suricata
output-json.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  */
23 
24 #ifndef SURICATA_OUTPUT_JSON_H
25 #define SURICATA_OUTPUT_JSON_H
26 
27 #include "suricata-common.h"
28 #include "util-buffer.h"
29 #include "util-logopenfile.h"
30 #include "output.h"
31 #include "output-eve-bindgen.h"
32 
33 #include "app-layer-htp-xff.h"
34 
35 void OutputJsonRegister(void);
36 
37 #define JSON_ADDR_LEN 46
38 #define JSON_PROTO_LEN 16
39 
40 /* A struct to contain address info for rendering to JSON. */
41 typedef struct JsonAddrInfo_ {
42  char src_ip[JSON_ADDR_LEN];
43  char dst_ip[JSON_ADDR_LEN];
44  Port sp;
45  Port dp;
46  char proto[JSON_PROTO_LEN];
47  // Ports are logged only when provided by the transport protocol.
48  bool log_port;
49 } JsonAddrInfo;
50 
51 extern const JsonAddrInfo json_addr_info_zero;
52 
53 void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr);
54 
55 /* Suggested output buffer size */
56 #define JSON_OUTPUT_BUFFER_SIZE 65535
57 
58 /* helper struct for OutputJSONMemBufferCallback */
59 typedef struct OutputJSONMemBufferWrapper_ {
60  MemBuffer **buffer; /**< buffer to use & expand as needed */
61  uint32_t expand_by; /**< expand by this size */
62 } OutputJSONMemBufferWrapper;
63 
64 typedef struct OutputJsonCommonSettings_ {
65  bool include_metadata;
66  bool include_community_id;
67  bool include_ethernet;
68  bool include_suricata_version;
69  uint16_t community_id_seed;
70 } OutputJsonCommonSettings;
71 
72 /*
73  * Global configuration context data
74  */
75 typedef struct OutputJsonCtx_ {
76  LogFileCtx *file_ctx;
77  enum LogFileType json_out;
78  OutputJsonCommonSettings cfg;
79  HttpXFFCfg *xff_cfg;
80  SCEveFileType *filetype;
81 } OutputJsonCtx;
82 
83 typedef struct OutputJsonThreadCtx_ {
84  OutputJsonCtx *ctx;
85  LogFileCtx *file_ctx;
86  MemBuffer *buffer;
87  bool too_large_warning;
88 } OutputJsonThreadCtx;
89 
90 json_t *SCJsonString(const char *val);
91 
92 void CreateEveFlowId(SCJsonBuilder *js, const Flow *f);
93 void EveFileInfo(SCJsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags);
94 void EveTcpFlags(uint8_t flags, SCJsonBuilder *js);
95 void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length);
96 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,
97  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx);
98 SCJsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir,
99  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx);
100 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);
101 void OutputJsonBuilderBuffer(
102  ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx);
103 OutputInitResult OutputJsonInitCtx(SCConfNode *);
104 
105 OutputInitResult OutputJsonLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx);
106 TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data);
107 TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data);
108 
109 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
110  SCJsonBuilder *js, enum SCOutputJsonLogDirection dir);
111 int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p);
112 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js);
113 
114 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
115 
116 OutputJsonThreadCtx *CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx);
117 void FreeEveThreadCtx(OutputJsonThreadCtx *ctx);
118 void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array);
119 void OutputJsonFlush(OutputJsonThreadCtx *ctx);
120 
121 #endif /* SURICATA_OUTPUT_JSON_H */
OutputJsonThreadCtx_::too_large_warning
bool too_large_warning
Definition: output-json.h:87
SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition: output-eve-bindgen.h:31
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:79
OutputJsonCommonSettings
struct OutputJsonCommonSettings_ OutputJsonCommonSettings
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition: output-json.h:84
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
EveFileInfo
void EveFileInfo(SCJsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:78
OutputJsonCtx
struct OutputJsonCtx_ OutputJsonCtx
CreateEveFlowId
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
Definition: output-json.c:716
OutputJsonCtx_
Definition: output-json.h:75
Flow_
Flow data structure.
Definition: flow.h:356
OutputJsonCommonSettings_
Definition: output-json.h:64
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
OutputJsonCtx_::json_out
enum LogFileType json_out
Definition: output-json.h:77
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:66
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:60
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
CreateEveHeaderWithTxId
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:953
OutputJsonCommonSettings_::include_suricata_version
bool include_suricata_version
Definition: output-json.h:68
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition: output-json-common.c:132
OutputCtx_
Definition: tm-modules.h:88
OutputJsonThreadCtx
struct OutputJsonThreadCtx_ OutputJsonThreadCtx
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:83
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:45
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:486
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:728
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:441
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:48
JsonAddrInfo_
Definition: output-json.h:41
Packet_
Definition: decode.h:501
OutputJSONMemBufferWrapper_
Definition: output-json.h:59
output-eve-bindgen.h
Port
uint16_t Port
Definition: decode.h:218
TmEcode
TmEcode
Definition: tm-threads-common.h:80
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:85
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:67
MemBuffer_
Definition: util-buffer.h:27
OutputJsonLogFlush
int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p)
Definition: output-json-common.c:73
EveTcpFlags
void EveTcpFlags(uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:466
OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition: output-json.c:1009
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:65
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:46
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
Definition: output-json.c:414
File_
Definition: util-file.h:79
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition: output-json.c:391
OutputInitResult_
Definition: output.h:46
OutputJsonThreadCtx_::buffer
MemBuffer * buffer
Definition: output-json.h:86
flags
uint8_t flags
Definition: decode-gre.h:0
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:61
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:44
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:37
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:850
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:42
str
#define str(s)
Definition: suricata-common.h:308
util-logopenfile.h
JsonAddrInfo
struct JsonAddrInfo_ JsonAddrInfo
util-buffer.h
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:43
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:76
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx)
Definition: output-json-common.c:82
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:1015
LogFileType
LogFileType
Definition: util-logopenfile.h:38
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:980
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:69
OutputJSONMemBufferWrapper
struct OutputJSONMemBufferWrapper_ OutputJSONMemBufferWrapper
JSON_PROTO_LEN
#define JSON_PROTO_LEN
Definition: output-json.h:38
SCConfNode_
Definition: conf.h:37
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:966
output.h
SCEveFileType_
Structure used to define an EVE output file type plugin.
Definition: output-eve.h:74
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition: output-json-common.c:99
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(SCConfNode *)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1141
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:80
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29