set_string(js_vars, varname, (char *)printable_buf);
215  }
216  jb_close(js_vars);
217  }
218  pv = pv->next;
219  }
220  if (open) {
221  jb_close(js_vars);
222  }
223 }
224 
225 /**
226  * \brief Check if string s has prefix prefix.
227  *
228  * \retval true if string has prefix
229  * \retval false if string does not have prefix
230  *
231  * TODO: Move to file with other string handling functions.
232  */
233 static bool SCStringHasPrefix(const char *s, const char *prefix)
234 {
235  if (strncmp(s, prefix, strlen(prefix)) == 0) {
236  return true;
237  }
238  return false;
239 }
240 
241 static void EveAddFlowVars(const Flow *f, JsonBuilder *js_root, JsonBuilder **js_traffic)
242 {
243  if (f == NULL || f->flowvar == NULL) {
244  return;
245  }
246  JsonBuilder *js_flowvars = NULL;
247  JsonBuilder *js_traffic_id = NULL;
248  JsonBuilder *js_traffic_label = NULL;
249  JsonBuilder *js_flowints = NULL;
250  JsonBuilder *js_flowbits = NULL;
251  GenericVar *gv = f->flowvar;
252  while (gv != NULL) {
253  if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
254  FlowVar *fv = (FlowVar *)gv;
255  if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
256  const char *varname = VarNameStoreLookupById(fv->idx,
257  VAR_TYPE_FLOW_VAR);
258  if (varname) {
259  if (js_flowvars == NULL) {
260  js_flowvars = jb_new_array();
261  if (js_flowvars == NULL)
262  break;
263  }
264 
265  uint32_t len = fv->data.fv_str.value_len;
266  uint8_t printable_buf[len + 1];
267  uint32_t offset = 0;
268  PrintStringsToBuffer(printable_buf, &offset, len + 1, fv->data.fv_str.value,
269  fv->data.fv_str.value_len);
270 
271  jb_start_object(js_flowvars);
272  jb_set_string(js_flowvars, varname, (char *)printable_buf);
273  jb_close(js_flowvars);
274  }
275  } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
276  if (js_flowvars == NULL) {
277  js_flowvars = jb_new_array();
278  if (js_flowvars == NULL)
279  break;
280  }
281 
282  uint8_t keybuf[fv->keylen + 1];
283  uint32_t offset = 0;
284  PrintStringsToBuffer(keybuf, &offset, fv->keylen + 1, fv->key, fv->keylen);
285 
286  uint32_t len = fv->data.fv_str.value_len;
287  uint8_t printable_buf[len + 1];
288  offset = 0;
289  PrintStringsToBuffer(printable_buf, &offset, len + 1, fv->data.fv_str.value,
290  fv->data.fv_str.value_len);
291 
292  jb_start_object(js_flowvars);
293  jb_set_string(js_flowvars, (const char *)keybuf, (char *)printable_buf);
294  jb_close(js_flowvars);
295  } else if (fv->datatype == FLOWVAR_TYPE_INT) {
296  const char *varname = VarNameStoreLookupById(fv->idx,
297  VAR_TYPE_FLOW_INT);
298  if (varname) {
299  if (js_flowints == NULL) {
300  js_flowints = jb_new_object();
301  if (js_flowints == NULL)
302  break;
303  }
304  jb_set_uint(js_flowints, varname, fv->data.fv_int.value);
305  }
306 
307  }
308  } else if (gv->type == DETECT_FLOWBITS) {
309  FlowBit *fb = (FlowBit *)gv;
310  const char *varname = VarNameStoreLookupById(fb->idx,
311  VAR_TYPE_FLOW_BIT);
312  if (varname) {
313  if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) {
314  if (js_traffic_id == NULL) {
315  js_traffic_id = jb_new_array();
316  if (unlikely(js_traffic_id == NULL)) {
317  break;
318  }
319  }
320  jb_append_string(js_traffic_id, &varname[traffic_id_prefix_len]);
321  } else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) {
322  if (js_traffic_label == NULL) {
323  js_traffic_label = jb_new_array();
324  if (unlikely(js_traffic_label == NULL)) {
325  break;
326  }
327  }
328  jb_append_string(js_traffic_label, &varname[traffic_label_prefix_len]);
329  } else {
330  if (js_flowbits == NULL) {
331  js_flowbits = jb_new_array();
332  if (unlikely(js_flowbits == NULL))
333  break;
334  }
335  jb_append_string(js_flowbits, varname);
336  }
337  }
338  }
339  gv = gv->next;
340  }
341  if (js_flowbits) {
342  jb_close(js_flowbits);
343  jb_set_object(js_root, "flowbits", js_flowbits);
344  jb_free(js_flowbits);
345  }
346  if (js_flowints) {
347  jb_close(js_flowints);
348  jb_set_object(js_root, "flowints", js_flowints);
349  jb_free(js_flowints);
350  }
351  if (js_flowvars) {
352  jb_close(js_flowvars);
353  jb_set_object(js_root, "flowvars", js_flowvars);
354  jb_free(js_flowvars);
355  }
356 
357  if (js_traffic_id != NULL || js_traffic_label != NULL) {
358  *js_traffic = jb_new_object();
359  if (likely(*js_traffic != NULL)) {
360  if (js_traffic_id != NULL) {
361  jb_close(js_traffic_id);
362  jb_set_object(*js_traffic, "id", js_traffic_id);
363  jb_free(js_traffic_id);
364  }
365  if (js_traffic_label != NULL) {
366  jb_close(js_traffic_label);
367  jb_set_object(*js_traffic, "label", js_traffic_label);
368  jb_free(js_traffic_label);
369  }
370  jb_close(*js_traffic);
371  }
372  }
373 }
374 
375 void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
376 {
377  if ((p && p->pktvar) || (f && f->flowvar)) {
378  JsonBuilder *js_vars = jb_new_object();
379  if (js_vars) {
380  if (f && f->flowvar) {
381  JsonBuilder *js_traffic = NULL;
382  EveAddFlowVars(f, js_vars, &js_traffic);
383  if (js_traffic != NULL) {
384  jb_set_object(js, "traffic", js_traffic);
385  jb_free(js_traffic);
386  }
387  }
388  if (p && p->pktvar) {
389  EveAddPacketVars(p, js_vars);
390  }
391  jb_close(js_vars);
392  jb_set_object(js, "metadata", js_vars);
393  jb_free(js_vars);
394  }
395  }
396 }
397 
398 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
399  JsonBuilder *js, enum OutputJsonLogDirection dir)
400 {
401  if (cfg->include_metadata) {
402  EveAddMetadata(p, f, js);
403  }
404  if (cfg->include_ethernet) {
405  CreateJSONEther(js, p, f, dir);
406  }
407  if (cfg->include_community_id && f != NULL) {
408  CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
409  }
410  if (f != NULL && f->tenant_id > 0) {
411  jb_set_uint(js, "tenant_id", f->tenant_id);
412  }
413 }
414 
415 /**
416  * \brief Jsonify a packet
417  *
418  * \param p Packet
419  * \param js JSON object
420  * \param max_length If non-zero, restricts the number of packet data bytes handled.
421  */
422 void EvePacket(const Packet *p, JsonBuilder *js, uint32_t max_length)
423 {
424  uint32_t max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
425  jb_set_base64(js, "packet", GET_PKT_DATA(p), max_len);
426 
427  if (!jb_open_object(js, "packet_info")) {
428  return;
429  }
430  if (!jb_set_uint(js, "linktype", p->datalink)) {
431  return;
432  }
433  jb_close(js);
434 }
435 
436 /** \brief jsonify tcp flags field
437  * Only add 'true' fields in an attempt to keep things reasonably compact.
438  */
439 void EveTcpFlags(const uint8_t flags, JsonBuilder *js)
440 {
441  if (flags & TH_SYN)
442  JB_SET_TRUE(js, "syn");
443  if (flags & TH_FIN)
444  JB_SET_TRUE(js, "fin");
445  if (flags & TH_RST)
446  JB_SET_TRUE(js, "rst");
447  if (flags & TH_PUSH)
448  JB_SET_TRUE(js, "psh");
449  if (flags & TH_ACK)
450  JB_SET_TRUE(js, "ack");
451  if (flags & TH_URG)
452  JB_SET_TRUE(js, "urg");
453  if (flags & TH_ECN)
454  JB_SET_TRUE(js, "ecn");
455  if (flags & TH_CWR)
456  JB_SET_TRUE(js, "cwr");
457 }
458 
459 void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
460 {
461  char srcip[46] = {0}, dstip[46] = {0};
462  Port sp, dp;
463 
464  switch (dir) {
465  case LOG_DIR_PACKET:
466  if (PacketIsIPv4(p)) {
467  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
468  srcip, sizeof(srcip));
469  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
470  dstip, sizeof(dstip));
471  } else if (PacketIsIPv6(p)) {
472  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
473  srcip, sizeof(srcip));
474  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
475  dstip, sizeof(dstip));
476  } else {
477  /* Not an IP packet so don't do anything */
478  return;
479  }
480  sp = p->sp;
481  dp = p->dp;
482  break;
483  case LOG_DIR_FLOW:
484  case LOG_DIR_FLOW_TOSERVER:
485  if ((PKT_IS_TOSERVER(p))) {
486  if (PacketIsIPv4(p)) {
487  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
488  srcip, sizeof(srcip));
489  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
490  dstip, sizeof(dstip));
491  } else if (PacketIsIPv6(p)) {
492  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
493  srcip, sizeof(srcip));
494  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
495  dstip, sizeof(dstip));
496  }
497  sp = p->sp;
498  dp = p->dp;
499  } else {
500  if (PacketIsIPv4(p)) {
501  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
502  srcip, sizeof(srcip));
503  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
504  dstip, sizeof(dstip));
505  } else if (PacketIsIPv6(p)) {
506  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
507  srcip, sizeof(srcip));
508  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
509  dstip, sizeof(dstip));
510  }
511  sp = p->dp;
512  dp = p->sp;
513  }
514  break;
515  case LOG_DIR_FLOW_TOCLIENT:
516  if ((PKT_IS_TOCLIENT(p))) {
517  if (PacketIsIPv4(p)) {
518  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
519  srcip, sizeof(srcip));
520  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
521  dstip, sizeof(dstip));
522  } else if (PacketIsIPv6(p)) {
523  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
524  srcip, sizeof(srcip));
525  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
526  dstip, sizeof(dstip));
527  }
528  sp = p->sp;
529  dp = p->dp;
530  } else {
531  if (PacketIsIPv4(p)) {
532  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
533  srcip, sizeof(srcip));
534  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
535  dstip, sizeof(dstip));
536  } else if (PacketIsIPv6(p)) {
537  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
538  srcip, sizeof(srcip));
539  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
540  dstip, sizeof(dstip));
541  }
542  sp = p->dp;
543  dp = p->sp;
544  }
545  break;
546  default:
547  DEBUG_VALIDATE_BUG_ON(1);
548  return;
549  }
550 
551  strlcpy(addr->src_ip, srcip, JSON_ADDR_LEN);
552  strlcpy(addr->dst_ip, dstip, JSON_ADDR_LEN);
553 
554  switch (p->proto) {
555  case IPPROTO_UDP:
556  case IPPROTO_TCP:
557  case IPPROTO_SCTP:
558  addr->sp = sp;
559  addr->dp = dp;
560  addr->log_port = true;
561  break;
562  default:
563  addr->log_port = false;
564  break;
565  }
566 
567  if (SCProtoNameValid(PacketGetIPProto(p))) {
568  strlcpy(addr->proto, known_proto[PacketGetIPProto(p)], sizeof(addr->proto));
569  } else {
570  snprintf(addr->proto, sizeof(addr->proto), "%" PRIu32, PacketGetIPProto(p));
571  }
572 }
573 
574 #define COMMUNITY_ID_BUF_SIZE 64
575 
576 static bool CalculateCommunityFlowIdv4(const Flow *f,
577  const uint16_t seed, unsigned char *base64buf)
578 {
579  struct {
580  uint16_t seed;
581  uint32_t src;
582  uint32_t dst;
583  uint8_t proto;
584  uint8_t pad0;
585  uint16_t sp;
586  uint16_t dp;
587  } __attribute__((__packed__)) ipv4;
588 
589  uint32_t src = f->src.addr_data32[0];
590  uint32_t dst = f->dst.addr_data32[0];
591  uint16_t sp = f->sp;
592  if (f->proto == IPPROTO_ICMP)
593  sp = f->icmp_s.type;
594  sp = htons(sp);
595  uint16_t dp = f->dp;
596  if (f->proto == IPPROTO_ICMP)
597  dp = f->icmp_d.type;
598  dp = htons(dp);
599 
600  ipv4.seed = htons(seed);
601  if (ntohl(src) < ntohl(dst) || (src == dst && sp < dp)) {
602  ipv4.src = src;
603  ipv4.dst = dst;
604  ipv4.sp = sp;
605  ipv4.dp = dp;
606  } else {
607  ipv4.src = dst;
608  ipv4.dst = src;
609  ipv4.sp = dp;
610  ipv4.dp = sp;
611  }
612  ipv4.proto = f->proto;
613  ipv4.pad0 = 0;
614 
615  uint8_t hash[20];
616  if (SCSha1HashBuffer((const uint8_t *)&ipv4, sizeof(ipv4), hash, sizeof(hash)) == 1) {
617  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
618  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
619  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
620  return true;
621  }
622  }
623  return false;
624 }
625 
626 static bool CalculateCommunityFlowIdv6(const Flow *f,
627  const uint16_t seed, unsigned char *base64buf)
628 {
629  struct {
630  uint16_t seed;
631  uint32_t src[4];
632  uint32_t dst[4];
633  uint8_t proto;
634  uint8_t pad0;
635  uint16_t sp;
636  uint16_t dp;
637  } __attribute__((__packed__)) ipv6;
638 
639  uint16_t sp = f->sp;
640  if (f->proto == IPPROTO_ICMPV6)
641  sp = f->icmp_s.type;
642  sp = htons(sp);
643  uint16_t dp = f->dp;
644  if (f->proto == IPPROTO_ICMPV6)
645  dp = f->icmp_d.type;
646  dp = htons(dp);
647 
648  ipv6.seed = htons(seed);
649  int cmp_r = memcmp(&f->src, &f->dst, sizeof(f->src));
650  if ((cmp_r < 0) || (cmp_r == 0 && sp < dp)) {
651  memcpy(&ipv6.src, &f->src.addr_data32, 16);
652  memcpy(&ipv6.dst, &f->dst.addr_data32, 16);
653  ipv6.sp = sp;
654  ipv6.dp = dp;
655  } else {
656  memcpy(&ipv6.src, &f->dst.addr_data32, 16);
657  memcpy(&ipv6.dst, &f->src.addr_data32, 16);
658  ipv6.sp = dp;
659  ipv6.dp = sp;
660  }
661  ipv6.proto = f->proto;
662  ipv6.pad0 = 0;
663 
664  uint8_t hash[20];
665  if (SCSha1HashBuffer((const uint8_t *)&ipv6, sizeof(ipv6), hash, sizeof(hash)) == 1) {
666  strlcpy((char *)base64buf, "1:", COMMUNITY_ID_BUF_SIZE);
667  unsigned long out_len = COMMUNITY_ID_BUF_SIZE - 2;
668  if (SCBase64Encode(hash, sizeof(hash), base64buf + 2, &out_len) == SC_BASE64_OK) {
669  return true;
670  }
671  }
672  return false;
673 }
674 
675 static void CreateEveCommunityFlowId(JsonBuilder *js, const Flow *f, const uint16_t seed)
676 {
677  unsigned char buf[COMMUNITY_ID_BUF_SIZE];
678  if (f->flags & FLOW_IPV4) {
679  if (CalculateCommunityFlowIdv4(f, seed, buf)) {
680  jb_set_string(js, "community_id", (const char *)buf);
681  }
682  } else if (f->flags & FLOW_IPV6) {
683  if (CalculateCommunityFlowIdv6(f, seed, buf)) {
684  jb_set_string(js, "community_id", (const char *)buf);
685  }
686  }
687 }
688 
689 void CreateEveFlowId(JsonBuilder *js, const Flow *f)
690 {
691  if (f == NULL) {
692  return;
693  }
694  int64_t flow_id = FlowGetId(f);
695  jb_set_uint(js, "flow_id", flow_id);
696  if (f->parent_id) {
697  jb_set_uint(js, "parent_id", f->parent_id);
698  }
699 }
700 
701 void JSONFormatAndAddMACAddr(JsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
702 {
703  char eth_addr[19];
704  (void) snprintf(eth_addr, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
705  val[0], val[1], val[2], val[3], val[4], val[5]);
706  if (is_array) {
707  jb_append_string(js, eth_addr);
708  } else {
709  jb_set_string(js, key, eth_addr);
710  }
711 }
712 
713 /* only required to traverse the MAC address set */
714 typedef struct JSONMACAddrInfo {
715  JsonBuilder *src, *dst;
716 } JSONMACAddrInfo;
717 
718 static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
719 {
720  JSONMACAddrInfo *info = (JSONMACAddrInfo*) data;
721  if (side == MAC_SET_DST) {
722  JSONFormatAndAddMACAddr(info->dst, NULL, val, true);
723  } else {
724  JSONFormatAndAddMACAddr(info->src, NULL, val, true);
725  }
726  return 0;
727 }
728 
729 static int CreateJSONEther(
730  JsonBuilder *js, const Packet *p, const Flow *f, enum OutputJsonLogDirection dir)
731 {
732  if (p != NULL) {
733  /* this is a packet context, so we need to add scalar fields */
734  if (PacketIsEthernet(p)) {
735  const EthernetHdr *ethh = PacketGetEthernet(p);
736  jb_open_object(js, "ether");
737  jb_set_uint(js, "ether_type", ethh->eth_type);
738  const uint8_t *src;
739  const uint8_t *dst;
740  switch (dir) {
741  case LOG_DIR_FLOW_TOSERVER:
742  // fallthrough
743  case LOG_DIR_FLOW:
744  if (PKT_IS_TOCLIENT(p)) {
745  src = ethh->eth_dst;
746  dst = ethh->eth_src;
747  } else {
748  src = ethh->eth_src;
749  dst = ethh->eth_dst;
750  }
751  break;
752  case LOG_DIR_FLOW_TOCLIENT:
753  if (PKT_IS_TOSERVER(p)) {
754  src = ethh->eth_dst;
755  dst = ethh->eth_src;
756  } else {
757  src = ethh->eth_src;
758  dst = ethh->eth_dst;
759  }
760  break;
761  case LOG_DIR_PACKET:
762  default:
763  src = ethh->eth_src;
764  dst = ethh->eth_dst;
765  break;
766  }
767  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
768  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
769  jb_close(js);
770  } else if (f != NULL) {
771  /* When pseudopackets do not have associated ethernet metadata,
772  use the first set of mac addresses stored with their flow.
773  The first set of macs should come from the flow's first packet,
774  providing the most fitting representation of the event's ethernet. */
775  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
776  if (ms != NULL && MacSetSize(ms) > 0) {
777  uint8_t *src = MacSetGetFirst(ms, MAC_SET_SRC);
778  uint8_t *dst = MacSetGetFirst(ms, MAC_SET_DST);
779  if (dst != NULL && src != NULL) {
780  jb_open_object(js, "ether");
781  JSONFormatAndAddMACAddr(js, "src_mac", src, false);
782  JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
783  jb_close(js);
784  }
785  }
786  }
787  } else if (f != NULL) {
788  /* we are creating an ether object in a flow context, so we need to
789  append to arrays */
790  MacSet *ms = FlowGetStorageById(f, MacSetGetFlowStorageID());
791  if (ms != NULL && MacSetSize(ms) > 0) {
792  jb_open_object(js, "ether");
793  JSONMACAddrInfo info;
794  info.dst = jb_new_array();
795  info.src = jb_new_array();
796  int ret = MacSetForEach(ms, MacSetIterateToJSON, &info);
797  if (unlikely(ret != 0)) {
798  /* should not happen, JSONFlowAppendMACAddrs is sane */
799  jb_free(info.dst);
800  jb_free(info.src);
801  jb_close(js);
802  return ret;
803  }
804  jb_close(info.dst);
805  jb_close(info.src);
806  /* case is handling netflow too so may need to revert */
807  if (dir == LOG_DIR_FLOW_TOCLIENT) {
808  jb_set_object(js, "dest_macs", info.src);
809  jb_set_object(js, "src_macs", info.dst);
810  } else {
811  DEBUG_VALIDATE_BUG_ON(dir != LOG_DIR_FLOW_TOSERVER && dir != LOG_DIR_FLOW);
812  jb_set_object(js, "dest_macs", info.dst);
813  jb_set_object(js, "src_macs", info.src);
814  }
815  jb_free(info.dst);
816  jb_free(info.src);
817  jb_close(js);
818  }
819  }
820  return 0;
821 }
822 
823 JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir,
824  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
825 {
826  char timebuf[64];
827  const Flow *f = (const Flow *)p->flow;
828 
829  JsonBuilder *js = jb_new_object();
830  if (unlikely(js == NULL)) {
831  return NULL;
832  }
833 
834  CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
835 
836  jb_set_string(js, "timestamp", timebuf);
837 
838  CreateEveFlowId(js, f);
839 
840  /* sensor id */
841  if (sensor_id >= 0) {
842  jb_set_uint(js, "sensor_id", sensor_id);
843  }
844 
845  /* input interface */
846  if (p->livedev) {
847  jb_set_string(js, "in_iface", p->livedev->dev);
848  }
849 
850  /* pcap_cnt */
851  if (p->pcap_cnt != 0) {
852  jb_set_uint(js, "pcap_cnt", p->pcap_cnt);
853  }
854 
855  if (event_type) {
856  jb_set_string(js, "event_type", event_type);
857  }
858 
859  /* vlan */
860  if (p->vlan_idx > 0) {
861  jb_open_array(js, "vlan");
862  jb_append_uint(js, p->vlan_id[0]);
863  if (p->vlan_idx > 1) {
864  jb_append_uint(js, p->vlan_id[1]);
865  }
866  if (p->vlan_idx > 2) {
867  jb_append_uint(js, p->vlan_id[2]);
868  }
869  jb_close(js);
870  }
871 
872  /* 5-tuple */
873  JsonAddrInfo addr_info = json_addr_info_zero;
874  if (addr == NULL) {
875  JsonAddrInfoInit(p, dir, &addr_info);
876  addr = &addr_info;
877  }
878  if (addr->src_ip[0] != '\0') {
879  jb_set_string(js, "src_ip", addr->src_ip);
880  }
881  if (addr->log_port) {
882  jb_set_uint(js, "src_port", addr->sp);
883  }
884  if (addr->dst_ip[0] != '\0') {
885  jb_set_string(js, "dest_ip", addr->dst_ip);
886  }
887  if (addr->log_port) {
888  jb_set_uint(js, "dest_port", addr->dp);
889  }
890  if (addr->proto[0] != '\0') {
891  jb_set_string(js, "proto", addr->proto);
892  }
893 
894  /* icmp */
895  switch (p->proto) {
896  case IPPROTO_ICMP:
897  if (PacketIsICMPv4(p)) {
898  jb_set_uint(js, "icmp_type", p->icmp_s.type);
899  jb_set_uint(js, "icmp_code", p->icmp_s.code);
900  }
901  break;
902  case IPPROTO_ICMPV6:
903  if (PacketIsICMPv6(p)) {
904  jb_set_uint(js, "icmp_type", PacketGetICMPv6(p)->type);
905  jb_set_uint(js, "icmp_code", PacketGetICMPv6(p)->code);
906  }
907  break;
908  }
909 
910  jb_set_string(js, "pkt_src", PktSrcToString(p->pkt_src));
911 
912  if (eve_ctx != NULL) {
913  EveAddCommonOptions(&eve_ctx->cfg, p, f, js, dir);
914  }
915 
916  return js;
917 }
918 
919 JsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir,
920  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
921 {
922  JsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, eve_ctx);
923  if (unlikely(js == NULL))
924  return NULL;
925 
926  /* tx id for correlation with other events */
927  jb_set_uint(js, "tx_id", tx_id);
928 
929  return js;
930 }
931 
932 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
933 {
934  OutputJSONMemBufferWrapper *wrapper = data;
935  MemBuffer **memb = wrapper->buffer;
936 
937  if (MEMBUFFER_OFFSET(*memb) + size >= MEMBUFFER_SIZE(*memb)) {
938  MemBufferExpand(memb, wrapper->expand_by);
939  }
940 
941  DEBUG_VALIDATE_BUG_ON(size > UINT32_MAX);
942  MemBufferWriteRaw((*memb), (const uint8_t *)str, (uint32_t)size);
943  return 0;
944 }
945 
946 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
947 {
948  if (file_ctx->sensor_name) {
949  json_object_set_new(js, "host",
950  json_string(file_ctx->sensor_name));
951  }
952 
953  if (file_ctx->is_pcap_offline) {
954  json_object_set_new(js, "pcap_filename", json_string(PcapFileGetFilename()));
955  }
956 
957  if (file_ctx->prefix) {
958  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
959  }
960 
961  OutputJSONMemBufferWrapper wrapper = {
962  .buffer = buffer,
963  .expand_by = JSON_OUTPUT_BUFFER_SIZE
964  };
965 
966  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
967  file_ctx->json_flags);
968  if (r != 0)
969  return TM_ECODE_OK;
970 
971  LogFileWrite(file_ctx, *buffer);
972  return 0;
973 }
974 
975 void OutputJsonFlush(OutputJsonThreadCtx *ctx)
976 {
977  LogFileCtx *file_ctx = ctx->file_ctx;
978  LogFileFlush(file_ctx);
979 }
980 
981 void OutputJsonBuilderBuffer(
982  ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
983 {
984  LogFileCtx *file_ctx = ctx->file_ctx;
985  MemBuffer **buffer = &ctx->buffer;
986  if (file_ctx->sensor_name) {
987  jb_set_string(js, "host", file_ctx->sensor_name);
988  }
989 
990  if (file_ctx->is_pcap_offline) {
991  jb_set_string(js, "pcap_filename", PcapFileGetFilename());
992  }
993 
994  SCEveRunCallbacks(tv, p, f, js);
995 
996  jb_close(js);
997 
998  MemBufferReset(*buffer);
999 
1000  if (file_ctx->prefix) {
1001  MemBufferWriteRaw((*buffer), (const uint8_t *)file_ctx->prefix, file_ctx->prefix_len);
1002  }
1003 
1004  size_t jslen = jb_len(js);
1005  DEBUG_VALIDATE_BUG_ON(jb_len(js) > UINT32_MAX);
1006  size_t remaining = MEMBUFFER_SIZE(*buffer) - MEMBUFFER_OFFSET(*buffer);
1007  if (jslen >= remaining) {
1008  size_t expand_by = jslen + 1 - remaining;
1009  if (MemBufferExpand(buffer, (uint32_t)expand_by) < 0) {
1010  if (!ctx->too_large_warning) {
1011  /* Log a warning once, and include enough of the log
1012  * message to hopefully identify the event_type. */
1013  char partial[120];
1014  size_t partial_len = MIN(sizeof(partial), jslen);
1015  memcpy(partial, jb_ptr(js), partial_len - 1);
1016  partial[partial_len - 1] = '\0';
1017  SCLogWarning("Formatted JSON EVE record too large, will be dropped: %s", partial);
1018  ctx->too_large_warning = true;
1019  }
1020  return;
1021  }
1022  }
1023 
1024  MemBufferWriteRaw((*buffer), jb_ptr(js), (uint32_t)jslen);
1025  LogFileWrite(file_ctx, *buffer);
1026 }
1027 
1028 static inline enum LogFileType FileTypeFromConf(const char *typestr)
1029 {
1030  enum LogFileType log_filetype = LOGFILE_TYPE_NOTSET;
1031 
1032  if (typestr == NULL) {
1033  log_filetype = LOGFILE_TYPE_FILE;
1034  } else if (strcmp(typestr, "file") == 0 || strcmp(typestr, "regular") == 0) {
1035  log_filetype = LOGFILE_TYPE_FILE;
1036  } else if (strcmp(typestr, "unix_dgram") == 0) {
1037  log_filetype = LOGFILE_TYPE_UNIX_DGRAM;
1038  } else if (strcmp(typestr, "unix_stream") == 0) {
1039  log_filetype = LOGFILE_TYPE_UNIX_STREAM;
1040  } else if (strcmp(typestr, "redis") == 0) {
1041 #ifdef HAVE_LIBHIREDIS
1042  log_filetype = LOGFILE_TYPE_REDIS;
1043 #else
1044  FatalError("redis JSON output option is not compiled");
1045 #endif
1046  }
1047  SCLogDebug("type %s, file type value %d", typestr, log_filetype);
1048  return log_filetype;
1049 }
1050 
1051 static int LogFileTypePrepare(
1052  OutputJsonCtx *json_ctx, enum LogFileType log_filetype, ConfNode *conf)
1053 {
1054 
1055  if (log_filetype == LOGFILE_TYPE_FILE || log_filetype == LOGFILE_TYPE_UNIX_DGRAM ||
1056  log_filetype == LOGFILE_TYPE_UNIX_STREAM) {
1057  if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
1058  return -1;
1059  }
1060  OutputRegisterFileRotationFlag(&json_ctx->file_ctx->rotation_flag);
1061  }
1062 #ifdef HAVE_LIBHIREDIS
1063  else if (log_filetype == LOGFILE_TYPE_REDIS) {
1064  SCLogRedisInit();
1065  ConfNode *redis_node = ConfNodeLookupChild(conf, "redis");
1066  if (!json_ctx->file_ctx->sensor_name) {
1067  char hostname[1024];
1068  gethostname(hostname, 1023);
1069  json_ctx->file_ctx->sensor_name = SCStrdup(hostname);
1070  }
1071  if (json_ctx->file_ctx->sensor_name == NULL) {
1072  return -1;
1073  }
1074 
1075  if (SCConfLogOpenRedis(redis_node, json_ctx->file_ctx) < 0) {
1076  return -1;
1077  }
1078  }
1079 #endif
1080  else if (log_filetype == LOGFILE_TYPE_FILETYPE) {
1081  if (json_ctx->file_ctx->threaded) {
1082  /* Prepare for threaded log output. */
1083  if (!SCLogOpenThreadedFile(NULL, NULL, json_ctx->file_ctx)) {
1084  return -1;
1085  }
1086  }
1087  if (json_ctx->filetype->Init(conf, json_ctx->file_ctx->threaded,
1088  &json_ctx->file_ctx->filetype.init_data) < 0) {
1089  return -1;
1090  }
1091  if (json_ctx->filetype->ThreadInit) {
1092  if (json_ctx->filetype->ThreadInit(json_ctx->file_ctx->filetype.init_data, 0,
1093  &json_ctx->file_ctx->filetype.thread_data) < 0) {
1094  return -1;
1095  }
1096  }
1097  json_ctx->file_ctx->filetype.filetype = json_ctx->filetype;
1098  }
1099 
1100  return 0;
1101 }
1102 
1103 /**
1104  * \brief Create a new LogFileCtx for "fast" output style.
1105  * \param conf The configuration node for this output.
1106  * \return A LogFileCtx pointer on success, NULL on failure.
1107  */
1108 OutputInitResult OutputJsonInitCtx(ConfNode *conf)
1109 {
1110  OutputInitResult result = { NULL, false };
1111  OutputCtx *output_ctx = NULL;
1112 
1113  OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));
1114  if (unlikely(json_ctx == NULL)) {
1115  SCLogDebug("could not create new OutputJsonCtx");
1116  return result;
1117  }
1118 
1119  /* First lookup a sensor-name value in this outputs configuration
1120  * node (deprecated). If that fails, lookup the global one. */
1121  const char *sensor_name = ConfNodeLookupChildValue(conf, "sensor-name");
1122  if (sensor_name != NULL) {
1123  SCLogWarning("Found deprecated eve-log setting \"sensor-name\". "
1124  "Please set sensor-name globally.");
1125  }
1126  else {
1127  (void)ConfGet("sensor-name", &sensor_name);
1128  }
1129 
1130  json_ctx->file_ctx = LogFileNewCtx();
1131  if (unlikely(json_ctx->file_ctx == NULL)) {
1132  SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
1133  goto error_exit;
1134  }
1135 
1136  if (sensor_name) {
1137  json_ctx->file_ctx->sensor_name = SCStrdup(sensor_name);
1138  if (json_ctx->file_ctx->sensor_name == NULL) {
1139  goto error_exit;
1140  }
1141  } else {
1142  json_ctx->file_ctx->sensor_name = NULL;
1143  }
1144 
1145  output_ctx = SCCalloc(1, sizeof(OutputCtx));
1146  if (unlikely(output_ctx == NULL)) {
1147  goto error_exit;
1148  }
1149 
1150  output_ctx->data = json_ctx;
1151  output_ctx->DeInit = OutputJsonDeInitCtx;
1152 
1153  if (conf) {
1154  const char *output_s = ConfNodeLookupChildValue(conf, "filetype");
1155  // Backwards compatibility
1156  if (output_s == NULL) {
1157  output_s = ConfNodeLookupChildValue(conf, "type");
1158  }
1159 
1160  enum LogFileType log_filetype = FileTypeFromConf(output_s);
1161  if (log_filetype == LOGFILE_TYPE_NOTSET) {
1162  SCEveFileType *filetype = SCEveFindFileType(output_s);
1163  if (filetype != NULL) {
1164  log_filetype = LOGFILE_TYPE_FILETYPE;
1165  json_ctx->filetype = filetype;
1166  } else
1167  FatalError("Invalid JSON output option: %s", output_s);
1168  }
1169 
1170  const char *prefix = ConfNodeLookupChildValue(conf, "prefix");
1171  if (prefix != NULL)
1172  {
1173  SCLogInfo("Using prefix '%s' for JSON messages", prefix);
1174  json_ctx->file_ctx->prefix = SCStrdup(prefix);
1175  if (json_ctx->file_ctx->prefix == NULL)
1176  {
1177  FatalError("Failed to allocate memory for eve-log.prefix setting.");
1178  }
1179  json_ctx->file_ctx->prefix_len = (uint32_t)strlen(prefix);
1180  }
1181 
1182  /* Threaded file output */
1183  const ConfNode *threaded = ConfNodeLookupChild(conf, "threaded");
1184  if (threaded && threaded->val && ConfValIsTrue(threaded->val)) {
1185  SCLogConfig("Threaded EVE logging configured");
1186  json_ctx->file_ctx->threaded = true;
1187  } else {
1188  json_ctx->file_ctx->threaded = false;
1189  }
1190  if (LogFileTypePrepare(json_ctx, log_filetype, conf) < 0) {
1191  goto error_exit;
1192  }
1193 
1194  const char *sensor_id_s = ConfNodeLookupChildValue(conf, "sensor-id");
1195  if (sensor_id_s != NULL) {
1196  if (StringParseUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) < 0) {
1197  FatalError("Failed to initialize JSON output, "
1198  "invalid sensor-id: %s",
1199  sensor_id_s);
1200  }
1201  }
1202 
1203  /* Check if top-level metadata should be logged. */
1204  const ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
1205  if (metadata && metadata->val && ConfValIsFalse(metadata->val)) {
1206  SCLogConfig("Disabling eve metadata logging.");
1207  json_ctx->cfg.include_metadata = false;
1208  } else {
1209  json_ctx->cfg.include_metadata = true;
1210  }
1211 
1212  /* Check if ethernet information should be logged. */
1213  const ConfNode *ethernet = ConfNodeLookupChild(conf, "ethernet");
1214  if (ethernet && ethernet->val && ConfValIsTrue(ethernet->val)) {
1215  SCLogConfig("Enabling Ethernet MAC address logging.");
1216  json_ctx->cfg.include_ethernet = true;
1217  } else {
1218  json_ctx->cfg.include_ethernet = false;
1219  }
1220 
1221  /* See if we want to enable the community id */
1222  const ConfNode *community_id = ConfNodeLookupChild(conf, "community-id");
1223  if (community_id && community_id->val && ConfValIsTrue(community_id->val)) {
1224  SCLogConfig("Enabling eve community_id logging.");
1225  json_ctx->cfg.include_community_id = true;
1226  } else {
1227  json_ctx->cfg.include_community_id = false;
1228  }
1229  const char *cid_seed = ConfNodeLookupChildValue(conf, "community-id-seed");
1230  if (cid_seed != NULL) {
1231  if (StringParseUint16(&json_ctx->cfg.community_id_seed,
1232  10, 0, cid_seed) < 0)
1233  {
1234  FatalError("Failed to initialize JSON output, "
1235  "invalid community-id-seed: %s",
1236  cid_seed);
1237  }
1238  }
1239 
1240  /* Do we have a global eve xff configuration? */
1241  const ConfNode *xff = ConfNodeLookupChild(conf, "xff");
1242  if (xff != NULL) {
1243  json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
1244  if (likely(json_ctx->xff_cfg != NULL)) {
1245  HttpXFFGetCfg(conf, json_ctx->xff_cfg);
1246  }
1247  }
1248 
1249  const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
1250  if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
1251  json_ctx->file_ctx->is_pcap_offline =
1252  (SCRunmodeGet() == RUNMODE_PCAP_FILE || SCRunmodeGet() == RUNMODE_UNIX_SOCKET);
1253  }
1254  json_ctx->file_ctx->type = log_filetype;
1255  }
1256 
1257  SCLogDebug("returning output_ctx %p", output_ctx);
1258 
1259  result.ctx = output_ctx;
1260  result.ok = true;
1261  return result;
1262 
1263 error_exit:
1264  if (json_ctx->file_ctx) {
1265  if (json_ctx->file_ctx->prefix) {
1266  SCFree(json_ctx->file_ctx->prefix);
1267  }
1268  LogFileFreeCtx(json_ctx->file_ctx);
1269  }
1270  SCFree(json_ctx);
1271 
1272  if (output_ctx) {
1273  SCFree(output_ctx);
1274  }
1275  return result;
1276 }
1277 
1278 static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
1279 {
1280  OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data;
1281  LogFileCtx *logfile_ctx = json_ctx->file_ctx;
1282  if (logfile_ctx->dropped) {
1283  SCLogWarning("%" PRIu64 " events were dropped due to slow or "
1284  "disconnected socket",
1285  logfile_ctx->dropped);
1286  }
1287  if (json_ctx->xff_cfg != NULL) {
1288  SCFree(json_ctx->xff_cfg);
1289  }
1290  LogFileFreeCtx(logfile_ctx);
1291  SCFree(json_ctx);
1292  SCFree(output_ctx);
1293 }
PKT_IS_TOCLIENT
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:235
LogFileCtx_::rotation_flag
int rotation_flag
Definition: util-logopenfile.h:153
util-byte.h
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(JsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:701
MacSetSide
MacSetSide
Definition: util-macset.h:28
Packet_::proto
uint8_t proto
Definition: decode.h:498
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:975
pad0
uint8_t pad0
Definition: decode-template.h:1
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
LOGFILE_TYPE_REDIS
@ LOGFILE_TYPE_REDIS
Definition: util-logopenfile.h:42
SCRunmodeGet
int SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:264
LogFileCtx_::sensor_name
char * sensor_name
Definition: util-logopenfile.h:115
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:41
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:422
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
CreateIsoTimeString
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:209
ConfNode_::val
char * val
Definition: conf.h:34
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:84
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FILE_SHA256
#define FILE_SHA256
Definition: util-file.h:52
Packet_::icmp_s
struct Packet_::@27::@34 icmp_s
LogFileNewCtx
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
Definition: util-logopenfile.c:697
MemBufferExpand
int MemBufferExpand(MemBuffer **buffer, uint32_t expand_by)
expand membuffer by size of 'expand_by'
Definition: util-buffer.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:595
Flow_::proto
uint8_t proto
Definition: flow.h:376
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:40
LogFileFlush
void LogFileFlush(LogFileCtx *file_ctx)
Definition: util-logopenfile.c:976
FLOWVAR_TYPE_STR
#define FLOWVAR_TYPE_STR
Definition: flow-var.h:33
JSON_OUTPUT_BUFFER_SIZE
#define JSON_OUTPUT_BUFFER_SIZE
Definition: output-json.h:63
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
util-macset.h
OutputJsonCtx_
Definition: output-json.h:81
LogFileCtx_::json_flags
size_t json_flags
Definition: util-logopenfile.h:150
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:504
Flow_
Flow data structure.
Definition: flow.h:354
File_::state
FileState state
Definition: util-file.h:82
OutputJsonCommonSettings_
Definition: output-json.h:71
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
util-syslog.h
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:981
PktVar_::next
struct PktVar_ * next
Definition: decode.h:292
FILE_STORE
#define FILE_STORE
Definition: util-file.h:55
File_::file_store_id
uint32_t file_store_id
Definition: util-file.h:85
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:58
FlowVar_::keylen
FlowVarKeyLenType keylen
Definition: flow-var.h:52
LOGFILE_TYPE_NOTSET
@ LOGFILE_TYPE_NOTSET
Definition: util-logopenfile.h:45
SCProtoNameValid
bool SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
Definition: util-proto-name.c:453
output-eve-null.h
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
flow-bit.h
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:400
util-log-redis.h
COMMUNITY_ID_BUF_SIZE
#define COMMUNITY_ID_BUF_SIZE
Definition: output-json.c:574
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:73
EveFileInfo
void EveFileInfo(JsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:67
known_proto
const char * known_proto[256]
Definition: util-proto-name.c:40
FILE_STATE_TRUNCATED
@ FILE_STATE_TRUNCATED
Definition: util-file.h:73
proto
uint8_t proto
Definition: decode-template.h:0
Flow_::dp
Port dp
Definition: flow.h:370
FLOWVAR_TYPE_INT
#define FLOWVAR_TYPE_INT
Definition: flow-var.h:34
JSONMACAddrInfo
struct JSONMACAddrInfo JSONMACAddrInfo
File_::sha1
uint8_t sha1[SC_SHA1_LEN]
Definition: util-file.h:96
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:98
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:200
util-unittest.h
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:536
util-unittest-helper.h
OutputCtx_::data
void * data
Definition: tm-modules.h:87
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PrintStringsToBuffer
void PrintStringsToBuffer(uint8_t *dst_buf, uint32_t *dst_buf_offset_ptr, uint32_t dst_buf_size, const uint8_t *src_buf, const uint32_t src_buf_len)
Definition: util-print.c:195
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
OutputCtx_
Definition: tm-modules.h:84
SCConfLogOpenGeneric
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
Definition: util-logopenfile.c:467
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
OutputJsonThreadCtx_
Definition: output-json.h:89
Packet_::datalink
int datalink
Definition: decode.h:608
File_::name_len
uint16_t name_len
Definition: util-file.h:81
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:59
__attribute__
enum @16 __attribute__
DNP3 application header.
OutputRegisterFileRotationFlag
void OutputRegisterFileRotationFlag(int *flag)
Register a flag for file rotation notification.
Definition: output.c:666
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:375
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:335
LogFileCtx_::filetype
LogFileTypeCtx filetype
Definition: util-logopenfile.h:91
Flow_::dst
FlowAddress dst
Definition: flow.h:357
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:51
File_::md5
uint8_t md5[SC_MD5_LEN]
Definition: util-file.h:94
LogFileWrite
int LogFileWrite(LogFileCtx *file_ctx, MemBuffer *buffer)
Definition: util-logopenfile.c:982
util-device.h
util-debug.h
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition: rust.h:26
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:566
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:53
GET_IPV4_DST_ADDR_PTR
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:195
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:234
DEFAULT_LOG_FILENAME
#define DEFAULT_LOG_FILENAME
Definition: output-json.c:66
File_::end
uint64_t end
Definition: util-file.h:106
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:64
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
LogFileCtx_::prefix_len
uint32_t prefix_len
Definition: util-logopenfile.h:132
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:62
Packet_::ts
SCTime_t ts
Definition: decode.h:524
output-json.h
FlowVar_::idx
uint32_t idx
Definition: flow-var.h:53
JSONMACAddrInfo
Definition: output-json.c:714
PktVar_::value
uint8_t * value
Definition: decode.h:298
OutputRegisterModule
void OutputRegisterModule(const char *, const char *, OutputInitFunc)
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:823
util-print.h
FlowVar_::key
uint8_t * key
Definition: flow-var.h:61
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:205
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:231
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js, enum OutputJsonLogDirection dir)
Definition: output-json.c:398
Packet_::sp
Port sp
Definition: decode.h:483
FileTrackedSize
uint64_t FileTrackedSize(const File *file)
get the size of the file
Definition: util-file.c:343
EveTcpFlags
void EveTcpFlags(const uint8_t flags, JsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:439
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:825
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
JB_SET_TRUE
#define JB_SET_TRUE(jb, key)
Definition: rust.h:27
OutputInitResult_::ok
bool ok
Definition: output.h:48
LiveDevice_::dev
char * dev
Definition: util-device.h:51
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
PktVar_::key
uint8_t * key
Definition: decode.h:297
SyslogInitialize
void SyslogInitialize(void)
Definition: output-eve-syslog.c:99
LogFileCtx_::type
enum LogFileType type
Definition: util-logopenfile.h:103
LOGFILE_TYPE_FILE
@ LOGFILE_TYPE_FILE
Definition: util-logopenfile.h:39
MAC_SET_DST
@ MAC_SET_DST
Definition: util-macset.h:30
CreateEveHeaderWithTxId
JsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:919
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:54
JsonAddrInfo_
Definition: output-json.h:47
source-pcap-file-helper.h
NullLogInitialize
void NullLogInitialize(void)
Definition: output-eve-null.c:66
Packet_
Definition: decode.h:476
OutputJSONMemBufferWrapper_
Definition: output-json.h:66
type
uint16_t type
Definition: decode-vlan.c:106
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:204
MacSet_
Definition: util-macset.c:45
conf.h
SCEveRunCallbacks
void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *jb)
Definition: output-eve.c:53
Port
uint16_t Port
Definition: decode.h:214
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:587
File_::name
uint8_t * name
Definition: util-file.h:88
TH_ECN
#define TH_ECN
Definition: decode-tcp.h:41
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOGFILE_TYPE_UNIX_DGRAM
@ LOGFILE_TYPE_UNIX_DGRAM
Definition: util-logopenfile.h:40
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:114
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-json.h:39
LogFileTypeCtx_::thread_data
void * thread_data
Definition: util-logopenfile.h:68
SCLogOpenThreadedFile
bool SCLogOpenThreadedFile(const char *log_path, const char *append, LogFileCtx *parent_ctx)
Definition: util-logopenfile.c:361
util-proto-name.h
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:74
File_::sid
uint32_t * sid
Definition: util-file.h:108
LOGFILE_TYPE_UNIX_STREAM
@ LOGFILE_TYPE_UNIX_STREAM
Definition: util-logopenfile.h:41
MemBuffer_
Definition: util-buffer.h:27
File_::sid_cnt
uint32_t sid_cnt
Definition: util-file.h:109
TH_URG
#define TH_URG
Definition: decode-tcp.h:39
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:45
Flow_::src
FlowAddress src
Definition: flow.h:357
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:487
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:72
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:52
ConfNodeLookupChild
ConfNode * ConfNodeLookupChild(const ConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:781
MAC_SET_SRC
@ MAC_SET_SRC
Definition: util-macset.h:29
File_::flags
uint16_t flags
Definition: util-file.h:80
FlowVar_::data
union FlowVar_::@107 data
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(ConfNode *conf)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1108
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
TH_PUSH
#define TH_PUSH
Definition: decode-tcp.h:37
flow-storage.h
OutputInitResult_
Definition: output.h:46
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:39
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
StringParseUint64
int StringParseUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:308
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:37
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
GET_IPV4_SRC_ADDR_PTR
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:194
PrintBufferData
#define PrintBufferData(buf, buf_offset_ptr, buf_size,...)
Definition: util-print.h:27
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
flags
uint8_t flags
Definition: decode-gre.h:0
JSONMACAddrInfo::src
JsonBuilder * src
Definition: output-json.c:715
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:68
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:50
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:100
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:90
LogFileTypeCtx_::init_data
void * init_data
Definition: util-logopenfile.h:67
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time.
Definition: util-var-name.c:298
MacSetSize
int MacSetSize(const MacSet *ms)
Definition: util-macset.c:246
GenericVar_
Definition: util-var.h:49
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:43
FILE_STORED
#define FILE_STORED
Definition: util-file.h:56
FILE_MD5
#define FILE_MD5
Definition: util-file.h:48
LogFileFreeCtx
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
Definition: util-logopenfile.c:911
output-eve-syslog.h
util-classification-config.h
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:502
Flow_::parent_id
int64_t parent_id
Definition: flow.h:428
OutputJsonLogDirection
OutputJsonLogDirection
Definition: output-json.h:36
FlowBit_::idx
uint32_t idx
Definition: flow-bit.h:33
Flow_::icmp_d
struct Flow_::@114::@120 icmp_d
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:61
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
File_::sha256
uint8_t sha256[SC_SHA256_LEN]
Definition: util-file.h:98
File_::start
uint64_t start
Definition: util-file.h:105
JB_SET_FALSE
#define JB_SET_FALSE(jb, key)
Definition: rust.h:28
Flow_::icmp_s
struct Flow_::@112::@118 icmp_s
util-optimize.h
util-validate.h
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:38
CreateEveFlowId
void CreateEveFlowId(JsonBuilder *js, const Flow *f)
Definition: output-json.c:689
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:48
FlowBit_
Definition: flow-bit.h:30
str
#define str(s)
Definition: suricata-common.h:300
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-json.h:40
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:199
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:580
ConfNode_
Definition: conf.h:32
util-logopenfile.h
MacSetGetFirst
uint8_t * MacSetGetFirst(const MacSet *ms, MacSetSide side)
Definition: util-macset.c:233
MEMBUFFER_SIZE
#define MEMBUFFER_SIZE(mem_buffer)
Get the MemBuffers current size.
Definition: util-buffer.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:419
src
uint16_t src
Definition: app-layer-dnp3.h:5
util-buffer.h
TH_CWR
#define TH_CWR
Definition: decode-tcp.h:43
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:561
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:38
MacSetForEach
int MacSetForEach(const MacSet *ms, MacSetIteratorFunc IterFunc, void *data)
Definition: util-macset.c:220
LogFileCtx_::prefix
char * prefix
Definition: util-logopenfile.h:131
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:49
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
LogFileCtx_::is_pcap_offline
bool is_pcap_offline
Definition: util-logopenfile.h:156
PcapFileGetFilename
const char * PcapFileGetFilename(void)
Definition: source-pcap-file-helper.c:118
GenericVar_::type
uint16_t type
Definition: util-var.h:50
PktVar_::value_len
uint16_t value_len
Definition: decode.h:296
MAX_JSON_SIZE
#define MAX_JSON_SIZE
Definition: output-json.c:69
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:932
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:946
FILE_SHA1
#define FILE_SHA1
Definition: util-file.h:50
LogFileType
LogFileType
Definition: util-logopenfile.h:38
MemBufferWriteRaw
uint32_t MemBufferWriteRaw(MemBuffer *dst, const uint8_t *raw, const uint32_t raw_len)
Write a raw buffer to the MemBuffer dst.
Definition: util-buffer.c:115
SCEveFindFileType
SCEveFileType * SCEveFindFileType(const char *name)
Definition: output-eve.c:82
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:459
PktVar_
Definition: decode.h:290
HttpXFFGetCfg
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result)
Function to return XFF configuration from a configuration node.
Definition: app-layer-htp-xff.c:202
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:503
SCEveFileType_::Init
int(* Init)(const ConfNode *conf, const bool threaded, void **init_data)
Function to initialize this filetype.
Definition: output-eve.h:104
likely
#define likely(expr)
Definition: util-optimize.h:32
IPPROTO_SCTP
#define IPPROTO_SCTP
Definition: decode.h:1192
SCEveFileType_::ThreadInit
int(* ThreadInit)(const void *init_data, const ThreadId thread_id, void **thread_data)
Initialize thread specific data.
Definition: output-eve.h:125
Flow_::sp
Port sp
Definition: flow.h:359
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
LogFileTypeCtx_::filetype
SCEveFileType * filetype
Definition: util-logopenfile.h:66
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:75
flow.h
MEMBUFFER_OFFSET
#define MEMBUFFER_OFFSET(mem_buffer)
Get the MemBuffers current offset.
Definition: util-buffer.h:56
Packet_::dp
Port dp
Definition: decode.h:491
PktVar_::key_len
uint16_t key_len
Definition: decode.h:295
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
JSONMACAddrInfo::dst
JsonBuilder * dst
Definition: output-json.c:715
flow-var.h
FILE_STATE_ERROR
@ FILE_STATE_ERROR
Definition: util-file.h:75
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
FlowVar_
Definition: flow-var.h:49
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Flow_::tenant_id
uint32_t tenant_id
Definition: flow.h:414
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
LOGFILE_TYPE_FILETYPE
@ LOGFILE_TYPE_FILETYPE
Definition: util-logopenfile.h:44
FlowVar_::datatype
uint8_t datatype
Definition: flow-var.h:51
FILE_HAS_GAPS
#define FILE_HAS_GAPS
Definition: util-file.h:59
output.h
PktVar_::id
uint32_t id
Definition: decode.h:291
LogFileCtx_::threaded
bool threaded
Definition: util-logopenfile.h:98
MODULE_NAME
#define MODULE_NAME
Definition: output-json.c:67
SCEveFileType_
Structure used to define an EVE output file type plugin.
Definition: output-eve.h:74
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:86
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:809