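/**
 * \brief Per-thread initialisation for the EVE alert logger.
 *
 * Allocates the thread context and its two output buffers (the JSON line
 * buffer and the payload buffer) and binds the context to the shared
 * AlertJsonOutputCtx carried in \a initdata.
 *
 * \param t         Thread vars (not used here).
 * \param initdata  OutputCtx whose ->data is the AlertJsonOutputCtx.
 * \param data      Receives the new JsonAlertLogThread on success.
 * \retval TM_ECODE_OK on success.
 * \retval TM_ECODE_FAILED if initdata is NULL or any allocation fails; in
 *         that case nothing allocated here is leaked.
 */
static TmEcode JsonAlertLogThreadInit(ThreadVars *t, void *initdata, void **data)
{
    /* validate the argument before allocating so there is nothing to undo */
    if (initdata == NULL) {
        SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
        return TM_ECODE_FAILED;
    }

    JsonAlertLogThread *aft = SCMalloc(sizeof(JsonAlertLogThread));
    if (unlikely(aft == NULL))
        return TM_ECODE_FAILED;
    memset(aft, 0, sizeof(JsonAlertLogThread));

    aft->json_buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
    if (aft->json_buffer == NULL)
        goto error;

    /** Use the Output Context (file pointer and mutex) */
    AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
    aft->file_ctx = json_output_ctx->file_ctx;
    aft->json_output_ctx = json_output_ctx;

    aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
    if (aft->payload_buffer == NULL)
        goto error;

    *data = (void *)aft;
    return TM_ECODE_OK;

error:
    /* json_buffer is already allocated when payload_buffer fails; the
     * previous version returned here without releasing it */
    if (aft->json_buffer != NULL)
        MemBufferFree(aft->json_buffer);
    SCFree(aft);
    return TM_ECODE_FAILED;
}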
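/**
 * \brief Per-thread initialisation for the EVE TLS logger.
 *
 * Allocates the thread context plus its output buffer and points it at the
 * shared TLS log context carried in \a initdata.
 *
 * \param t         Thread vars (not used here).
 * \param initdata  OutputCtx whose ->data is the TLS log output context.
 * \param data      Receives the new JsonTlsLogThread on success.
 * \retval TM_ECODE_OK on success, TM_ECODE_FAILED on NULL initdata or
 *         allocation failure (nothing leaked).
 */
static TmEcode JsonTlsLogThreadInit(ThreadVars *t, void *initdata, void **data)
{
    if (initdata == NULL) {
        /* the message used to say "HTTPLog" (copy-paste from the HTTP
         * logger), which sent anyone debugging this to the wrong module */
        SCLogDebug("Error getting context for JsonTlsLog. \"initdata\" argument NULL");
        return TM_ECODE_FAILED;
    }

    JsonTlsLogThread *aft = SCMalloc(sizeof(JsonTlsLogThread));
    if (unlikely(aft == NULL))
        return TM_ECODE_FAILED;
    memset(aft, 0, sizeof(JsonTlsLogThread));

    /* Use the Output Context (file pointer and mutex) */
    aft->tlslog_ctx = ((OutputCtx *)initdata)->data;

    aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
    if (aft->buffer == NULL) {
        SCFree(aft);
        return TM_ECODE_FAILED;
    }

    *data = (void *)aft;
    return TM_ECODE_OK;
}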
/**
 * \brief Thread-init callback for the alert debug logger.
 *
 * Creates the per-thread context with a 1 MiB output buffer and attaches
 * the shared file context found in \a initdata.
 *
 * \param t         Thread vars (not used here).
 * \param initdata  OutputCtx whose ->data is the log file context.
 * \param data      Receives the new AlertDebugLogThread on success.
 * \retval TM_ECODE_OK on success, TM_ECODE_FAILED otherwise.
 */
static TmEcode AlertDebugLogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
    /* 1 mb seems sufficient enough */
    enum { DEBUG_LOG_BUFFER_SIZE = 1 * 1024 * 1024 };

    AlertDebugLogThread *tctx = SCMalloc(sizeof(*tctx));
    if (unlikely(tctx == NULL))
        return TM_ECODE_FAILED;
    memset(tctx, 0, sizeof(*tctx));

    if (initdata == NULL) {
        SCLogDebug("Error getting context for AlertDebugLog. \"initdata\" argument NULL");
        goto fail;
    }

    /* Use the Output Context (file pointer and mutex) */
    tctx->file_ctx = ((OutputCtx *)initdata)->data;

    tctx->buffer = MemBufferCreateNew(DEBUG_LOG_BUFFER_SIZE);
    if (tctx->buffer == NULL)
        goto fail;

    *data = (void *)tctx;
    return TM_ECODE_OK;

fail:
    SCFree(tctx);
    return TM_ECODE_FAILED;
}
/**
 * \brief Thread-init callback for the MSSQL JSON logger.
 *
 * Rejects a missing output context up front, then allocates the zeroed
 * thread context and its output buffer (sized by output_buffer_size).
 *
 * \param t         Thread vars (not used here).
 * \param initdata  OutputCtx whose ->data is the MSSQL log context.
 * \param data      Receives the new LogMSSqlLogThread on success.
 * \retval TM_ECODE_OK on success, TM_ECODE_FAILED otherwise.
 */
static TmEcode MSSqlJsonLogThreadInit(ThreadVars *t, void *initdata, void **data)
{
    if (initdata == NULL) {
        SCLogDebug("Error getting context for mssql log. \"initdata\" argument NULL");
        return TM_ECODE_FAILED;
    }

    /* (count, size) order, matching the other calloc users in this file */
    LogMSSqlLogThread *tctx = SCCalloc(1, sizeof(*tctx));
    if (unlikely(tctx == NULL))
        return TM_ECODE_FAILED;

    tctx->mssqllog_ctx = ((OutputCtx *)initdata)->data;

    tctx->buffer = MemBufferCreateNew(output_buffer_size);
    if (tctx->buffer == NULL) {
        SCFree(tctx);
        return TM_ECODE_FAILED;
    }

    *data = tctx;
    return TM_ECODE_OK;
}
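/**
 * \brief Thread-init callback for the DB JSON logger.
 *
 * Validates the output context, then allocates the zeroed thread context
 * and a DB_JSON_SIZE output buffer.
 *
 * \param t          Thread vars (not used here).
 * \param init_data  OutputCtx whose ->data is the DB JSON log context.
 * \param data       Receives the new DBJsonLogThread on success.
 * \retval TM_ECODE_OK on success, TM_ECODE_FAILED on NULL init_data or
 *         allocation failure (nothing leaked).
 */
static TmEcode ThreadInit(ThreadVars *t, void *init_data, void **data)
{
    /* check before allocating so the failure path has nothing to free */
    if (init_data == NULL) {
        /* the message used to say "DNSLog", a copy-paste from another
         * logger; name the module this thread context actually belongs to */
        SCLogDebug("Error getting context for DBJsonLog. \"initdata\" argument NULL");
        return TM_ECODE_FAILED;
    }

    DBJsonLogThread *jlt = SCCalloc(1, sizeof(*jlt));
    if (unlikely(jlt == NULL))
        return TM_ECODE_FAILED;

    jlt->buf = MemBufferCreateNew(DB_JSON_SIZE);
    if (jlt->buf == NULL) {
        SCFree(jlt);
        return TM_ECODE_FAILED;
    }

    jlt->ctx = ((OutputCtx *)init_data)->data;
    *data = (void *)jlt;
    return TM_ECODE_OK;
}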
/**
 * \brief Thread-init callback for the EVE IKEv2 logger.
 *
 * Allocates the zeroed thread context and its output buffer and binds it
 * to the shared IKEv2 log context carried in \a initdata.
 *
 * \param t         Thread vars (not used here).
 * \param initdata  OutputCtx whose ->data is the IKEv2 log context.
 * \param data      Receives the new LogIKEv2LogThread on success.
 * \retval TM_ECODE_OK on success, TM_ECODE_FAILED otherwise.
 */
static TmEcode JsonIKEv2LogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
    LogIKEv2LogThread *tctx = SCCalloc(1, sizeof(*tctx));
    if (unlikely(tctx == NULL))
        return TM_ECODE_FAILED;

    if (initdata == NULL) {
        SCLogDebug("Error getting context for EveLogIKEv2. \"initdata\" is NULL.");
        goto fail;
    }

    tctx->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
    if (unlikely(tctx->buffer == NULL))
        goto fail;

    tctx->ikev2log_ctx = ((OutputCtx *)initdata)->data;
    *data = (void *)tctx;
    return TM_ECODE_OK;

fail:
    SCFree(tctx);
    return TM_ECODE_FAILED;
}
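/**
 * \brief Dump the rules inspected for one packet as a single JSON line.
 *
 * Builds an "inspectedrules" object from det_ctx->match_array (rule group
 * id, rule count, and per-signature id / MPM pattern details) on top of the
 * standard EVE header for \a p, then appends it to
 * <log_dir>/packet_inspected_rules.json. File writes are serialised with
 * g_rule_dump_write_m since detect threads call this concurrently.
 *
 * Fixes over the previous version: the header object was leaked when
 * json_object() failed; the per-signature NULL check tested `js` instead of
 * `js_sig`; the write mutex was never released when fopen() failed, which
 * would block every later dump; a truncated log path was written to anyway.
 *
 * \param det_ctx  Detect thread context; sgh and match_array are read.
 *                 NOTE(review): det_ctx->sgh is dereferenced without a NULL
 *                 check, as before — assumes callers only invoke this once a
 *                 rule group has been selected; confirm at the call site.
 * \param p        Packet the JSON header is built from.
 */
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const Packet *p)
{
    json_t *js = CreateJSONHeader(p, 0, "inspectedrules");
    if (js == NULL)
        return;

    json_t *ir = json_object();
    if (ir == NULL) {
        json_decref(js);
        return;
    }
    json_t *js_array = json_array();
    if (js_array == NULL) {
        json_decref(ir);
        json_decref(js);
        return;
    }

    json_object_set_new(ir, "rule_group_id", json_integer(det_ctx->sgh->id));
    json_object_set_new(ir, "rule_cnt", json_integer(det_ctx->match_array_cnt));

    for (uint32_t x = 0; x < det_ctx->match_array_cnt; x++) {
        const Signature *s = det_ctx->match_array[x];
        if (s == NULL)
            continue;
        json_t *js_sig = json_object();
        /* previously checked `js`, which is always non-NULL here, so an
         * allocation failure would have been dereferenced below */
        if (unlikely(js_sig == NULL))
            continue;

        json_object_set_new(js_sig, "sig_id", json_integer(s->id));
        json_object_set_new(js_sig, "mpm", (s->mpm_sm != NULL) ? json_true() : json_false());
        if (s->mpm_sm != NULL) {
            char orig[256] = "";
            char chop[256] = "";
            DumpFp(s->mpm_sm, orig, sizeof(orig), chop, sizeof(chop));
            json_object_set_new(js_sig, "mpm_buffer",
                    json_string(DetectListToHumanString(SigMatchListSMBelongsTo(s, s->mpm_sm))));
            json_object_set_new(js_sig, "mpm_pattern", json_string(orig));
            /* only emit the chopped form when DumpFp produced one */
            if (strlen(chop) > 0) {
                json_object_set_new(js_sig, "mpm_pattern_chop", json_string(chop));
            }
        }
        json_array_append_new(js_array, js_sig);
    }
    json_object_set_new(ir, "rules", js_array);
    json_object_set_new(js, "inspectedrules", ir);

    const char *filename = "packet_inspected_rules.json";
    const char *log_dir = ConfigGetLogDirectory();
    char log_path[PATH_MAX] = "";
    int plen = snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
    if (plen < 0 || (size_t)plen >= sizeof(log_path)) {
        /* a truncated path would open some other file under the log dir;
         * refuse rather than append there */
        SCLogWarning(SC_ERR_SOCKET, "inspected-rules log path too long, not writing");
        json_decref(js);
        return;
    }

    MemBuffer *mbuf = MemBufferCreateNew(4096);
    BUG_ON(mbuf == NULL);
    OutputJSONMemBufferWrapper wrapper = {
        .buffer = &mbuf,
        .expand_by = 4096,
    };
    int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
            JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|JSON_ESCAPE_SLASH);
    if (r != 0) {
        SCLogWarning(SC_ERR_SOCKET, "unable to serialize JSON object");
    } else {
        MemBufferWriteString(mbuf, "\n");
        SCMutexLock(&g_rule_dump_write_m);
        FILE *fp = fopen(log_path, "a");
        if (fp != NULL) {
            MemBufferPrintToFPAsString(mbuf, fp);
            fclose(fp);
        }
        /* unlock on every path: the old code only unlocked inside the
         * fp != NULL branch, so one failed fopen() left the mutex held */
        SCMutexUnlock(&g_rule_dump_write_m);
    }

    MemBufferFree(mbuf);
    /* json_decref releases the whole tree; the former json_object_clear
     * before it was redundant */
    json_decref(js);
}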