suricata
output-json.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  */
23 
24 #ifndef __OUTPUT_JSON_H__
25 #define __OUTPUT_JSON_H__
26 
27 #include "suricata-common.h"
28 #include "util-buffer.h"
29 #include "util-logopenfile.h"
30 #include "output.h"
31 #include "rust.h"
32 
33 #include "app-layer-htp-xff.h"
34 #include "suricata-plugin.h"
35 
36 void OutputJsonRegister(void);
37 
38 enum OutputJsonLogDirection {
39  LOG_DIR_PACKET = 0,
40  LOG_DIR_FLOW,
41  LOG_DIR_FLOW_TOCLIENT,
42  LOG_DIR_FLOW_TOSERVER,
43 };
44 
45 #define JSON_ADDR_LEN 46
46 #define JSON_PROTO_LEN 16
47 
48 /* A struct to contain address info for rendering to JSON. */
49 typedef struct JsonAddrInfo_ {
50  char src_ip[JSON_ADDR_LEN];
51  char dst_ip[JSON_ADDR_LEN];
52  Port sp;
53  Port dp;
54  char proto[JSON_PROTO_LEN];
55 } JsonAddrInfo;
56 
57 extern const JsonAddrInfo json_addr_info_zero;
58 
59 void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir,
60  JsonAddrInfo *addr);
61 
62 /* Suggested output buffer size */
63 #define JSON_OUTPUT_BUFFER_SIZE 65535
64 
65 /* helper struct for OutputJSONMemBufferCallback */
66 typedef struct OutputJSONMemBufferWrapper_ {
67  MemBuffer **buffer; /**< buffer to use & expand as needed */
68  size_t expand_by; /**< expand by this size */
69 } OutputJSONMemBufferWrapper;
70 
71 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
72 
73 void CreateEveFlowId(JsonBuilder *js, const Flow *f);
74 void EveFileInfo(JsonBuilder *js, const File *file, const bool stored);
75 void EveTcpFlags(uint8_t flags, JsonBuilder *js);
76 void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length);
77 JsonBuilder *CreateEveHeader(const Packet *p,
78  enum OutputJsonLogDirection dir, const char *event_type,
79  JsonAddrInfo *addr);
80 JsonBuilder *CreateEveHeaderWithTxId(const Packet *p,
81  enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr,
82  uint64_t tx_id);
83 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);
84 int OutputJsonBuilderBuffer(JsonBuilder *js, LogFileCtx *file_ctx, MemBuffer **buffer);
85 OutputInitResult OutputJsonInitCtx(ConfNode *);
86 
87 OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx);
88 TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data);
89 TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data);
90 
91 typedef struct OutputJsonCommonSettings_ {
92  bool include_metadata;
93  bool include_community_id;
94  bool include_ethernet;
95  uint16_t community_id_seed;
96 } OutputJsonCommonSettings;
97 
98 /*
99  * Global configuration context data
100  */
101 typedef struct OutputJsonCtx_ {
102  LogFileCtx *file_ctx;
103  enum LogFileType json_out;
104  OutputJsonCommonSettings cfg;
105  HttpXFFCfg *xff_cfg;
106  SCPluginFileType *plugin;
107 } OutputJsonCtx;
108 
109 typedef struct OutputJsonThreadCtx_ {
110  OutputJsonCtx *ctx;
111  LogFileCtx *file_ctx;
112  MemBuffer *buffer;
113 } OutputJsonThreadCtx;
114 
115 json_t *SCJsonBool(int val);
116 json_t *SCJsonString(const char *val);
117 void SCJsonDecref(json_t *js);
118 
119 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg,
120  const Packet *p, const Flow *f, JsonBuilder *js);
121 
122 #endif /* __OUTPUT_JSON_H__ */
suricata-plugin.h
CreateEveHeaderWithTxId
JsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id)
Definition: output-json.c:923
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:444
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:105
OutputJsonCommonSettings
struct OutputJsonCommonSettings_ OutputJsonCommonSettings
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition: output-json.h:110
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:113
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:978
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:104
OutputJsonCtx
struct OutputJsonCtx_ OutputJsonCtx
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
Definition: output-json-common.c:50
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:467
OutputJsonCtx_
Definition: output-json.h:101
Flow_
Flow data structure.
Definition: flow.h:347
OutputJsonCommonSettings_
Definition: output-json.h:91
LogFileCtx_
Definition: util-logopenfile.h:60
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr)
Definition: output-json.c:846
OutputJsonCtx_::plugin
SCPluginFileType * plugin
Definition: output-json.h:106
OutputJsonCtx_::json_out
enum LogFileType json_out
Definition: output-json.h:103
rust.h
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:93
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:67
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition: output-json-common.c:109
OutputCtx_
Definition: tm-modules.h:78
OutputJsonThreadCtx
struct OutputJsonThreadCtx_ OutputJsonThreadCtx
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:109
CreateEveFlowId
void CreateEveFlowId(JsonBuilder *js, const Flow *f)
Definition: output-json.c:760
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:53
SCJsonDecref
void SCJsonDecref(json_t *js)
Definition: output-json.c:108
EveFileInfo
void EveFileInfo(JsonBuilder *js, const File *file, const bool stored)
Definition: output-json.c:141
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
JsonAddrInfo_
Definition: output-json.h:49
Packet_
Definition: decode.h:412
OutputJSONMemBufferWrapper_
Definition: output-json.h:66
Port
uint16_t Port
Definition: decode.h:239
TmEcode
TmEcode
Definition: tm-threads-common.h:79
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:111
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-json.h:41
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:94
MemBuffer_
Definition: util-buffer.h:27
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:92
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:54
SCJsonBool
json_t * SCJsonBool(int val)
Definition: output-json.c:99
File_
Definition: util-file.h:63
OutputInitResult_
Definition: output.h:43
OutputJsonThreadCtx_::buffer
MemBuffer * buffer
Definition: output-json.h:112
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:52
OutputJSONMemBufferWrapper_::expand_by
size_t expand_by
Definition: output-json.h:68
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:45
OutputJsonLogDirection
OutputJsonLogDirection
Definition: output-json.h:38
EveTcpFlags
void EveTcpFlags(uint8_t flags, JsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:488
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:91
SCPluginFileType_
Definition: suricata-plugin.h:49
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:40
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:50
str
#define str(s)
Definition: suricata-common.h:273
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-json.h:42
ConfNode_
Definition: conf.h:32
util-logopenfile.h
JsonAddrInfo
struct JsonAddrInfo_ JsonAddrInfo
util-buffer.h
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:51
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:102
LogFileType
LogFileType
Definition: util-logopenfile.h:40
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:949
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:95
OutputJSONMemBufferWrapper
struct OutputJSONMemBufferWrapper_ OutputJSONMemBufferWrapper
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:508
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(ConfNode *)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1010
JSON_PROTO_LEN
#define JSON_PROTO_LEN
Definition: output-json.h:46
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:936
output.h
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition: output-json-common.c:75