/**
 * \brief Emit the eve "netflow" record(s) for one flow.
 *
 * A to-server record is always written. A to-client record is only written
 * when the flow actually carried packets towards the client
 * (f->tosrcpktcnt != 0), so one-sided flows produce a single record.
 *
 * \param tv          thread variables (unused)
 * \param thread_data per-thread JsonNetFlowLogThread (buffer + output ctx)
 * \param f           flow being logged
 * \return TM_ECODE_OK, also when a JSON header could not be allocated
 */
static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
{
    SCEnter();
    JsonNetFlowLogThread *thread = (JsonNetFlowLogThread *)thread_data;
    LogJsonFileCtx *ctx = thread->flowlog_ctx;

    /* --- to-server direction --- */
    MemBufferReset(thread->buffer);
    json_t *record = CreateJSONHeaderFromFlow(f, "netflow", 0);
    if (unlikely(record == NULL))
        return TM_ECODE_OK;
    JsonNetFlowLogJSONToServer(thread, record, f);
    JsonAddCommonOptions(&ctx->cfg, NULL, f, record);
    OutputJSONBuffer(record, ctx->file_ctx, &thread->buffer);
    json_object_del(record, "netflow");
    json_object_clear(record);
    json_decref(record);

    /* --- to-client direction, only if response packets were seen --- */
    if (f->tosrcpktcnt == 0)
        SCReturnInt(TM_ECODE_OK);

    MemBufferReset(thread->buffer);
    record = CreateJSONHeaderFromFlow(f, "netflow", 1);
    if (unlikely(record == NULL))
        return TM_ECODE_OK;
    JsonNetFlowLogJSONToClient(thread, record, f);
    JsonAddCommonOptions(&ctx->cfg, NULL, f, record);
    OutputJSONBuffer(record, ctx->file_ctx, &thread->buffer);
    json_object_del(record, "netflow");
    json_object_clear(record);
    json_decref(record);

    SCReturnInt(TM_ECODE_OK);
}
/**
 * \brief Emit both eve "netflow" records (to-server, then to-client) for a flow.
 *
 * Both directions are written unconditionally. If the header for either
 * direction cannot be allocated the function stops there and returns
 * TM_ECODE_OK; a failure on the first direction therefore also skips the
 * second one.
 *
 * \param tv          thread variables (unused)
 * \param thread_data per-thread JsonNetFlowLogThread
 * \param f           flow being logged
 * \return TM_ECODE_OK always
 */
static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
{
    SCEnter();
    JsonNetFlowLogThread *thread = (JsonNetFlowLogThread *)thread_data;

    /* dir 0 = to server, dir 1 = to client; the direction is also the
     * argument to CreateJSONHeaderFromFlow */
    for (int dir = 0; dir < 2; dir++) {
        MemBufferReset(thread->buffer);
        json_t *record = CreateJSONHeaderFromFlow(f, "netflow", dir);
        if (unlikely(record == NULL))
            return TM_ECODE_OK;

        if (dir == 0)
            JsonNetFlowLogJSONToServer(thread, record, f);
        else
            JsonNetFlowLogJSONToClient(thread, record, f);

        OutputJSONBuffer(record, thread->flowlog_ctx->file_ctx, &thread->buffer);
        json_object_del(record, "netflow");
        json_object_clear(record);
        json_decref(record);
    }

    SCReturnInt(TM_ECODE_OK);
}
/**
 * \brief Write one eve "stats" record built from a StatsTable snapshot.
 *
 * Record layout (insertion order is preserved by the dumper):
 * "timestamp" (ISO time of the call), "event_type": "stats", "stats": the
 * object produced by StatsToJSON() under the context's flags.
 *
 * \param tv          thread variables (unused)
 * \param thread_data per-thread JsonStatsLogThread
 * \param st          counters to serialize
 * \return 0 in every case; allocation failures are silently skipped
 */
static int JsonStatsLogger(ThreadVars *tv, void *thread_data, const StatsTable *st)
{
    SCEnter();
    JsonStatsLogThread *thread = (JsonStatsLogThread *)thread_data;

    /* the record is stamped with wall-clock time, not a packet time */
    struct timeval now;
    gettimeofday(&now, NULL);

    json_t *root = json_object();
    if (unlikely(root == NULL))
        return 0;

    char timebuf[64];
    CreateIsoTimeString(&now, timebuf, sizeof(timebuf));
    json_object_set_new(root, "timestamp", json_string(timebuf));
    json_object_set_new(root, "event_type", json_string("stats"));

    json_t *stats = StatsToJSON(st, thread->statslog_ctx->flags);
    if (stats == NULL) {
        json_decref(root);
        return 0;
    }
    json_object_set_new(root, "stats", stats);

    OutputJSONBuffer(root, thread->statslog_ctx->file_ctx, &thread->buffer);
    MemBufferReset(thread->buffer);

    /* root owns stats; clearing/deleting before the final decref mirrors the
     * sibling loggers in this file */
    json_object_clear(stats);
    json_object_del(root, "stats");
    json_object_clear(root);
    json_decref(root);
    SCReturnInt(0);
}
/**
 * \brief Log one IKEv2 transaction as an eve "ikev2" record.
 *
 * The protocol body is produced by the Rust side
 * (rs_ikev2_log_json_response) and attached under the "ikev2" key.
 *
 * \return TM_ECODE_OK on success, TM_ECODE_FAILED when the header or the
 *         protocol body could not be built
 */
static int JsonIKEv2Logger(ThreadVars *tv, void *thread_data, const Packet *p,
        Flow *f, void *state, void *tx, uint64_t tx_id)
{
    LogIKEv2LogThread *thread = thread_data;
    IKEV2Transaction *ikev2tx = tx;

    json_t *root = CreateJSONHeader((Packet *)p, LOG_DIR_PACKET, "ikev2");
    if (unlikely(root == NULL))
        return TM_ECODE_FAILED;
    JsonAddCommonOptions(&thread->ikev2log_ctx->cfg, p, f, root);

    json_t *body = rs_ikev2_log_json_response(state, ikev2tx);
    if (unlikely(body == NULL)) {
        json_decref(root);
        return TM_ECODE_FAILED;
    }
    json_object_set_new(root, "ikev2", body);

    MemBufferReset(thread->buffer);
    OutputJSONBuffer(root, thread->ikev2log_ctx->file_ctx, &thread->buffer);
    json_decref(root);
    return TM_ECODE_OK;
}
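/**
 * \brief Log one database-protocol transaction as a JSON record.
 *
 * The record's top-level key ("mysql", "oracle-tns", "mssql-tds",
 * "db2-drda") is selected from the flow's application protocol; flows of any
 * other protocol are not logged.
 *
 * \return TM_ECODE_OK when a record was written (or the JSON header could
 *         not be allocated), -1 for protocols this logger does not handle
 */
static int Logger(ThreadVars *t, void *thread_data, const Packet *p, Flow *f,
        void *alstate, void *txptr, uint64_t tx_id)
{
    SCEnter();
    DBJsonLogThread *jlt = (DBJsonLogThread *)thread_data;
    char *name = NULL;

    /* Every case needs its own break: without them each protocol fell
     * through to the default branch and the logger returned -1 for all
     * traffic, so nothing was ever written. */
    switch (f->alproto) {
        case ALPROTO_MYSQL:
            name = "mysql";
            break;
        case ALPROTO_TNS11G:
            name = "oracle-tns";
            break;
        case ALPROTO_TDS:
            name = "mssql-tds";
            break;
        case ALPROTO_DRDA:
            name = "db2-drda";
            break;
        default:
            SCReturnInt(-1);
    }

    json_t *js = CreateJSONHeader((Packet *)p, 1, name);
    /* same policy as the other loggers in this file: an allocation failure
     * drops the record rather than passing a NULL object downstream */
    if (unlikely(js == NULL))
        SCReturnInt(TM_ECODE_OK);

    MemBufferReset(jlt->buf);
    DBLogAlState(alstate, f->alproto, p, js, name);
    OutputJSONBuffer(js, jlt->ctx->ctx, jlt->buf);

    json_object_del(js, name);
    json_object_clear(js);
    json_decref(js);
    SCReturnInt(TM_ECODE_OK);
}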
/**
 * \brief Log one HTTP transaction as an eve "http" record.
 *
 * The header is created in the "to server" direction (1) and the transaction
 * fields are filled in by JsonHttpLogJSON().
 *
 * \return TM_ECODE_OK in all cases, including header allocation failure
 */
static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p,
        Flow *f, void *alstate, void *txptr, uint64_t tx_id)
{
    SCEnter();
    JsonHttpLogThread *thread = (JsonHttpLogThread *)thread_data;
    htp_tx_t *tx = txptr;

    json_t *record = CreateJSONHeader((Packet *)p, 1, "http");
    if (unlikely(record == NULL))
        return TM_ECODE_OK;
    SCLogDebug("got a HTTP request and now logging !!");

    MemBufferReset(thread->buffer);
    JsonHttpLogJSON(thread, record, tx);
    OutputJSONBuffer(record, thread->httplog_ctx->file_ctx, thread->buffer);

    json_object_del(record, "http");
    json_object_clear(record);
    json_decref(record);
    SCReturnInt(TM_ECODE_OK);
}
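/**
 * \brief Packet logger that writes the eve "tls" record once per flow.
 *
 * Runs under the flow write lock for the whole inspection of the SSL state.
 * Nothing is written until both the server certificate subject and issuer
 * have been parsed; after a successful write the state is marked
 * SSL_AL_FLAG_STATE_LOGGED (the caller is presumably what checks that flag
 * to avoid re-logging; that check is not visible here).
 *
 * \return 0 always
 */
static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
    JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
    OutputTlsCtx *tls_ctx = aft->tlslog_ctx;

    if (unlikely(p->flow == NULL))
        return 0;

    FLOWLOCK_WRLOCK(p->flow);
    if (FlowGetAppProtocol(p->flow) != ALPROTO_TLS)
        goto end;

    SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
    if (unlikely(ssl_state == NULL))
        goto end;
    if (ssl_state->server_connp.cert0_issuerdn == NULL ||
            ssl_state->server_connp.cert0_subject == NULL)
        goto end;

    json_t *js = CreateJSONHeader((Packet *)p, 0, "tls");
    if (unlikely(js == NULL))
        goto end;
    json_t *tjs = json_object();
    if (tjs == NULL) {
        /* js is a jansson object that already owns the header's child
         * values; it must go through json_decref(), not free(), or those
         * children (and jansson's own bookkeeping) leak. */
        json_decref(js);
        goto end;
    }

    MemBufferReset(aft->buffer);
    json_object_set_new(tjs, "subject", json_string(ssl_state->server_connp.cert0_subject));
    json_object_set_new(tjs, "issuerdn", json_string(ssl_state->server_connp.cert0_issuerdn));
    if (tls_ctx->flags & LOG_TLS_EXTENDED)
        LogTlsLogExtendedJSON(tjs, ssl_state);
    json_object_set_new(js, "tls", tjs);

    OutputJSONBuffer(js, tls_ctx->file_ctx, aft->buffer);
    json_object_clear(js);
    json_decref(js);

    /* we only log the state once */
    ssl_state->flags |= SSL_AL_FLAG_STATE_LOGGED;

end:
    FLOWLOCK_UNLOCK(p->flow);
    return 0;
}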
/**
 * \brief Write one eve "alert" record per alert attached to a packet.
 *
 * A single JSON header is reused across the alerts: each iteration attaches
 * a fresh "alert" object, writes the record, then removes that key again.
 * "action" is "blocked" for reject actions, or for drop when the engine runs
 * in IPS mode; otherwise "allowed".
 *
 * \return TM_ECODE_OK always (allocation failures end the loop early)
 */
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    json_t *root = CreateJSONHeader((Packet *)p, 0, "alert");
    if (unlikely(root == NULL))
        return TM_ECODE_OK;

    for (int idx = 0; idx < p->alerts.cnt; idx++) {
        const PacketAlert *pa = &p->alerts.alerts[idx];
        if (unlikely(pa->s == NULL))
            continue;

        const char *action = "allowed";
        if (pa->action & (ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH))
            action = "blocked";
        else if ((pa->action & ACTION_DROP) && EngineModeIsIPS())
            action = "blocked";

        json_t *alert = json_object();
        if (alert == NULL) {
            json_decref(root);
            return TM_ECODE_OK;
        }

        MemBufferReset(aft->buffer);
        json_object_set_new(alert, "action", json_string(action));
        json_object_set_new(alert, "gid", json_integer(pa->s->gid));
        json_object_set_new(alert, "signature_id", json_integer(pa->s->id));
        json_object_set_new(alert, "rev", json_integer(pa->s->rev));
        json_object_set_new(alert, "signature", json_string(pa->s->msg ? pa->s->msg : ""));
        json_object_set_new(alert, "category", json_string(pa->s->class_msg ? pa->s->class_msg : ""));
        json_object_set_new(alert, "severity", json_integer(pa->s->prio));

        json_object_set_new(root, "alert", alert);
        OutputJSONBuffer(root, aft->file_ctx, aft->buffer);
        json_object_del(root, "alert");
    }

    json_object_clear(root);
    json_decref(root);
    return TM_ECODE_OK;
}
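/**
 * \brief Transaction logger for the eve "tls" record.
 *
 * Skips the record until both the server certificate subject and issuer DN
 * are available. Basic fields come from JsonTlsLogJSONBasic(); extended
 * fields are added when LOG_TLS_EXTENDED is set on the output context.
 *
 * \return 0 always
 */
static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
        Flow *f, void *state, void *txptr, uint64_t tx_id)
{
    JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
    OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
    SSLState *ssl_state = (SSLState *)state;

    if (unlikely(ssl_state == NULL))
        return 0;
    if (ssl_state->server_connp.cert0_issuerdn == NULL ||
            ssl_state->server_connp.cert0_subject == NULL)
        return 0;

    json_t *js = CreateJSONHeader((Packet *)p, 0, "tls");
    if (unlikely(js == NULL))
        return 0;
    json_t *tjs = json_object();
    if (tjs == NULL) {
        /* release the jansson object through its own refcount; free() on a
         * json_t skips the child values the header already owns */
        json_decref(js);
        return 0;
    }

    MemBufferReset(aft->buffer);
    JsonTlsLogJSONBasic(tjs, ssl_state);
    if (tls_ctx->flags & LOG_TLS_EXTENDED)
        JsonTlsLogJSONExtended(tjs, ssl_state);
    json_object_set_new(js, "tls", tjs);

    OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);
    json_object_clear(js);
    json_decref(js);
    return 0;
}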
/**
 * \brief Log one NFS transaction as an eve "nfs" record.
 *
 * Transactions the Rust parser marks as filtered are skipped. The record
 * carries both the RPC envelope ("rpc") and the NFS body ("nfs"), each
 * produced by the Rust side.
 *
 * \return TM_ECODE_OK on success or when filtered; TM_ECODE_FAILED when the
 *         header, the rpc body or the nfs body could not be built
 */
static int JsonNFSLogger(ThreadVars *tv, void *thread_data, const Packet *p,
        Flow *f, void *state, void *tx, uint64_t tx_id)
{
    LogNFSLogThread *thread = thread_data;
    NFSTransaction *nfstx = tx;

    if (rs_nfs_tx_logging_is_filtered(nfstx))
        return TM_ECODE_OK;

    json_t *root = CreateJSONHeader((Packet *)p, 0, "nfs");
    if (unlikely(root == NULL))
        return TM_ECODE_FAILED;

    int rc = TM_ECODE_FAILED;

    json_t *rpc = rs_rpc_log_json_response(tx);
    if (unlikely(rpc == NULL))
        goto done;
    json_object_set_new(root, "rpc", rpc);

    json_t *nfs = rs_nfs_log_json_response(state, tx);
    if (unlikely(nfs == NULL))
        goto done;
    json_object_set_new(root, "nfs", nfs);

    MemBufferReset(thread->buffer);
    OutputJSONBuffer(root, thread->nfslog_ctx->file_ctx, &thread->buffer);
    rc = TM_ECODE_OK;

done:
    /* root owns whatever bodies were attached */
    json_decref(root);
    return rc;
}
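/**
 * \brief Log one TDS (MSSQL) transaction as an eve "mssql" record.
 *
 * Record layout: mssql.user, mssql.db_name (null when unknown), mssql.action
 * (the detect action taken on the transaction) and mssql.meta_info with
 * "sql" (null when absent) and "cmd" ("login", "query" or the legacy
 * misspelt "unkonw").
 *
 * \return TM_ECODE_OK on success, TM_ECODE_FAILED on allocation failure
 */
static int JsonMSSqlLogger(ThreadVars *t, void *thread_data, const Packet *p, Flow *f,
        void *alstate, void *txptr, uint64_t tx_id)
{
    SCEnter();
    LogMSSqlLogThread *td = thread_data;
    TDSState *s = alstate;
    TDSTransaction *tx = txptr;

    json_t *js = CreateJSONHeader((Packet *)p, 1, "mssql");
    if (unlikely(!js))
        return TM_ECODE_FAILED;

    json_t *djs = json_object();
    if (unlikely(!djs)) {
        json_decref(js);   /* the header used to leak on this path */
        return TM_ECODE_FAILED;
    }
    /* from here on js owns djs */
    json_object_set_new(js, "mssql", djs);

    MemBuffer *buffer = td->buffer;
    MemBufferReset(buffer);

    /* json_string(NULL) yields NULL and the key is then silently dropped;
     * emit an explicit null instead, as is already done for db_name */
    json_object_set_new(djs, "user",
            s->cli.user_name ? json_string((char *)s->cli.user_name) : json_null());
    json_object_set_new(djs, "db_name",
            s->cli.db_name ? json_string((char *)s->cli.db_name) : json_null());

    const char *action = NULL;
    switch (tx->action) {
        case ACTION_ALERT:
            action = "ALERT";
            break;
        case ACTION_DROP:
            action = "DROP";
            break;
        case ACTION_REJECT:
            action = "REJECT";
            break;
        case ACTION_PASS:
            action = "PASS";
            break;
        default:
            action = "UNKNOWN";
            break;
    }
    json_object_set_new(djs, "action", json_string(action));

    json_t *meta_info = json_object();
    if (unlikely(!meta_info)) {
        json_decref(js);   /* releases djs as well; used to leak both */
        return TM_ECODE_FAILED;
    }
    json_object_set_new(djs, "meta_info", meta_info);
    json_object_set_new(meta_info, "sql", tx->sql ? json_string((char *)tx->sql) : json_null());

    switch (tx->tx_type) {
        case tds_tx_type_login:
            json_object_set_new(meta_info, "cmd", json_string("login"));
            break;
        case tds_tx_type_query:
            json_object_set_new(meta_info, "cmd", json_string("query"));
            break;
        default:
            /* NOTE(review): "unkonw" is a typo for "unknown", but it is an
             * emitted value that consumers may already match on; left as is */
            json_object_set_new(meta_info, "cmd", json_string("unkonw"));
            break;
    }

    OutputJSONBuffer(js, td->mssqllog_ctx->file_ctx, buffer);

    /* one decref frees the whole tree (djs and meta_info included) */
    json_decref(js);
    SCReturnInt(TM_ECODE_OK);
}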
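/**
 * \brief Write one eve "alert" record per alert on a packet, with optional
 *        payload and packet data.
 *
 * Per alert the record gets an "alert" object (action, gid, signature_id,
 * rev, signature, category, severity). When LOG_JSON_PAYLOAD /
 * LOG_JSON_PAYLOAD_BASE64 are set, "payload" (base64), "payload_printable"
 * and "stream" are added: for TCP alerts that matched on reassembled state
 * or stream data the payload is gathered from the stream segments of the
 * opposite direction, otherwise the packet payload is used. LOG_JSON_PACKET
 * adds the whole packet base64-encoded under "packet".
 *
 * \return TM_ECODE_OK always
 */
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
    MemBuffer *payload = aft->payload_buffer;
    int i;

    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
    if (unlikely(js == NULL))
        return TM_ECODE_OK;

    for (i = 0; i < p->alerts.cnt; i++) {
        const PacketAlert *pa = &p->alerts.alerts[i];
        if (unlikely(pa->s == NULL))
            continue;

        /* reset per alert, as the sibling AlertJson variants do, so a packet
         * carrying several alerts does not accumulate earlier records */
        MemBufferReset(aft->json_buffer);

        char *action = "allowed";
        if (pa->action & (ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH)) {
            action = "blocked";
        } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
            action = "blocked";
        }

        json_t *ajs = json_object();
        if (ajs == NULL) {
            json_decref(js);
            return TM_ECODE_OK;
        }
        json_object_set_new(ajs, "action", json_string(action));
        json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
        json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
        json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
        json_object_set_new(ajs, "signature", json_string((pa->s->msg) ? pa->s->msg : ""));
        json_object_set_new(ajs, "category", json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
        json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
        json_object_set_new(js, "alert", ajs);

        if (aft->file_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
            int stream = (p->proto == IPPROTO_TCP) ?
                (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0) : 0;

            if (stream) {
                /* collect the segments of the opposite direction */
                MemBufferReset(payload);
                uint8_t flag = (p->flowflags & FLOW_PKT_TOSERVER) ? FLOW_PKT_TOCLIENT : FLOW_PKT_TOSERVER;
                StreamSegmentForEach((const Packet *)p, flag,
                        AlertJsonPrintStreamSegmentCallback, (void *)payload);

                if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
                    unsigned long len = JSON_STREAM_BUFFER_SIZE * 2;
                    unsigned char encoded[len];
                    /* encode the collected bytes: the old code passed the
                     * MemBuffer struct itself, so the "payload" field held
                     * base64 of the struct header, not of the data */
                    Base64Encode(payload->buffer, payload->offset, encoded, &len);
                    json_object_set_new(js, "payload", json_string((char *)encoded));
                }
                if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) {
                    json_object_set_new(js, "payload_printable", json_string((char *)payload->buffer));
                }
            } else {
                /* single packet: make a printable copy of its payload */
                unsigned char packet_buf[p->payload_len + 1];
                uint32_t offset = 0;
                PrintStringsToBuffer(packet_buf, &offset, p->payload_len + 1, p->payload, p->payload_len);

                if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
                    /* base64 needs 4 output chars per 3 input bytes plus a
                     * NUL; 2*n is too small for n in {1,2,4}. NOTE(review):
                     * this encodes the printable-escaped copy, not the raw
                     * payload (the later AlertJson variant encodes raw). */
                    unsigned long len = 4 * ((offset + 2) / 3) + 1;
                    unsigned char encoded[len];
                    Base64Encode(packet_buf, offset, encoded, &len);
                    json_object_set_new(js, "payload", json_string((char *)encoded));
                }
                if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) {
                    json_object_set_new(js, "payload_printable", json_string((char *)packet_buf));
                }
            }
            json_object_set_new(js, "stream", json_integer(stream));
        }

        /* base64-encoded full packet */
        if (aft->file_ctx->flags & LOG_JSON_PACKET) {
            unsigned long len = 4 * ((GET_PKT_LEN(p) + 2) / 3) + 1;
            unsigned char encoded_packet[len];
            Base64Encode((unsigned char *)GET_PKT_DATA(p), GET_PKT_LEN(p), encoded_packet, &len);
            json_object_set_new(js, "packet", json_string((char *)encoded_packet));
        }

        OutputJSONBuffer(js, aft->file_ctx, aft->json_buffer);
        json_object_del(js, "alert");
    }

    json_object_clear(js);
    json_decref(js);
    return TM_ECODE_OK;
}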
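/**
 * \brief Write one eve "alert" record per alert on a packet, enriched with
 *        app-layer metadata, payload, packet and X-Forwarded-For data.
 *
 * One header is shared by all alerts of the packet; each iteration fills in
 * the per-alert keys, writes the record and removes them again so the next
 * alert starts from a clean header. Tagged packets additionally get a
 * separate "packet" record when LOG_JSON_TAGGED_PACKETS is set.
 *
 * \return TM_ECODE_OK always
 */
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
    MemBuffer *payload = aft->payload_buffer;
    AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
    json_t *hjs = NULL;
    int i;

    if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
        return TM_ECODE_OK;

    json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
    if (unlikely(js == NULL))
        return TM_ECODE_OK;

    for (i = 0; i < p->alerts.cnt; i++) {
        const PacketAlert *pa = &p->alerts.alerts[i];
        if (unlikely(pa->s == NULL))
            continue;

        MemBufferReset(aft->json_buffer);

        /* alert */
        AlertJsonHeader(p, pa, js);

        /* app-layer metadata for the alert's transaction; each block only
         * fires for the flow's detected protocol */
        if (p->flow != NULL) {
            uint16_t proto = FlowGetAppProtocol(p->flow);

            /* http alert */
            if ((json_output_ctx->flags & LOG_JSON_HTTP) && proto == ALPROTO_HTTP) {
                hjs = JsonHttpAddMetadata(p->flow, pa->tx_id);
                if (hjs)
                    json_object_set_new(js, "http", hjs);
            }
            /* tls alert */
            if ((json_output_ctx->flags & LOG_JSON_TLS) && proto == ALPROTO_TLS)
                AlertJsonTls(p->flow, js);
            /* ssh alert */
            if ((json_output_ctx->flags & LOG_JSON_SSH) && proto == ALPROTO_SSH)
                AlertJsonSsh(p->flow, js);
            /* smtp alert */
            if ((json_output_ctx->flags & LOG_JSON_SMTP) && proto == ALPROTO_SMTP) {
                hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id);
                if (hjs)
                    json_object_set_new(js, "smtp", hjs);
                hjs = JsonEmailAddMetadata(p->flow, pa->tx_id);
                if (hjs)
                    json_object_set_new(js, "email", hjs);
            }
        }

        /* payload */
        if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
            int stream = (p->proto == IPPROTO_TCP) ?
                (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0) : 0;

            if (stream) {
                /* stream match: gather the opposite direction's segments */
                MemBufferReset(payload);
                uint8_t flag = (p->flowflags & FLOW_PKT_TOSERVER) ? FLOW_PKT_TOCLIENT : FLOW_PKT_TOSERVER;
                StreamSegmentForEach((const Packet *)p, flag,
                        AlertJsonDumpStreamSegmentCallback, (void *)payload);

                if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
                    /* 4 output chars per 3 input bytes, plus the NUL */
                    unsigned long len = 4 * ((payload->offset + 2) / 3) + 1;
                    uint8_t encoded[len];
                    Base64Encode(payload->buffer, payload->offset, encoded, &len);
                    json_object_set_new(js, "payload", json_string((char *)encoded));
                }
                if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
                    uint8_t printable_buf[payload->offset + 1];
                    uint32_t offset = 0;
                    PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf),
                            payload->buffer, payload->offset);
                    json_object_set_new(js, "payload_printable", json_string((char *)printable_buf));
                }
            } else {
                /* single packet and not a stream */
                if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
                    /* 2*n+1 is short for n == 1 (needs 5 bytes); size exactly */
                    unsigned long len = 4 * ((p->payload_len + 2) / 3) + 1;
                    uint8_t encoded[len];
                    Base64Encode(p->payload, p->payload_len, encoded, &len);
                    json_object_set_new(js, "payload", json_string((char *)encoded));
                }
                if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
                    uint8_t printable_buf[p->payload_len + 1];
                    uint32_t offset = 0;
                    PrintStringsToBuffer(printable_buf, &offset, p->payload_len + 1,
                            p->payload, p->payload_len);
                    json_object_set_new(js, "payload_printable", json_string((char *)printable_buf));
                }
            }
            json_object_set_new(js, "stream", json_integer(stream));
        }

        /* base64-encoded full packet */
        if (json_output_ctx->flags & LOG_JSON_PACKET)
            AlertJsonPacket(p, js);

        /* xff header */
        HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
        if (xff_cfg != NULL && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
            int have_xff_ip = 0;
            char buffer[XFF_MAXLEN];

            if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
                if (pa->flags & PACKET_ALERT_FLAG_TX)
                    have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
                else
                    have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN);
            }

            if (have_xff_ip) {
                if (xff_cfg->flags & XFF_EXTRADATA) {
                    json_object_set_new(js, "xff", json_string(buffer));
                } else if (xff_cfg->flags & XFF_OVERWRITE) {
                    /* Overwrite mode replaces the observed endpoint with a
                     * value taken from a client-supplied header; it is only
                     * meaningful behind a trusted proxy. Use *_set_new: the
                     * previous json_object_set() kept an extra reference to
                     * the fresh string, leaking one per overwritten alert. */
                    const char *key = (p->flowflags & FLOW_PKT_TOCLIENT) ? "dest_ip" : "src_ip";
                    json_object_set_new(js, key, json_string(buffer));
                }
            }
        }

        OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);

        /* Strip the per-alert keys so the next alert of this packet does not
         * inherit metadata of a different transaction. Only "alert" used to
         * be removed; keys added by AlertJsonTls/AlertJsonSsh/AlertJsonPacket
         * are not known here and are left untouched. */
        json_object_del(js, "alert");
        json_object_del(js, "http");
        json_object_del(js, "smtp");
        json_object_del(js, "email");
        json_object_del(js, "xff");
    }

    json_object_clear(js);
    json_decref(js);

    if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags & LOG_JSON_TAGGED_PACKETS)) {
        MemBufferReset(aft->json_buffer);
        json_t *packetjs = CreateJSONHeader((Packet *)p, 0, "packet");
        if (likely(packetjs != NULL)) {
            AlertJsonPacket(p, packetjs);
            OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
            json_decref(packetjs);
        }
    }

    return TM_ECODE_OK;
}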
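/**
 * \brief Write eve "alert" records for decoder-event alerts on a packet.
 *
 * Unlike AlertJson() no packet header is built: the record carries only
 * "timestamp" (the packet time) and the "alert" object, with "tenant_id"
 * added when the packet belongs to a tenant. A new json object is created
 * per alert.
 *
 * \return TM_ECODE_OK always (allocation failures end the loop early)
 */
static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
    int i;
    char timebuf[64];
    json_t *js;

    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));

    for (i = 0; i < p->alerts.cnt; i++) {
        MemBufferReset(aft->json_buffer);
        const PacketAlert *pa = &p->alerts.alerts[i];
        if (unlikely(pa->s == NULL))
            continue;

        char *action = "allowed";
        if (pa->action & (ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH)) {
            action = "blocked";
        } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
            action = "blocked";
        }

        /* the hex dump of the first 32 packet bytes that used to be built
         * here was never written to the record, so it has been dropped */

        js = json_object();
        if (js == NULL)
            return TM_ECODE_OK;
        json_t *ajs = json_object();
        if (ajs == NULL) {
            json_decref(js);
            return TM_ECODE_OK;
        }

        /* time & tx; no 5-tuple is written for decoder events (presumably
         * because the packet may not have decoded far enough to have one) */
        json_object_set_new(js, "timestamp", json_string(timebuf));

        json_object_set_new(ajs, "action", json_string(action));
        json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
        json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
        json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
        json_object_set_new(ajs, "signature", json_string((pa->s->msg) ? pa->s->msg : ""));
        json_object_set_new(ajs, "category", json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
        json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
        if (p->tenant_id > 0)
            json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));

        /* alert */
        json_object_set_new(js, "alert", ajs);
        OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);

        json_object_clear(js);
        json_decref(js);
    }

    return TM_ECODE_OK;
}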
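/**
 * \internal
 * \brief Write the metadata of one extracted file as a single-line "file"
 *        JSON record.
 *
 * The record carries an "http" object (url, hostname, http_refer,
 * http_user_agent) and a "file" object (filename, magic, state, md5 when
 * the file is closed and NSS support is built in, stored, size).
 *
 * \param aft per-thread logger state
 * \param p   packet that completed the file
 * \param ff  file being logged
 */
static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
{
    MemBuffer *buffer = (MemBuffer *)aft->buffer;

    json_t *js = CreateJSONHeader((Packet *)p, 0, "file");
    if (unlikely(js == NULL))
        return;

    /* reset */
    MemBufferReset(buffer);

    json_t *hjs = json_object();
    if (unlikely(hjs == NULL)) {
        json_decref(js);
        return;
    }
    json_object_set_new(hjs, "url", LogFileMetaGetUri(p, ff));
    json_object_set_new(hjs, "hostname", LogFileMetaGetHost(p, ff));
    json_object_set_new(hjs, "http_refer", LogFileMetaGetReferer(p, ff));
    json_object_set_new(hjs, "http_user_agent", LogFileMetaGetUserAgent(p, ff));
    /* ownership of hjs passes to js */
    json_object_set_new(js, "http", hjs);

    json_t *fjs = json_object();
    if (unlikely(fjs == NULL)) {
        /* js already owns hjs: decref'ing hjs separately here, as the old
         * code did, dropped that reference twice */
        json_decref(js);
        return;
    }

    char *name = BytesToString(ff->name, ff->name_len);
    json_object_set_new(fjs, "filename", json_string(name));
    if (name != NULL)
        SCFree(name);

    json_object_set_new(fjs, "magic", json_string(ff->magic ? (char *)ff->magic : "unknown"));

    switch (ff->state) {
        case FILE_STATE_CLOSED:
            json_object_set_new(fjs, "state", json_string("CLOSED"));
#ifdef HAVE_NSS
            if (ff->flags & FILE_MD5) {
                /* two hex chars per digest byte plus the NUL; a stack buffer
                 * removes the allocation-failure path the heap copy had */
                char hex[sizeof(ff->md5) * 2 + 1];
                size_t x;
                int n = 0;
                for (x = 0; x < sizeof(ff->md5); x++) {
                    n += snprintf(&hex[n], sizeof(hex) - n, "%02x", ff->md5[x]);
                }
                json_object_set_new(fjs, "md5", json_string(hex));
            }
#endif
            break;
        case FILE_STATE_TRUNCATED:
            json_object_set_new(fjs, "state", json_string("TRUNCATED"));
            break;
        case FILE_STATE_ERROR:
            json_object_set_new(fjs, "state", json_string("ERROR"));
            break;
        default:
            json_object_set_new(fjs, "state", json_string("UNKNOWN"));
            break;
    }

    json_object_set_new(fjs, "stored", (ff->flags & FILE_STORED) ? json_true() : json_false());
    json_object_set_new(fjs, "size", json_integer(ff->size));
    json_object_set_new(js, "file", fjs);

    OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, buffer);

    json_object_del(js, "file");
    json_object_del(js, "http");
    json_object_clear(js);
    json_decref(js);
}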
/**
 * \brief Log a dropped packet as an eve "drop" record (inline mode).
 *
 * The "drop" object carries the IP header fields (IPv4: len, tos, ttl,
 * ipid; IPv6: len, tc, hoplimit, flowlbl) and, depending on the transport,
 * TCP sequence/ack/window/flags, the UDP length or the ICMP id/seq. Layer-4
 * fields are only written when the packet actually decoded to that
 * protocol. With LOG_DROP_ALERTS the alerts that caused the drop are added
 * as well; if none of the alerts carries a reject/drop action, the packet's
 * own drop alert is used.
 *
 * \param aft per-thread logger state
 * \param p   packet being logged
 * \return TM_ECODE_OK always
 */
static int DropLogJSON(JsonDropLogThread *aft, const Packet *p)
{
    JsonDropOutputCtx *drop_ctx = aft->drop_ctx;

    json_t *root = CreateJSONHeader(p, LOG_DIR_PACKET, "drop");
    if (unlikely(root == NULL))
        return TM_ECODE_OK;
    JsonAddCommonOptions(&drop_ctx->cfg, p, p->flow, root);

    json_t *drop = json_object();
    if (unlikely(drop == NULL)) {
        json_decref(root);
        return TM_ECODE_OK;
    }

    MemBufferReset(aft->buffer);

    uint16_t l4proto = 0;
    if (PKT_IS_IPV4(p)) {
        json_object_set_new(drop, "len", json_integer(IPV4_GET_IPLEN(p)));
        json_object_set_new(drop, "tos", json_integer(IPV4_GET_IPTOS(p)));
        json_object_set_new(drop, "ttl", json_integer(IPV4_GET_IPTTL(p)));
        json_object_set_new(drop, "ipid", json_integer(IPV4_GET_IPID(p)));
        l4proto = IPV4_GET_IPPROTO(p);
    } else if (PKT_IS_IPV6(p)) {
        json_object_set_new(drop, "len", json_integer(IPV6_GET_PLEN(p)));
        json_object_set_new(drop, "tc", json_integer(IPV6_GET_CLASS(p)));
        json_object_set_new(drop, "hoplimit", json_integer(IPV6_GET_HLIM(p)));
        json_object_set_new(drop, "flowlbl", json_integer(IPV6_GET_FLOW(p)));
        l4proto = IPV6_GET_L4PROTO(p);
    }

    if (l4proto == IPPROTO_TCP && PKT_IS_TCP(p)) {
        json_object_set_new(drop, "tcpseq", json_integer(TCP_GET_SEQ(p)));
        json_object_set_new(drop, "tcpack", json_integer(TCP_GET_ACK(p)));
        json_object_set_new(drop, "tcpwin", json_integer(TCP_GET_WINDOW(p)));
        json_object_set_new(drop, "syn", TCP_ISSET_FLAG_SYN(p) ? json_true() : json_false());
        json_object_set_new(drop, "ack", TCP_ISSET_FLAG_ACK(p) ? json_true() : json_false());
        json_object_set_new(drop, "psh", TCP_ISSET_FLAG_PUSH(p) ? json_true() : json_false());
        json_object_set_new(drop, "rst", TCP_ISSET_FLAG_RST(p) ? json_true() : json_false());
        json_object_set_new(drop, "urg", TCP_ISSET_FLAG_URG(p) ? json_true() : json_false());
        json_object_set_new(drop, "fin", TCP_ISSET_FLAG_FIN(p) ? json_true() : json_false());
        json_object_set_new(drop, "tcpres", json_integer(TCP_GET_RAW_X2(p->tcph)));
        json_object_set_new(drop, "tcpurgp", json_integer(TCP_GET_URG_POINTER(p)));
    } else if (l4proto == IPPROTO_UDP && PKT_IS_UDP(p)) {
        json_object_set_new(drop, "udplen", json_integer(UDP_GET_LEN(p)));
    } else if (l4proto == IPPROTO_ICMP) {
        if (PKT_IS_ICMPV4(p)) {
            json_object_set_new(drop, "icmp_id", json_integer(ICMPV4_GET_ID(p)));
            json_object_set_new(drop, "icmp_seq", json_integer(ICMPV4_GET_SEQ(p)));
        } else if (PKT_IS_ICMPV6(p)) {
            json_object_set_new(drop, "icmp_id", json_integer(ICMPV6_GET_ID(p)));
            json_object_set_new(drop, "icmp_seq", json_integer(ICMPV6_GET_SEQ(p)));
        }
    }

    json_object_set_new(root, "drop", drop);

    if (drop_ctx->flags & LOG_DROP_ALERTS) {
        int wrote_alert = 0;
        for (int idx = 0; idx < p->alerts.cnt; idx++) {
            const PacketAlert *pa = &p->alerts.alerts[idx];
            if (unlikely(pa->s == NULL))
                continue;
            int rejects = pa->action & (ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH);
            int drops = (pa->action & ACTION_DROP) && EngineModeIsIPS();
            if (rejects || drops) {
                AlertJsonHeader(NULL, p, pa, root, 0);
                wrote_alert = 1;
            }
        }
        /* fall back to the packet-level drop alert */
        if (!wrote_alert && p->alerts.drop.action != 0) {
            AlertJsonHeader(NULL, p, &p->alerts.drop, root, 0);
        }
    }

    OutputJSONBuffer(root, drop_ctx->file_ctx, &aft->buffer);

    json_object_del(root, "drop");
    json_object_clear(root);
    json_decref(root);
    return TM_ECODE_OK;
}
/**
 * \internal
 * \brief Write the metadata of one extracted file as a single-line
 *        "fileinfo" JSON record.
 *
 * Protocol metadata is attached first (an "http" object for HTTP flows,
 * "smtp" plus "email" for SMTP flows), then "app_proto" and the "fileinfo"
 * object (filename, magic if known, state, md5 for closed files when NSS is
 * built in, stored, file_id when stored, size, tx_id). The key is named
 * "fileinfo" rather than "file" because of bug 1127.
 *
 * \param aft per-thread logger state
 * \param p   packet that completed the file; p->flow is dereferenced
 *            unconditionally (the caller presumably guarantees a flow)
 * \param ff  file being logged
 */
static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
{
    json_t *root = CreateJSONHeader((Packet *)p, 0, "fileinfo");
    if (unlikely(root == NULL))
        return;

    MemBufferReset(aft->buffer);

    const uint16_t alproto = p->flow->alproto;
    json_t *meta = NULL;
    if (alproto == ALPROTO_HTTP) {
        meta = JsonHttpAddMetadata(p->flow, ff->txid);
        if (meta)
            json_object_set_new(root, "http", meta);
    } else if (alproto == ALPROTO_SMTP) {
        meta = JsonSMTPAddMetadata(p->flow, ff->txid);
        if (meta)
            json_object_set_new(root, "smtp", meta);
        meta = JsonEmailAddMetadata(p->flow, ff->txid);
        if (meta)
            json_object_set_new(root, "email", meta);
    }
    json_object_set_new(root, "app_proto", json_string(AppProtoToString(alproto)));

    json_t *info = json_object();
    if (unlikely(info == NULL)) {
        json_decref(root);
        return;
    }

    char *name = BytesToString(ff->name, ff->name_len);
    json_object_set_new(info, "filename", json_string(name));
    if (name != NULL)
        SCFree(name);

    if (ff->magic)
        json_object_set_new(info, "magic", json_string((char *)ff->magic));

    const char *state_str;
    switch (ff->state) {
        case FILE_STATE_CLOSED:
            state_str = "CLOSED";
            break;
        case FILE_STATE_TRUNCATED:
            state_str = "TRUNCATED";
            break;
        case FILE_STATE_ERROR:
            state_str = "ERROR";
            break;
        default:
            state_str = "UNKNOWN";
            break;
    }
    json_object_set_new(info, "state", json_string(state_str));
#ifdef HAVE_NSS
    if (ff->state == FILE_STATE_CLOSED && (ff->flags & FILE_MD5)) {
        char md5hex[256];
        int pos = 0;
        for (size_t x = 0; x < sizeof(ff->md5); x++) {
            pos += snprintf(&md5hex[pos], 255 - pos, "%02x", ff->md5[x]);
        }
        json_object_set_new(info, "md5", json_string(md5hex));
    }
#endif

    json_object_set_new(info, "stored", (ff->flags & FILE_STORED) ? json_true() : json_false());
    if (ff->flags & FILE_STORED)
        json_object_set_new(info, "file_id", json_integer(ff->file_id));
    json_object_set_new(info, "size", json_integer(ff->size));
    json_object_set_new(info, "tx_id", json_integer(ff->txid));

    /* originally just 'file', but due to bug 1127 naming it fileinfo */
    json_object_set_new(root, "fileinfo", info);

    OutputJSONBuffer(root, aft->filelog_ctx->file_ctx, &aft->buffer);

    /* root owns info and the protocol metadata; one decref frees them all */
    json_decref(root);
}
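/**
 * \brief Packet logger that writes the eve "ssh" record once per flow.
 *
 * Runs under the flow write lock. Nothing is written until both the client
 * and server banners have been parsed; after a successful write the client
 * header is marked SSH_FLAG_STATE_LOGGED.
 *
 * \return 0 always
 */
static int JsonSshLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
    JsonSshLogThread *aft = (JsonSshLogThread *)thread_data;
    OutputSshCtx *ssh_ctx = aft->sshlog_ctx;

    if (unlikely(p->flow == NULL))
        return 0;

    /* check if we have SSH state or not */
    FLOWLOCK_WRLOCK(p->flow);
    if (FlowGetAppProtocol(p->flow) != ALPROTO_SSH)
        goto end;

    SshState *ssh_state = (SshState *)FlowGetAppState(p->flow);
    if (unlikely(ssh_state == NULL))
        goto end;
    if (ssh_state->cli_hdr.software_version == NULL ||
            ssh_state->srv_hdr.software_version == NULL)
        goto end;

    json_t *js = CreateJSONHeader((Packet *)p, 1, "ssh");
    if (unlikely(js == NULL))
        goto end;
    json_t *tjs = json_object();
    if (tjs == NULL) {
        /* release the header through jansson's refcount; free() on a json_t
         * skips the child values the header already owns */
        json_decref(js);
        goto end;
    }

    MemBufferReset(aft->buffer);

    /* a NULL cjs/sjs is rejected by json_object_set_new, so the record is
     * simply written without that side */
    json_t *cjs = json_object();
    if (cjs != NULL) {
        json_object_set_new(cjs, "proto_version", json_string((char *)ssh_state->cli_hdr.proto_version));
        json_object_set_new(cjs, "software_version", json_string((char *)ssh_state->cli_hdr.software_version));
    }
    json_object_set_new(tjs, "client", cjs);

    json_t *sjs = json_object();
    if (sjs != NULL) {
        json_object_set_new(sjs, "proto_version", json_string((char *)ssh_state->srv_hdr.proto_version));
        json_object_set_new(sjs, "software_version", json_string((char *)ssh_state->srv_hdr.software_version));
    }
    json_object_set_new(tjs, "server", sjs);

    json_object_set_new(js, "ssh", tjs);
    OutputJSONBuffer(js, ssh_ctx->file_ctx, aft->buffer);
    json_object_clear(js);
    json_decref(js);

    /* we only log the state once */
    ssh_state->cli_hdr.flags |= SSH_FLAG_STATE_LOGGED;

end:
    FLOWLOCK_UNLOCK(p->flow);
    return 0;
}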
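/**
 * \brief Log a dropped packet as an eve "drop" record (inline mode).
 *
 * The "drop" object carries the IP header fields (IPv4: len, tos, ttl,
 * ipid; IPv6: len, tc, hoplimit, flowlbl) and, depending on the transport,
 * the TCP sequence/ack/window/flags, the UDP length or the ICMP id/seq.
 *
 * \param aft per-thread logger state
 * \param p   packet being logged
 * \return TM_ECODE_OK always
 */
static int DropLogJSON(JsonDropLogThread *aft, const Packet *p)
{
    uint16_t proto = 0;
    MemBuffer *buffer = (MemBuffer *)aft->buffer;

    json_t *js = CreateJSONHeader((Packet *)p, 0, "drop");
    if (unlikely(js == NULL))
        return TM_ECODE_OK;
    json_t *djs = json_object();
    if (unlikely(djs == NULL)) {
        json_decref(js);
        return TM_ECODE_OK;
    }

    /* reset */
    MemBufferReset(buffer);

    if (PKT_IS_IPV4(p)) {
        json_object_set_new(djs, "len", json_integer(IPV4_GET_IPLEN(p)));
        json_object_set_new(djs, "tos", json_integer(IPV4_GET_IPTOS(p)));
        json_object_set_new(djs, "ttl", json_integer(IPV4_GET_IPTTL(p)));
        json_object_set_new(djs, "ipid", json_integer(IPV4_GET_IPID(p)));
        proto = IPV4_GET_IPPROTO(p);
    } else if (PKT_IS_IPV6(p)) {
        json_object_set_new(djs, "len", json_integer(IPV6_GET_PLEN(p)));
        json_object_set_new(djs, "tc", json_integer(IPV6_GET_CLASS(p)));
        json_object_set_new(djs, "hoplimit", json_integer(IPV6_GET_HLIM(p)));
        json_object_set_new(djs, "flowlbl", json_integer(IPV6_GET_FLOW(p)));
        proto = IPV6_GET_L4PROTO(p);
    }

    /* The IP header's protocol number only says what the next header claims
     * to be; a truncated or malformed packet may never have had its TCP/UDP
     * header decoded. Guard each block on the decoded-header check, as the
     * ICMP branch already did, instead of reading p->tcph/p->udph blindly. */
    switch (proto) {
        case IPPROTO_TCP:
            if (PKT_IS_TCP(p)) {
                json_object_set_new(djs, "tcpseq", json_integer(TCP_GET_SEQ(p)));
                json_object_set_new(djs, "tcpack", json_integer(TCP_GET_ACK(p)));
                json_object_set_new(djs, "tcpwin", json_integer(TCP_GET_WINDOW(p)));
                json_object_set_new(djs, "syn", TCP_ISSET_FLAG_SYN(p) ? json_true() : json_false());
                json_object_set_new(djs, "ack", TCP_ISSET_FLAG_ACK(p) ? json_true() : json_false());
                json_object_set_new(djs, "psh", TCP_ISSET_FLAG_PUSH(p) ? json_true() : json_false());
                json_object_set_new(djs, "rst", TCP_ISSET_FLAG_RST(p) ? json_true() : json_false());
                json_object_set_new(djs, "urg", TCP_ISSET_FLAG_URG(p) ? json_true() : json_false());
                json_object_set_new(djs, "fin", TCP_ISSET_FLAG_FIN(p) ? json_true() : json_false());
                json_object_set_new(djs, "tcpres", json_integer(TCP_GET_RAW_X2(p->tcph)));
                json_object_set_new(djs, "tcpurgp", json_integer(TCP_GET_URG_POINTER(p)));
            }
            break;
        case IPPROTO_UDP:
            if (PKT_IS_UDP(p)) {
                json_object_set_new(djs, "udplen", json_integer(UDP_GET_LEN(p)));
            }
            break;
        case IPPROTO_ICMP:
            if (PKT_IS_ICMPV4(p)) {
                json_object_set_new(djs, "icmp_id", json_integer(ICMPV4_GET_ID(p)));
                json_object_set_new(djs, "icmp_seq", json_integer(ICMPV4_GET_SEQ(p)));
            } else if (PKT_IS_ICMPV6(p)) {
                json_object_set_new(djs, "icmp_id", json_integer(ICMPV6_GET_ID(p)));
                json_object_set_new(djs, "icmp_seq", json_integer(ICMPV6_GET_SEQ(p)));
            }
            break;
        default:
            break;
    }

    json_object_set_new(js, "drop", djs);
    OutputJSONBuffer(js, aft->file_ctx, buffer);

    json_object_del(js, "drop");
    json_object_clear(js);
    json_decref(js);
    return TM_ECODE_OK;
}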