static void JsonAddPacketvars(const Packet *p, json_t *js_vars) { if (p == NULL || p->pktvar == NULL) { return; } json_t *js_pktvars = NULL; PktVar *pv = p->pktvar; while (pv != NULL) { if (pv->key || pv->id > 0) { if (js_pktvars == NULL) { js_pktvars = json_array(); if (js_pktvars == NULL) break; } json_t *js_pair = json_object(); if (js_pair == NULL) { break; } if (pv->key != NULL) { uint32_t offset = 0; uint8_t keybuf[pv->key_len + 1]; PrintStringsToBuffer(keybuf, &offset, sizeof(keybuf), pv->key, pv->key_len); uint32_t len = pv->value_len; uint8_t printable_buf[len + 1]; offset = 0; PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), pv->value, pv->value_len); json_object_set_new(js_pair, (char *)keybuf, json_string((char *)printable_buf)); } else { const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR); uint32_t len = pv->value_len; uint8_t printable_buf[len + 1]; uint32_t offset = 0; PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), pv->value, pv->value_len); json_object_set_new(js_pair, varname, json_string((char *)printable_buf)); } json_array_append_new(js_pktvars, js_pair); } pv = pv->next; } if (js_pktvars) { json_object_set_new(js_vars, "pktvars", js_pktvars); } }
/* Callback function to pack payload contents from a stream into a buffer * so we can report them in JSON output. */ static int AlertJsonPrintStreamSegmentCallback(const Packet *p, void *data, uint8_t *buf, uint32_t buflen) { MemBuffer *payload = (MemBuffer *)data; PrintStringsToBuffer(payload->buffer, &payload->offset, payload->size, buf, buflen); return 1; }
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) { MemBuffer *payload = aft->payload_buffer; AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx; json_t *hjs = NULL; int i; if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG)) return TM_ECODE_OK; json_t *js = CreateJSONHeader((Packet *)p, 0, "alert"); if (unlikely(js == NULL)) return TM_ECODE_OK; for (i = 0; i < p->alerts.cnt; i++) { const PacketAlert *pa = &p->alerts.alerts[i]; if (unlikely(pa->s == NULL)) { continue; } MemBufferReset(aft->json_buffer); /* alert */ AlertJsonHeader(p, pa, js); if (json_output_ctx->flags & LOG_JSON_HTTP) { if (p->flow != NULL) { uint16_t proto = FlowGetAppProtocol(p->flow); /* http alert */ if (proto == ALPROTO_HTTP) { hjs = JsonHttpAddMetadata(p->flow, pa->tx_id); if (hjs) json_object_set_new(js, "http", hjs); } } } if (json_output_ctx->flags & LOG_JSON_TLS) { if (p->flow != NULL) { uint16_t proto = FlowGetAppProtocol(p->flow); /* http alert */ if (proto == ALPROTO_TLS) AlertJsonTls(p->flow, js); } } if (json_output_ctx->flags & LOG_JSON_SSH) { if (p->flow != NULL) { uint16_t proto = FlowGetAppProtocol(p->flow); /* http alert */ if (proto == ALPROTO_SSH) AlertJsonSsh(p->flow, js); } } if (json_output_ctx->flags & LOG_JSON_SMTP) { if (p->flow != NULL) { uint16_t proto = FlowGetAppProtocol(p->flow); /* http alert */ if (proto == ALPROTO_SMTP) { hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id); if (hjs) json_object_set_new(js, "smtp", hjs); hjs = JsonEmailAddMetadata(p->flow, pa->tx_id); if (hjs) json_object_set_new(js, "email", hjs); } } } /* payload */ if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) { int stream = (p->proto == IPPROTO_TCP) ? (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0) : 0; /* Is this a stream? If so, pack part of it into the payload field */ if (stream) { uint8_t flag; MemBufferReset(payload); if (p->flowflags & FLOW_PKT_TOSERVER) { flag = FLOW_PKT_TOCLIENT; } else { flag = FLOW_PKT_TOSERVER; } StreamSegmentForEach((const Packet *)p, flag, AlertJsonDumpStreamSegmentCallback, (void *)payload); if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { unsigned long len = json_output_ctx->payload_buffer_size * 2; uint8_t encoded[len]; Base64Encode(payload->buffer, payload->offset, encoded, &len); json_object_set_new(js, "payload", json_string((char *)encoded)); } if (json_output_ctx->flags & LOG_JSON_PAYLOAD) { uint8_t printable_buf[payload->offset + 1]; uint32_t offset = 0; PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), payload->buffer, payload->offset); json_object_set_new(js, "payload_printable", json_string((char *)printable_buf)); } } else { /* This is a single packet and not a stream */ if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { unsigned long len = p->payload_len * 2 + 1; uint8_t encoded[len]; Base64Encode(p->payload, p->payload_len, encoded, &len); json_object_set_new(js, "payload", json_string((char *)encoded)); } if (json_output_ctx->flags & LOG_JSON_PAYLOAD) { uint8_t printable_buf[p->payload_len + 1]; uint32_t offset = 0; PrintStringsToBuffer(printable_buf, &offset, p->payload_len + 1, p->payload, p->payload_len); json_object_set_new(js, "payload_printable", json_string((char *)printable_buf)); } } json_object_set_new(js, "stream", json_integer(stream)); } /* base64-encoded full packet */ if (json_output_ctx->flags & LOG_JSON_PACKET) { AlertJsonPacket(p, js); } HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg; /* xff header */ if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) { int have_xff_ip = 0; char buffer[XFF_MAXLEN]; if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) { if (pa->flags & PACKET_ALERT_FLAG_TX) { have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN); } else { have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN); } } if (have_xff_ip) { if (xff_cfg->flags & XFF_EXTRADATA) { json_object_set_new(js, "xff", json_string(buffer)); } else if (xff_cfg->flags & XFF_OVERWRITE) { if (p->flowflags & FLOW_PKT_TOCLIENT) { json_object_set(js, "dest_ip", json_string(buffer)); } else { json_object_set(js, "src_ip", json_string(buffer)); } } } } OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer); json_object_del(js, "alert"); } json_object_clear(js); json_decref(js); if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags & LOG_JSON_TAGGED_PACKETS)) { MemBufferReset(aft->json_buffer); json_t *packetjs = CreateJSONHeader((Packet *)p, 0, "packet"); if (unlikely(packetjs != NULL)) { AlertJsonPacket(p, packetjs); OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer); json_decref(packetjs); } } return TM_ECODE_OK; }
/** Handle the case where no JSON support is compiled in. * */ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) { MemBuffer *payload = aft->payload_buffer; int i; if (p->alerts.cnt == 0) return TM_ECODE_OK; MemBufferReset(aft->json_buffer); json_t *js = CreateJSONHeader((Packet *)p, 0, "alert"); if (unlikely(js == NULL)) return TM_ECODE_OK; for (i = 0; i < p->alerts.cnt; i++) { const PacketAlert *pa = &p->alerts.alerts[i]; if (unlikely(pa->s == NULL)) { continue; } char *action = "allowed"; if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) { action = "blocked"; } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "blocked"; } json_t *ajs = json_object(); if (ajs == NULL) { json_decref(js); return TM_ECODE_OK; } json_object_set_new(ajs, "action", json_string(action)); json_object_set_new(ajs, "gid", json_integer(pa->s->gid)); json_object_set_new(ajs, "signature_id", json_integer(pa->s->id)); json_object_set_new(ajs, "rev", json_integer(pa->s->rev)); json_object_set_new(ajs, "signature", json_string((pa->s->msg) ? pa->s->msg : "")); json_object_set_new(ajs, "category", json_string((pa->s->class_msg) ? pa->s->class_msg : "")); json_object_set_new(ajs, "severity", json_integer(pa->s->prio)); /* alert */ json_object_set_new(js, "alert", ajs); /* payload */ if (aft->file_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) { int stream = (p->proto == IPPROTO_TCP) ? (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0) : 0; /* Is this a stream? If so, pack part of it into the payload field */ if (stream) { uint8_t flag; MemBufferReset(payload); if (p->flowflags & FLOW_PKT_TOSERVER) { flag = FLOW_PKT_TOCLIENT; } else { flag = FLOW_PKT_TOSERVER; } StreamSegmentForEach((const Packet *)p, flag, AlertJsonPrintStreamSegmentCallback, (void *)payload); if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { unsigned long len = JSON_STREAM_BUFFER_SIZE * 2; unsigned char encoded[len]; Base64Encode((unsigned char *)payload, payload->offset, encoded, &len); json_object_set_new(js, "payload", json_string((char *)encoded)); } if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) { json_object_set_new(js, "payload_printable", json_string((char *)payload->buffer)); } } else { /* This is a single packet and not a stream */ unsigned char packet_buf[p->payload_len + 1]; uint32_t offset = 0; PrintStringsToBuffer(packet_buf, &offset, p->payload_len + 1, p->payload, p->payload_len); if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { unsigned long len = sizeof(packet_buf) * 2; unsigned char encoded[len]; Base64Encode(packet_buf, offset, encoded, &len); json_object_set_new(js, "payload", json_string((char *)encoded)); } if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) { json_object_set_new(js, "payload_printable", json_string((char *)packet_buf)); } } json_object_set_new(js, "stream", json_integer(stream)); } /* base64-encoded full packet */ if (aft->file_ctx->flags & LOG_JSON_PACKET) { unsigned long len = GET_PKT_LEN(p) * 2; unsigned char encoded_packet[len]; Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p), encoded_packet, &len); json_object_set_new(js, "packet", json_string((char *)encoded_packet)); } OutputJSONBuffer(js, aft->file_ctx, aft->json_buffer); json_object_del(js, "alert"); } json_object_clear(js); json_decref(js); return TM_ECODE_OK; }
/** * \brief Add flow variables to a json object. * * Adds "flowvars" (map), "flowints" (map) and "flowbits" (array) to * the json object provided as js_root. */ static void JsonAddFlowVars(const Flow *f, json_t *js_root, json_t **js_traffic) { if (f == NULL || f->flowvar == NULL) { return; } json_t *js_flowvars = NULL; json_t *js_traffic_id = NULL; json_t *js_traffic_label = NULL; json_t *js_flowints = NULL; json_t *js_flowbits = NULL; GenericVar *gv = f->flowvar; while (gv != NULL) { if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) { FlowVar *fv = (FlowVar *)gv; if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) { const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_VAR); if (varname) { if (js_flowvars == NULL) { js_flowvars = json_array(); if (js_flowvars == NULL) break; } uint32_t len = fv->data.fv_str.value_len; uint8_t printable_buf[len + 1]; uint32_t offset = 0; PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), fv->data.fv_str.value, fv->data.fv_str.value_len); json_t *js_flowvar = json_object(); if (unlikely(js_flowvar == NULL)) { break; } json_object_set_new(js_flowvar, varname, json_string((char *)printable_buf)); json_array_append_new(js_flowvars, js_flowvar); } } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) { if (js_flowvars == NULL) { js_flowvars = json_array(); if (js_flowvars == NULL) break; } uint8_t keybuf[fv->keylen + 1]; uint32_t offset = 0; PrintStringsToBuffer(keybuf, &offset, sizeof(keybuf), fv->key, fv->keylen); uint32_t len = fv->data.fv_str.value_len; uint8_t printable_buf[len + 1]; offset = 0; PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), fv->data.fv_str.value, fv->data.fv_str.value_len); json_t *js_flowvar = json_object(); if (unlikely(js_flowvar == NULL)) { break; } json_object_set_new(js_flowvar, (const char *)keybuf, json_string((char *)printable_buf)); json_array_append_new(js_flowvars, js_flowvar); } else if (fv->datatype == FLOWVAR_TYPE_INT) { const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_INT); if (varname) { if (js_flowints == NULL) { js_flowints = json_object(); if (js_flowints == NULL) break; } json_object_set_new(js_flowints, varname, json_integer(fv->data.fv_int.value)); } } } else if (gv->type == DETECT_FLOWBITS) { FlowBit *fb = (FlowBit *)gv; const char *varname = VarNameStoreLookupById(fb->idx, VAR_TYPE_FLOW_BIT); if (varname) { if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) { if (js_traffic_id == NULL) { js_traffic_id = json_array(); if (unlikely(js_traffic_id == NULL)) { break; } } json_array_append_new(js_traffic_id, json_string(&varname[traffic_id_prefix_len])); } else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) { if (js_traffic_label == NULL) { js_traffic_label = json_array(); if (unlikely(js_traffic_label == NULL)) { break; } } json_array_append_new(js_traffic_label, json_string(&varname[traffic_label_prefix_len])); } else { if (js_flowbits == NULL) { js_flowbits = json_array(); if (unlikely(js_flowbits == NULL)) break; } json_array_append_new(js_flowbits, json_string(varname)); } } } gv = gv->next; } if (js_flowbits) { json_object_set_new(js_root, "flowbits", js_flowbits); } if (js_flowints) { json_object_set_new(js_root, "flowints", js_flowints); } if (js_flowvars) { json_object_set_new(js_root, "flowvars", js_flowvars); } if (js_traffic_id != NULL || js_traffic_label != NULL) { *js_traffic = json_object(); if (likely(*js_traffic != NULL)) { if (js_traffic_id != NULL) { json_object_set_new(*js_traffic, "id", js_traffic_id); } if (js_traffic_label != NULL) { json_object_set_new(*js_traffic, "label", js_traffic_label); } } } }