suricata
output-json.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  */
23 
24 #ifndef __OUTPUT_JSON_H__
25 #define __OUTPUT_JSON_H__
26 
27 #include "suricata-common.h"
28 #include "util-buffer.h"
29 #include "util-logopenfile.h"
30 #include "output.h"
31 #include "rust.h"
32 
33 #include "app-layer-htp-xff.h"
34 #include "suricata-plugin.h"
35 
36 void OutputJsonRegister(void);
37 
38 enum OutputJsonLogDirection {
39  LOG_DIR_PACKET = 0,
40  LOG_DIR_FLOW,
41  LOG_DIR_FLOW_TOCLIENT,
42  LOG_DIR_FLOW_TOSERVER,
43 };
44 
45 #define JSON_ADDR_LEN 46
46 #define JSON_PROTO_LEN 16
47 
48 /* A struct to contain address info for rendering to JSON. */
49 typedef struct JsonAddrInfo_ {
50  char src_ip[JSON_ADDR_LEN];
51  char dst_ip[JSON_ADDR_LEN];
52  Port sp;
53  Port dp;
54  char proto[JSON_PROTO_LEN];
55 } JsonAddrInfo;
56 
57 extern const JsonAddrInfo json_addr_info_zero;
58 
59 void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir,
60  JsonAddrInfo *addr);
61 
62 /* Suggested output buffer size */
63 #define JSON_OUTPUT_BUFFER_SIZE 65535
64 
65 /* helper struct for OutputJSONMemBufferCallback */
66 typedef struct OutputJSONMemBufferWrapper_ {
67  MemBuffer **buffer; /**< buffer to use & expand as needed */
68  size_t expand_by; /**< expand by this size */
69 } OutputJSONMemBufferWrapper;
70 
71 typedef struct OutputJsonCommonSettings_ {
72  bool include_metadata;
73  bool include_community_id;
74  bool include_ethernet;
75  uint16_t community_id_seed;
76 } OutputJsonCommonSettings;
77 
78 /*
79  * Global configuration context data
80  */
81 typedef struct OutputJsonCtx_ {
82  LogFileCtx *file_ctx;
83  enum LogFileType json_out;
84  OutputJsonCommonSettings cfg;
85  HttpXFFCfg *xff_cfg;
86  SCEveFileType *plugin;
87 } OutputJsonCtx;
88 
89 typedef struct OutputJsonThreadCtx_ {
90  OutputJsonCtx *ctx;
91  LogFileCtx *file_ctx;
92  MemBuffer *buffer;
93 } OutputJsonThreadCtx;
94 
95 json_t *SCJsonString(const char *val);
96 
97 void CreateEveFlowId(JsonBuilder *js, const Flow *f);
98 void EveFileInfo(JsonBuilder *js, const File *file, const uint64_t tx_id, const bool stored);
99 void EveTcpFlags(uint8_t flags, JsonBuilder *js);
100 void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length);
101 JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir,
102  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx);
103 JsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir,
104  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx);
105 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);
106 int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx);
107 OutputInitResult OutputJsonInitCtx(ConfNode *);
108 
109 OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx);
110 TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data);
111 TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data);
112 
113 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg,
114  const Packet *p, const Flow *f, JsonBuilder *js);
115 void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js);
116 
117 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
118 
119 OutputJsonThreadCtx *CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx);
120 void FreeEveThreadCtx(OutputJsonThreadCtx *ctx);
121 
122 #endif /* __OUTPUT_JSON_H__ */
suricata-plugin.h
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:412
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
OutputJsonCommonSettings
struct OutputJsonCommonSettings_ OutputJsonCommonSettings
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition: output-json.h:90
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:103
CreateEveHeaderWithTxId
JsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:879
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:84
OutputJsonCtx
struct OutputJsonCtx_ OutputJsonCtx
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
Definition: output-json-common.c:73
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:436
OutputJsonCtx_
Definition: output-json.h:81
Flow_
Flow data structure.
Definition: flow.h:343
OutputJsonCommonSettings_
Definition: output-json.h:71
LogFileCtx_
Definition: util-logopenfile.h:72
OutputJsonCtx_::json_out
enum LogFileType json_out
Definition: output-json.h:83
rust.h
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:73
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:67
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:89
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition: output-json-common.c:123
OutputCtx_
Definition: tm-modules.h:84
OutputJsonThreadCtx
struct OutputJsonThreadCtx_ OutputJsonThreadCtx
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:89
CreateEveFlowId
void CreateEveFlowId(JsonBuilder *js, const Flow *f)
Definition: output-json.c:714
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:53
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:796
JsonAddrInfo_
Definition: output-json.h:49
Packet_
Definition: decode.h:429
OutputJSONMemBufferWrapper_
Definition: output-json.h:66
Port
uint16_t Port
Definition: decode.h:230
TmEcode
TmEcode
Definition: tm-threads-common.h:83
EveFileInfo
void EveFileInfo(JsonBuilder *js, const File *file, const uint64_t tx_id, const bool stored)
Definition: output-json.c:131
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:91
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-json.h:41
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:389
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:74
MemBuffer_
Definition: util-buffer.h:27
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:934
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:72
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:54
File_
Definition: util-file.h:79
OutputInitResult_
Definition: output.h:46
OutputJsonThreadCtx_::buffer
MemBuffer * buffer
Definition: output-json.h:92
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:52
OutputJSONMemBufferWrapper_::expand_by
size_t expand_by
Definition: output-json.h:68
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:45
OutputJsonLogDirection
OutputJsonLogDirection
Definition: output-json.h:38
EveTcpFlags
void EveTcpFlags(uint8_t flags, JsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:453
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:91
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:40
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:50
str
#define str(s)
Definition: suricata-common.h:286
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-json.h:42
ConfNode_
Definition: conf.h:32
util-logopenfile.h
JsonAddrInfo
struct JsonAddrInfo_ JsonAddrInfo
util-buffer.h
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:51
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
OutputJsonCtx_::plugin
SCEveFileType * plugin
Definition: output-json.h:86
LogFileType
LogFileType
Definition: util-logopenfile.h:38
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:905
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:75
OutputJSONMemBufferWrapper
struct OutputJSONMemBufferWrapper_ OutputJSONMemBufferWrapper
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:473
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(ConfNode *)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1040
JSON_PROTO_LEN
#define JSON_PROTO_LEN
Definition: output-json.h:46
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:892
output.h
SCEveFileType_
Definition: suricata-plugin.h:47
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition: output-json-common.c:90
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29