suricata
output-json.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  */
23 
24 #ifndef SURICATA_OUTPUT_JSON_H
25 #define SURICATA_OUTPUT_JSON_H
26 
27 #include "suricata-common.h"
28 #include "util-buffer.h"
29 #include "util-logopenfile.h"
30 #include "output.h"
31 
32 #include "app-layer-htp-xff.h"
33 
34 void OutputJsonRegister(void);
35 
36 enum OutputJsonLogDirection {
37  LOG_DIR_PACKET = 0,
38  LOG_DIR_FLOW,
39  LOG_DIR_FLOW_TOCLIENT,
40  LOG_DIR_FLOW_TOSERVER,
41 };
42 
43 #define JSON_ADDR_LEN 46
44 #define JSON_PROTO_LEN 16
45 
46 /* A struct to contain address info for rendering to JSON. */
47 typedef struct JsonAddrInfo_ {
48  char src_ip[JSON_ADDR_LEN];
49  char dst_ip[JSON_ADDR_LEN];
50  Port sp;
51  Port dp;
52  char proto[JSON_PROTO_LEN];
53  // Ports are logged only when provided by the transport protocol.
54  bool log_port;
55 } JsonAddrInfo;
56 
57 extern const JsonAddrInfo json_addr_info_zero;
58 
59 void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir,
60  JsonAddrInfo *addr);
61 
62 /* Suggested output buffer size */
63 #define JSON_OUTPUT_BUFFER_SIZE 65535
64 
65 /* helper struct for OutputJSONMemBufferCallback */
66 typedef struct OutputJSONMemBufferWrapper_ {
67  MemBuffer **buffer; /**< buffer to use & expand as needed */
68  uint32_t expand_by; /**< expand by this size */
69 } OutputJSONMemBufferWrapper;
70 
71 typedef struct OutputJsonCommonSettings_ {
72  bool include_metadata;
73  bool include_community_id;
74  bool include_ethernet;
75  uint16_t community_id_seed;
76 } OutputJsonCommonSettings;
77 
78 /*
79  * Global configuration context data
80  */
81 typedef struct OutputJsonCtx_ {
82  LogFileCtx *file_ctx;
83  enum LogFileType json_out;
84  OutputJsonCommonSettings cfg;
85  HttpXFFCfg *xff_cfg;
86  SCEveFileType *filetype;
87 } OutputJsonCtx;
88 
89 typedef struct OutputJsonThreadCtx_ {
90  OutputJsonCtx *ctx;
91  LogFileCtx *file_ctx;
92  MemBuffer *buffer;
93 } OutputJsonThreadCtx;
94 
95 json_t *SCJsonString(const char *val);
96 
97 void CreateEveFlowId(JsonBuilder *js, const Flow *f);
98 void EveFileInfo(JsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags);
99 void EveTcpFlags(uint8_t flags, JsonBuilder *js);
100 void EvePacket(const Packet *p, JsonBuilder *js, uint32_t max_length);
101 JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir,
102  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx);
103 JsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir,
104  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx);
105 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);
106 int OutputJsonBuilderBuffer(
107  ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx);
108 OutputInitResult OutputJsonInitCtx(ConfNode *);
109 
110 OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx);
111 TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data);
112 TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data);
113 
114 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
115  JsonBuilder *js, enum OutputJsonLogDirection dir);
116 void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js);
117 
118 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
119 
120 OutputJsonThreadCtx *CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx);
121 void FreeEveThreadCtx(OutputJsonThreadCtx *ctx);
122 void JSONFormatAndAddMACAddr(JsonBuilder *js, const char *key, const uint8_t *val, bool is_array);
123 
124 #endif /* SURICATA_OUTPUT_JSON_H */
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
OutputJsonCommonSettings
struct OutputJsonCommonSettings_ OutputJsonCommonSettings
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition: output-json.h:90
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
CreateEveHeaderWithTxId
JsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:902
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:84
OutputJsonCtx
struct OutputJsonCtx_ OutputJsonCtx
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
Definition: output-json-common.c:73
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(JsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:701
OutputJsonCtx_
Definition: output-json.h:81
Flow_
Flow data structure.
Definition: flow.h:356
OutputJsonCommonSettings_
Definition: output-json.h:71
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
OutputJsonCtx_::json_out
enum LogFileType json_out
Definition: output-json.h:83
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:73
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:67
EveFileInfo
void EveFileInfo(JsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition: output-json-common.c:123
OutputCtx_
Definition: tm-modules.h:84
OutputJsonThreadCtx
struct OutputJsonThreadCtx_ OutputJsonThreadCtx
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:89
CreateEveFlowId
void CreateEveFlowId(JsonBuilder *js, const Flow *f)
Definition: output-json.c:689
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:51
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition: output-json.c:422
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:806
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:54
JsonAddrInfo_
Definition: output-json.h:47
Packet_
Definition: decode.h:473
OutputJSONMemBufferWrapper_
Definition: output-json.h:66
Port
uint16_t Port
Definition: decode.h:214
TmEcode
TmEcode
Definition: tm-threads-common.h:79
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:958
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:91
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-json.h:39
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:375
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:74
MemBuffer_
Definition: util-buffer.h:27
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:72
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:52
File_
Definition: util-file.h:79
OutputInitResult_
Definition: output.h:46
OutputJsonThreadCtx_::buffer
MemBuffer * buffer
Definition: output-json.h:92
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:37
flags
uint8_t flags
Definition: decode-gre.h:0
OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition: output-json.h:68
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:50
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:43
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js, enum OutputJsonLogDirection dir)
Definition: output-json.c:398
OutputJsonLogDirection
OutputJsonLogDirection
Definition: output-json.h:36
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
EveTcpFlags
void EveTcpFlags(uint8_t flags, JsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:439
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:38
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:48
str
#define str(s)
Definition: suricata-common.h:291
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-json.h:40
ConfNode_
Definition: conf.h:32
util-logopenfile.h
JsonAddrInfo
struct JsonAddrInfo_ JsonAddrInfo
util-buffer.h
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:49
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
LogFileType
LogFileType
Definition: util-logopenfile.h:38
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:929
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:75
OutputJSONMemBufferWrapper
struct OutputJSONMemBufferWrapper_ OutputJSONMemBufferWrapper
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:459
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(ConfNode *)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1073
JSON_PROTO_LEN
#define JSON_PROTO_LEN
Definition: output-json.h:44
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:915
output.h
SCEveFileType_
Structure used to define an EVE output file type plugin.
Definition: output-eve.h:74
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition: output-json-common.c:90
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:86
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29