/**
* \brief Function to log the PktVars in to alert-debug.log
*
* \param aft Pointer to AltertDebugLog Thread
* \param p Pointer to the packet
*
*/
static void AlertDebugLogPktVars(AlertDebugLogThread *aft, const Packet *p)
{
const PktVar *pv = p->pktvar;
while (pv != NULL) {
const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
MemBufferWriteString(aft->buffer, "PKTVAR: %s\n", varname);
PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
pv->value, pv->value_len);
pv = pv->next;
}
}
static void JsonAddPacketvars(const Packet *p, json_t *js_vars)
{
if (p == NULL || p->pktvar == NULL) {
return;
}
json_t *js_pktvars = NULL;
PktVar *pv = p->pktvar;
while (pv != NULL) {
if (pv->key || pv->id > 0) {
if (js_pktvars == NULL) {
js_pktvars = json_array();
if (js_pktvars == NULL)
break;
}
json_t *js_pair = json_object();
if (js_pair == NULL) {
break;
}
if (pv->key != NULL) {
uint32_t offset = 0;
uint8_t keybuf[pv->key_len + 1];
PrintStringsToBuffer(keybuf, &offset,
sizeof(keybuf),
pv->key, pv->key_len);
uint32_t len = pv->value_len;
uint8_t printable_buf[len + 1];
offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
pv->value, pv->value_len);
json_object_set_new(js_pair, (char *)keybuf,
json_string((char *)printable_buf));
} else {
const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
uint32_t len = pv->value_len;
uint8_t printable_buf[len + 1];
uint32_t offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
pv->value, pv->value_len);
json_object_set_new(js_pair, varname,
json_string((char *)printable_buf));
}
json_array_append_new(js_pktvars, js_pair);
}
pv = pv->next;
}
if (js_pktvars) {
json_object_set_new(js_vars, "pktvars", js_pktvars);
}
}
/**
* \brief Function to log the FlowVars in to alert-debug.log
*
* \param aft Pointer to AltertDebugLog Thread
* \param p Pointer to the packet
*
*/
static void AlertDebugLogFlowVars(AlertDebugLogThread *aft, const Packet *p)
{
const GenericVar *gv = p->flow->flowvar;
uint16_t i;
while (gv != NULL) {
if (gv->type == DETECT_FLOWBITS) {
FlowBit *fb = (FlowBit *)gv;
const char *fbname = VarNameStoreLookupById(fb->idx, VAR_TYPE_FLOW_BIT);
if (fbname) {
MemBufferWriteString(aft->buffer, "FLOWBIT: %s\n",
fbname);
}
} else if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
FlowVar *fv = (FlowVar *) gv;
if (fv->datatype == FLOWVAR_TYPE_STR) {
const char *fvname = VarNameStoreLookupById(fv->idx,
VAR_TYPE_FLOW_VAR);
MemBufferWriteString(aft->buffer, "FLOWVAR: \"%s\" => \"",
fvname);
for (i = 0; i < fv->data.fv_str.value_len; i++) {
if (isprint(fv->data.fv_str.value[i])) {
MemBufferWriteString(aft->buffer, "%c",
fv->data.fv_str.value[i]);
} else {
MemBufferWriteString(aft->buffer, "\\%02X",
fv->data.fv_str.value[i]);
}
}
MemBufferWriteString(aft->buffer, "\"\n");
} else if (fv->datatype == FLOWVAR_TYPE_INT) {
const char *fvname = VarNameStoreLookupById(fv->idx,
VAR_TYPE_FLOW_INT);
MemBufferWriteString(aft->buffer, "FLOWINT: \"%s\" =>"
" %"PRIu32"\n", fvname, fv->data.fv_int.value);
}
}
gv = gv->next;
}
}
/**
* \brief Add flow variables to a json object.
*
* Adds "flowvars" (map), "flowints" (map) and "flowbits" (array) to
* the json object provided as js_root.
*/
static void JsonAddFlowVars(const Flow *f, json_t *js_root, json_t **js_traffic)
{
if (f == NULL || f->flowvar == NULL) {
return;
}
json_t *js_flowvars = NULL;
json_t *js_traffic_id = NULL;
json_t *js_traffic_label = NULL;
json_t *js_flowints = NULL;
json_t *js_flowbits = NULL;
GenericVar *gv = f->flowvar;
while (gv != NULL) {
if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
FlowVar *fv = (FlowVar *)gv;
if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
const char *varname = VarNameStoreLookupById(fv->idx,
VAR_TYPE_FLOW_VAR);
if (varname) {
if (js_flowvars == NULL) {
js_flowvars = json_array();
if (js_flowvars == NULL)
break;
}
uint32_t len = fv->data.fv_str.value_len;
uint8_t printable_buf[len + 1];
uint32_t offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
fv->data.fv_str.value, fv->data.fv_str.value_len);
json_t *js_flowvar = json_object();
if (unlikely(js_flowvar == NULL)) {
break;
}
json_object_set_new(js_flowvar, varname,
json_string((char *)printable_buf));
json_array_append_new(js_flowvars, js_flowvar);
}
} else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
if (js_flowvars == NULL) {
js_flowvars = json_array();
if (js_flowvars == NULL)
break;
}
uint8_t keybuf[fv->keylen + 1];
uint32_t offset = 0;
PrintStringsToBuffer(keybuf, &offset,
sizeof(keybuf),
fv->key, fv->keylen);
uint32_t len = fv->data.fv_str.value_len;
uint8_t printable_buf[len + 1];
offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
fv->data.fv_str.value, fv->data.fv_str.value_len);
json_t *js_flowvar = json_object();
if (unlikely(js_flowvar == NULL)) {
break;
}
json_object_set_new(js_flowvar, (const char *)keybuf,
json_string((char *)printable_buf));
json_array_append_new(js_flowvars, js_flowvar);
} else if (fv->datatype == FLOWVAR_TYPE_INT) {
const char *varname = VarNameStoreLookupById(fv->idx,
VAR_TYPE_FLOW_INT);
if (varname) {
if (js_flowints == NULL) {
js_flowints = json_object();
if (js_flowints == NULL)
break;
}
json_object_set_new(js_flowints, varname,
json_integer(fv->data.fv_int.value));
}
}
} else if (gv->type == DETECT_FLOWBITS) {
FlowBit *fb = (FlowBit *)gv;
const char *varname = VarNameStoreLookupById(fb->idx,
VAR_TYPE_FLOW_BIT);
if (varname) {
if (SCStringHasPrefix(varname, TRAFFIC_ID_PREFIX)) {
if (js_traffic_id == NULL) {
js_traffic_id = json_array();
if (unlikely(js_traffic_id == NULL)) {
break;
}
}
json_array_append_new(js_traffic_id,
json_string(&varname[traffic_id_prefix_len]));
} else if (SCStringHasPrefix(varname, TRAFFIC_LABEL_PREFIX)) {
if (js_traffic_label == NULL) {
js_traffic_label = json_array();
if (unlikely(js_traffic_label == NULL)) {
break;
}
}
json_array_append_new(js_traffic_label,
json_string(&varname[traffic_label_prefix_len]));
} else {
if (js_flowbits == NULL) {
js_flowbits = json_array();
if (unlikely(js_flowbits == NULL))
break;
}
json_array_append_new(js_flowbits, json_string(varname));
}
}
}
gv = gv->next;
}
if (js_flowbits) {
json_object_set_new(js_root, "flowbits", js_flowbits);
}
if (js_flowints) {
json_object_set_new(js_root, "flowints", js_flowints);
}
if (js_flowvars) {
json_object_set_new(js_root, "flowvars", js_flowvars);
}
if (js_traffic_id != NULL || js_traffic_label != NULL) {
*js_traffic = json_object();
if (likely(*js_traffic != NULL)) {
if (js_traffic_id != NULL) {
json_object_set_new(*js_traffic, "id", js_traffic_id);
}
if (js_traffic_label != NULL) {
json_object_set_new(*js_traffic, "label", js_traffic_label);
}
}
}
}
