static TmEcode JsonAlertLogThreadInit(ThreadVars *t, void *initdata, void **data)
{
JsonAlertLogThread *aft = SCMalloc(sizeof(JsonAlertLogThread));
if (unlikely(aft == NULL))
return TM_ECODE_FAILED;
memset(aft, 0, sizeof(JsonAlertLogThread));
if(initdata == NULL)
{
SCLogDebug("Error getting context for EveLogAlert. \"initdata\" argument NULL");
SCFree(aft);
return TM_ECODE_FAILED;
}
aft->json_buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
if (aft->json_buffer == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
/** Use the Output Context (file pointer and mutex) */
AlertJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
aft->file_ctx = json_output_ctx->file_ctx;
aft->json_output_ctx = json_output_ctx;
aft->payload_buffer = MemBufferCreateNew(json_output_ctx->payload_buffer_size);
if (aft->payload_buffer == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
*data = (void *)aft;
return TM_ECODE_OK;
}
static TmEcode JsonTlsLogThreadInit(ThreadVars *t, void *initdata, void **data)
{
JsonTlsLogThread *aft = SCMalloc(sizeof(JsonTlsLogThread));
if (unlikely(aft == NULL))
return TM_ECODE_FAILED;
memset(aft, 0, sizeof(JsonTlsLogThread));
if(initdata == NULL)
{
SCLogDebug("Error getting context for HTTPLog. \"initdata\" argument NULL");
SCFree(aft);
return TM_ECODE_FAILED;
}
/* Use the Ouptut Context (file pointer and mutex) */
aft->tlslog_ctx = ((OutputCtx *)initdata)->data;
aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
if (aft->buffer == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
*data = (void *)aft;
return TM_ECODE_OK;
}
static TmEcode AlertDebugLogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
AlertDebugLogThread *aft = SCMalloc(sizeof(AlertDebugLogThread));
if (unlikely(aft == NULL))
return TM_ECODE_FAILED;
memset(aft, 0, sizeof(AlertDebugLogThread));
if(initdata == NULL)
{
SCLogDebug("Error getting context for AlertDebugLog. \"initdata\" argument NULL");
SCFree(aft);
return TM_ECODE_FAILED;
}
/** Use the Ouptut Context (file pointer and mutex) */
aft->file_ctx = ((OutputCtx *)initdata)->data;
/* 1 mb seems sufficient enough */
aft->buffer = MemBufferCreateNew(1 * 1024 * 1024);
if (aft->buffer == NULL) {
SCFree(aft);
return TM_ECODE_FAILED;
}
*data = (void *)aft;
return TM_ECODE_OK;
}
static TmEcode MSSqlJsonLogThreadInit(ThreadVars *t, void *initdata, void **data) {
if (!initdata) {
SCLogDebug("Error getting context for mssql log. \"initdata\" argument NULL");
return TM_ECODE_FAILED;
}
LogMSSqlLogThread *aft = SCCalloc(sizeof(*aft), 1);
if (unlikely(aft == NULL))
return TM_ECODE_FAILED;
aft->buffer = MemBufferCreateNew(output_buffer_size);
if (!aft->buffer) {
SCFree(aft);
return TM_ECODE_FAILED;
}
aft->mssqllog_ctx = ((OutputCtx *)initdata)->data;
*data = aft;
return TM_ECODE_OK;
}
static TmEcode ThreadInit(ThreadVars *t, void *init_data, void **data) {
DBJsonLogThread *jlt = SCCalloc(sizeof(*jlt), 1);
if (unlikely(jlt == NULL))
return TM_ECODE_FAILED;
if (!init_data) {
SCLogDebug("Error getting context for DNSLog. \"initdata\" argument NULL");
SCFree(jlt);
return TM_ECODE_FAILED;
}
jlt->buf = MemBufferCreateNew(DB_JSON_SIZE);
if (!jlt->buf) {
SCFree(jlt);
return TM_ECODE_FAILED;
}
jlt->ctx = ((OutputCtx *)init_data)->data;
*data = (void *)jlt;
return TM_ECODE_OK;
}
static TmEcode JsonIKEv2LogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
LogIKEv2LogThread *thread = SCCalloc(1, sizeof(*thread));
if (unlikely(thread == NULL)) {
return TM_ECODE_FAILED;
}
if (initdata == NULL) {
SCLogDebug("Error getting context for EveLogIKEv2. \"initdata\" is NULL.");
SCFree(thread);
return TM_ECODE_FAILED;
}
thread->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
if (unlikely(thread->buffer == NULL)) {
SCFree(thread);
return TM_ECODE_FAILED;
}
thread->ikev2log_ctx = ((OutputCtx *)initdata)->data;
*data = (void *)thread;
return TM_ECODE_OK;
}
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const Packet *p)
{
json_t *js = CreateJSONHeader(p, 0, "inspectedrules");
if (js == NULL)
return;
json_t *ir = json_object();
if (ir == NULL)
return;
json_object_set_new(ir, "rule_group_id", json_integer(det_ctx->sgh->id));
json_object_set_new(ir, "rule_cnt", json_integer(det_ctx->match_array_cnt));
json_t *js_array = json_array();
uint32_t x;
for (x = 0; x < det_ctx->match_array_cnt; x++)
{
const Signature *s = det_ctx->match_array[x];
if (s == NULL)
continue;
json_t *js_sig = json_object();
if (unlikely(js == NULL))
continue;
json_object_set_new(js_sig, "sig_id", json_integer(s->id));
json_object_set_new(js_sig, "mpm", (s->mpm_sm != NULL) ? json_true() : json_false());
if (s->mpm_sm != NULL) {
char orig[256] = "";
char chop[256] = "";
DumpFp(s->mpm_sm, orig, sizeof(orig), chop, sizeof(chop));
json_object_set_new(js_sig, "mpm_buffer", json_string(DetectListToHumanString(SigMatchListSMBelongsTo(s, s->mpm_sm))));
json_object_set_new(js_sig, "mpm_pattern", json_string(orig));
if (strlen(chop) > 0) {
json_object_set_new(js_sig, "mpm_pattern_chop", json_string(chop));
}
}
json_array_append_new(js_array, js_sig);
}
json_object_set_new(ir, "rules", js_array);
json_object_set_new(js, "inspectedrules", ir);
const char *filename = "packet_inspected_rules.json";
const char *log_dir = ConfigGetLogDirectory();
char log_path[PATH_MAX] = "";
snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
MemBuffer *mbuf = NULL;
mbuf = MemBufferCreateNew(4096);
BUG_ON(mbuf == NULL);
OutputJSONMemBufferWrapper wrapper = {
.buffer = &mbuf,
.expand_by = 4096,
};
int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
JSON_ESCAPE_SLASH);
if (r != 0) {
SCLogWarning(SC_ERR_SOCKET, "unable to serialize JSON object");
} else {
MemBufferWriteString(mbuf, "\n");
SCMutexLock(&g_rule_dump_write_m);
FILE *fp = fopen(log_path, "a");
if (fp != NULL) {
MemBufferPrintToFPAsString(mbuf, fp);
fclose(fp);
SCMutexUnlock(&g_rule_dump_write_m);
}
}
MemBufferFree(mbuf);
json_object_clear(js);
json_decref(js);
}
