suricata
output-json.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Tom DeCanio <td@npulsetech.com>
22  */
23 
24 #ifndef SURICATA_OUTPUT_JSON_H
25 #define SURICATA_OUTPUT_JSON_H
26 
27 #include "suricata-common.h"
28 #include "util-buffer.h"
29 #include "util-logopenfile.h"
30 #include "output.h"
31 
32 #include "app-layer-htp-xff.h"
33 
34 void OutputJsonRegister(void);
35 
36 enum OutputJsonLogDirection {
37  LOG_DIR_PACKET = 0,
38  LOG_DIR_FLOW,
39  LOG_DIR_FLOW_TOCLIENT,
40  LOG_DIR_FLOW_TOSERVER,
41 };
42 
43 #define JSON_ADDR_LEN 46
44 #define JSON_PROTO_LEN 16
45 
46 /* A struct to contain address info for rendering to JSON. */
47 typedef struct JsonAddrInfo_ {
48  char src_ip[JSON_ADDR_LEN];
49  char dst_ip[JSON_ADDR_LEN];
50  Port sp;
51  Port dp;
52  char proto[JSON_PROTO_LEN];
53  // Ports are logged only when provided by the transport protocol.
54  bool log_port;
55 } JsonAddrInfo;
56 
57 extern const JsonAddrInfo json_addr_info_zero;
58 
59 void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir,
60  JsonAddrInfo *addr);
61 
62 /* Suggested output buffer size */
63 #define JSON_OUTPUT_BUFFER_SIZE 65535
64 
65 /* helper struct for OutputJSONMemBufferCallback */
66 typedef struct OutputJSONMemBufferWrapper_ {
67  MemBuffer **buffer; /**< buffer to use & expand as needed */
68  size_t expand_by; /**< expand by this size */
69 } OutputJSONMemBufferWrapper;
70 
71 typedef struct OutputJsonCommonSettings_ {
72  bool include_metadata;
73  bool include_community_id;
74  bool include_ethernet;
75  uint16_t community_id_seed;
76 } OutputJsonCommonSettings;
77 
78 /*
79  * Global configuration context data
80  */
81 typedef struct OutputJsonCtx_ {
82  LogFileCtx *file_ctx;
83  enum LogFileType json_out;
84  OutputJsonCommonSettings cfg;
85  HttpXFFCfg *xff_cfg;
86  SCEveFileType *filetype;
87 } OutputJsonCtx;
88 
89 typedef struct OutputJsonThreadCtx_ {
90  OutputJsonCtx *ctx;
91  LogFileCtx *file_ctx;
92  MemBuffer *buffer;
93 } OutputJsonThreadCtx;
94 
95 json_t *SCJsonString(const char *val);
96 
97 void CreateEveFlowId(JsonBuilder *js, const Flow *f);
98 void EveFileInfo(JsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags);
99 void EveTcpFlags(uint8_t flags, JsonBuilder *js);
100 void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length);
101 JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir,
102  const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx);
103 JsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir,
104  const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx);
105 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);
106 int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx);
107 OutputInitResult OutputJsonInitCtx(ConfNode *);
108 
109 OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx);
110 TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data);
111 TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data);
112 
113 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
114  JsonBuilder *js, enum OutputJsonLogDirection dir);
115 void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js);
116 
117 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
118 
119 OutputJsonThreadCtx *CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx);
120 void FreeEveThreadCtx(OutputJsonThreadCtx *ctx);
121 void JSONFormatAndAddMACAddr(JsonBuilder *js, const char *key, const uint8_t *val, bool is_array);
122 
123 #endif /* SURICATA_OUTPUT_JSON_H */
FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition: output-json-common.c:58
OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition: output-json.h:85
OutputJsonCommonSettings
struct OutputJsonCommonSettings_ OutputJsonCommonSettings
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition: output-json.h:90
SCJsonString
json_t * SCJsonString(const char *val)
Definition: output-json.c:96
CreateEveHeaderWithTxId
JsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:912
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:84
OutputJsonCtx
struct OutputJsonCtx_ OutputJsonCtx
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
Definition: output-json-common.c:73
EvePacket
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length)
Jsonify a packet.
Definition: output-json.c:432
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(JsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition: output-json.c:711
OutputJsonCtx_
Definition: output-json.h:81
Flow_
Flow data structure.
Definition: flow.h:360
OutputJsonCommonSettings_
Definition: output-json.h:71
ctx
struct Thresholds ctx
LogFileCtx_
Definition: util-logopenfile.h:72
OutputJsonCtx_::json_out
enum LogFileType json_out
Definition: output-json.h:83
OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition: output-json.h:73
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:67
EveFileInfo
void EveFileInfo(JsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags)
Definition: output-json.c:124
json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition: output-json.c:81
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition: output-json-common.c:123
OutputCtx_
Definition: tm-modules.h:85
OutputJsonThreadCtx
struct OutputJsonThreadCtx_ OutputJsonThreadCtx
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:89
CreateEveFlowId
void CreateEveFlowId(JsonBuilder *js, const Flow *f)
Definition: output-json.c:699
JsonAddrInfo_::dp
Port dp
Definition: output-json.h:51
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:816
JsonAddrInfo_::log_port
bool log_port
Definition: output-json.h:54
JsonAddrInfo_
Definition: output-json.h:47
Packet_
Definition: decode.h:479
OutputJSONMemBufferWrapper_
Definition: output-json.h:66
Port
uint16_t Port
Definition: decode.h:220
TmEcode
TmEcode
Definition: tm-threads-common.h:81
OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:91
HttpXFFCfg_
Definition: app-layer-htp-xff.h:41
LOG_DIR_FLOW_TOCLIENT
@ LOG_DIR_FLOW_TOCLIENT
Definition: output-json.h:39
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:385
OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition: output-json.h:74
MemBuffer_
Definition: util-buffer.h:27
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:967
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:72
JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition: output-json.h:52
File_
Definition: util-file.h:79
OutputInitResult_
Definition: output.h:46
OutputJsonThreadCtx_::buffer
MemBuffer * buffer
Definition: output-json.h:92
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:37
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
JsonAddrInfo_::sp
Port sp
Definition: output-json.h:50
OutputJSONMemBufferWrapper_::expand_by
size_t expand_by
Definition: output-json.h:68
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition: output-json.h:43
EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js, enum OutputJsonLogDirection dir)
Definition: output-json.c:408
OutputJsonLogDirection
OutputJsonLogDirection
Definition: output-json.h:36
EveTcpFlags
void EveTcpFlags(uint8_t flags, JsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition: output-json.c:449
OutputJsonRegister
void OutputJsonRegister(void)
Definition: output-json.c:83
LOG_DIR_FLOW
@ LOG_DIR_FLOW
Definition: output-json.h:38
JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition: output-json.h:48
str
#define str(s)
Definition: suricata-common.h:291
LOG_DIR_FLOW_TOSERVER
@ LOG_DIR_FLOW_TOSERVER
Definition: output-json.h:40
ConfNode_
Definition: conf.h:32
util-logopenfile.h
JsonAddrInfo
struct JsonAddrInfo_ JsonAddrInfo
util-buffer.h
JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition: output-json.h:49
OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition: output-json.h:82
LogFileType
LogFileType
Definition: util-logopenfile.h:38
OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition: output-json.c:938
OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition: output-json.h:75
OutputJSONMemBufferWrapper
struct OutputJSONMemBufferWrapper_ OutputJSONMemBufferWrapper
JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition: output-json.c:469
OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(ConfNode *)
Create a new LogFileCtx for "fast" output style.
Definition: output-json.c:1076
JSON_PROTO_LEN
#define JSON_PROTO_LEN
Definition: output-json.h:44
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:925
output.h
SCEveFileType_
Structure used to define an EVE output file type plugin.
Definition: output-eve.h:73
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition: output-json-common.c:90
OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition: output-json.h:86
CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition: output-json-common.c:29