/**
* \brief Check if we need to drop-log this packet
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is tested
*
* \retval bool TRUE or FALSE
*/
static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
{
if (!EngineModeIsIPS()) {
SCLogDebug("engine is not running in inline mode, so returning");
return FALSE;
}
if (PKT_IS_PSEUDOPKT(p)) {
SCLogDebug("drop log doesn't log pseudo packets");
return FALSE;
}
if (g_droplog_flows_start && p->flow != NULL) {
int ret = FALSE;
/* for a flow that will be dropped fully, log just once per direction */
if (p->flow->flags & FLOW_ACTION_DROP) {
if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
ret = TRUE;
else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
ret = TRUE;
}
/* if drop is caused by signature, log anyway */
if (p->alerts.drop.action != 0)
ret = TRUE;
return ret;
} else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
return TRUE;
}
return FALSE;
}
/**
* \brief Check if we need to drop-log this packet
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is tested
*
* \retval bool TRUE or FALSE
*/
static int LogDropCondition(ThreadVars *tv, const Packet *p)
{
if (!EngineModeIsIPS()) {
SCLogDebug("engine is not running in inline mode, so returning");
return FALSE;
}
if (PKT_IS_PSEUDOPKT(p)) {
SCLogDebug("drop log doesn't log pseudo packets");
return FALSE;
}
if (p->flow != NULL) {
int ret = FALSE;
FLOWLOCK_RDLOCK(p->flow);
if (p->flow->flags & FLOW_ACTION_DROP) {
if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
ret = TRUE;
else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
ret = TRUE;
}
FLOWLOCK_UNLOCK(p->flow);
return ret;
} else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
return TRUE;
}
return FALSE;
}
void AlertJsonHeader(const PacketAlert *pa, json_t *js)
{
char *action = "allowed";
if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
action = "blocked";
} else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "blocked";
}
json_t *ajs = json_object();
if (ajs == NULL) {
json_decref(js);
return;
}
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
if (pa->flags & PACKET_ALERT_FLAG_TX)
json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
/* alert */
json_object_set_new(js, "alert", ajs);
}
/** Handle the case where no JSON support is compiled in.
*
*/
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
MemBuffer *buffer = (MemBuffer *)aft->buffer;
int i;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
if (unlikely(js == NULL))
return TM_ECODE_OK;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char *action = "allowed";
if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
action = "blocked";
} else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "blocked";
}
json_t *ajs = json_object();
if (ajs == NULL) {
json_decref(js);
return TM_ECODE_OK;
}
MemBufferReset(buffer);
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
/* alert */
json_object_set_new(js, "alert", ajs);
OutputJSONBuffer(js, aft->file_ctx, aft->buffer);
json_object_del(js, "alert");
}
json_object_clear(js);
json_decref(js);
return TM_ECODE_OK;
}
/**
* \brief Function which is called to print the decode alerts to the syslog
*
* \param tv Pointer to the threadvars
* \param p Pointer to the packet
* \param data pointer to the AlertSyslogThread
* \param pq pointer the to packet queue
* \param postpq pointer to the post processed packet queue
*
* \return On succes return TM_ECODE_OK
*/
static TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
SCMutexLock(&ast->file_ctx->fp_mutex);
ast->file_ctx->alerts += p->alerts.cnt;
char temp_buf_hdr[512];
char temp_buf_pkt[65] = "";
char temp_buf_tail[32];
char alert[2048] = "";
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
snprintf(temp_buf_hdr, sizeof(temp_buf_hdr), "%s[%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [Classification: %s] [Priority: %" PRIu32
"] [**] [Raw pkt: ", action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg,
pa->s->class_msg, pa->s->prio);
strlcpy(alert, temp_buf_hdr, sizeof(alert));
PrintRawLineHexBuf(temp_buf_pkt, sizeof(temp_buf_pkt), GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
strlcat(alert, temp_buf_pkt, sizeof(alert));
if (p->pcap_cnt != 0) {
snprintf(temp_buf_tail, sizeof(temp_buf_tail), "] [pcap file packet: %"PRIu64"]",
p->pcap_cnt);
} else {
temp_buf_tail[0] = ']';
temp_buf_tail[1] = '\0';
}
strlcat(alert, temp_buf_tail, sizeof(alert));
syslog(alert_syslog_level, "%s", alert);
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
/**
* \brief Function which is called to print the IPv6 alerts to the syslog
*
* \param tv Pointer to the threadvars
* \param p Pointer to the packet
* \param data pointer to the AlertSyslogThread
*
* \return On succes return TM_ECODE_OK
*/
static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
SCMutexLock(&ast->file_ctx->fp_mutex);
ast->file_ctx->alerts += p->alerts.cnt;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[46], dstip[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
dstip, p->dp);
} else {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
{
char *action = "allowed";
/* use packet action if rate_filter modified the action */
if (unlikely(pa->flags & PACKET_ALERT_RATE_FILTER_MODIFIED)) {
if (PACKET_TEST_ACTION(p, (ACTION_DROP|ACTION_REJECT|
ACTION_REJECT_DST|ACTION_REJECT_BOTH))) {
action = "blocked";
}
} else {
if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
action = "blocked";
} else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "blocked";
}
}
/* Add tx_id to root element for correlation with other events. */
json_object_del(js, "tx_id");
if (pa->flags & PACKET_ALERT_FLAG_TX)
json_object_set_new(js, "tx_id", json_integer(pa->tx_id));
json_t *ajs = json_object();
if (ajs == NULL) {
json_decref(js);
return;
}
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
if (p->tenant_id > 0)
json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
/* alert */
json_object_set_new(js, "alert", ajs);
}
static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
int i;
char timebuf[64];
json_t *js;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
for (i = 0; i < p->alerts.cnt; i++) {
MemBufferReset(aft->json_buffer);
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char *action = "allowed";
if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
action = "blocked";
} else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "blocked";
}
char buf[(32 * 3) + 1];
PrintRawLineHexBuf(buf, sizeof(buf), GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
js = json_object();
if (js == NULL)
return TM_ECODE_OK;
json_t *ajs = json_object();
if (ajs == NULL) {
json_decref(js);
return TM_ECODE_OK;
}
/* time & tx */
json_object_set_new(js, "timestamp", json_string(timebuf));
/* tuple */
//json_object_set_new(js, "srcip", json_string(srcip));
//json_object_set_new(js, "sp", json_integer(p->sp));
//json_object_set_new(js, "dstip", json_string(dstip));
//json_object_set_new(js, "dp", json_integer(p->dp));
//json_object_set_new(js, "proto", json_integer(proto));
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
if (p->tenant_id > 0)
json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
/* alert */
json_object_set_new(js, "alert", ajs);
OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
json_object_clear(js);
json_decref(js);
}
return TM_ECODE_OK;
}
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
MemBuffer *payload = aft->payload_buffer;
AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
int i;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
if (unlikely(js == NULL))
return TM_ECODE_OK;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
MemBufferReset(aft->json_buffer);
/* alert */
AlertJsonHeader(pa, js);
if (json_output_ctx->flags & LOG_JSON_HTTP) {
if (p->flow != NULL) {
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
/* http alert */
if (proto == ALPROTO_HTTP)
AlertJsonHttp(p->flow, js);
FLOWLOCK_UNLOCK(p->flow);
}
}
if (json_output_ctx->flags & LOG_JSON_TLS) {
if (p->flow != NULL) {
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
/* http alert */
if (proto == ALPROTO_TLS)
AlertJsonTls(p->flow, js);
FLOWLOCK_UNLOCK(p->flow);
}
}
if (json_output_ctx->flags & LOG_JSON_SSH) {
if (p->flow != NULL) {
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
/* http alert */
if (proto == ALPROTO_SSH)
AlertJsonSsh(p->flow, js);
FLOWLOCK_UNLOCK(p->flow);
}
}
/* payload */
if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
int stream = (p->proto == IPPROTO_TCP) ?
(pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ?
1 : 0) : 0;
/* Is this a stream? If so, pack part of it into the payload field */
if (stream) {
uint8_t flag;
MemBufferReset(payload);
if (!EngineModeIsIPS()) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
flag = FLOW_PKT_TOCLIENT;
} else {
flag = FLOW_PKT_TOSERVER;
}
} else {
if (p->flowflags & FLOW_PKT_TOSERVER) {
flag = FLOW_PKT_TOSERVER;
} else {
flag = FLOW_PKT_TOCLIENT;
}
}
StreamSegmentForEach((const Packet *)p, flag,
AlertJsonDumpStreamSegmentCallback,
(void *)payload);
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
unsigned long len = JSON_STREAM_BUFFER_SIZE * 2;
uint8_t encoded[len];
Base64Encode((unsigned char *)payload, payload->offset, encoded, &len);
json_object_set_new(js, "payload", json_string((char *)encoded));
}
if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
uint8_t printable_buf[payload->offset + 1];
uint32_t offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
(unsigned char *)payload, payload->offset);
json_object_set_new(js, "payload_printable",
json_string((char *)printable_buf));
}
} else {
/* This is a single packet and not a stream */
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
unsigned long len = p->payload_len * 2 + 1;
uint8_t encoded[len];
Base64Encode(p->payload, p->payload_len, encoded, &len);
json_object_set_new(js, "payload", json_string((char *)encoded));
}
if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
uint8_t printable_buf[p->payload_len + 1];
uint32_t offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
p->payload_len + 1,
p->payload, p->payload_len);
json_object_set_new(js, "payload_printable", json_string((char *)printable_buf));
}
}
json_object_set_new(js, "stream", json_integer(stream));
}
/* base64-encoded full packet */
if (json_output_ctx->flags & LOG_JSON_PACKET) {
unsigned long len = GET_PKT_LEN(p) * 2;
uint8_t encoded_packet[len];
Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p), encoded_packet, &len);
json_object_set_new(js, "packet", json_string((char *)encoded_packet));
}
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
/* xff header */
if (!(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
int have_xff_ip = 0;
char buffer[XFF_MAXLEN];
FLOWLOCK_RDLOCK(p->flow);
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
} else {
have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN);
}
}
FLOWLOCK_UNLOCK(p->flow);
if (have_xff_ip) {
if (xff_cfg->flags & XFF_EXTRADATA) {
json_object_set_new(js, "xff", json_string(buffer));
}
else if (xff_cfg->flags & XFF_OVERWRITE) {
if (p->flowflags & FLOW_PKT_TOCLIENT) {
json_object_set(js, "dest_ip", json_string(buffer));
} else {
json_object_set(js, "src_ip", json_string(buffer));
}
}
}
}
OutputJSONBuffer(js, aft->file_ctx, aft->json_buffer);
json_object_del(js, "alert");
}
json_object_clear(js);
json_decref(js);
return TM_ECODE_OK;
}
int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)
{
AlertFastLogThread *aft = (AlertFastLogThread *)data;
int i;
char timebuf[64];
int decoder_event = 0;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
} else {
decoder_event = 1;
}
/* Buffer to store the generated alert strings. The buffer is
* filled with alert strings until it doesn't have room to store
* another full alert, only then is the buffer written. This is
* more efficient for multiple alerts and only slightly slower for
* single alerts.
*/
char alert_buffer[MAX_FASTLOG_BUFFER_SIZE];
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char *action = "";
if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
char proto[16] = "";
if (likely(decoder_event == 0)) {
if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
}
}
/* Create the alert string without locking. */
int size = 0;
if (likely(decoder_event == 0)) {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
"%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "\n", timebuf, action,
pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
proto, srcip, p->sp, dstip, p->dp);
} else {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
"%s %s[**] [%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [**] [Classification: %s] [Priority: "
"%" PRIu32 "] [**] [Raw pkt: ", timebuf, action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio);
PrintBufferRawLineHex(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
if (p->pcap_cnt != 0) {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
"] [pcap file packet: %"PRIu64"]\n", p->pcap_cnt);
} else {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE, "]\n");
}
}
/* Write the alert to output file */
AlertFastLogOutputAlert(aft, alert_buffer, size);
}
return TM_ECODE_OK;
}
/** Handle the case where no JSON support is compiled in.
*
*/
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
MemBuffer *payload = aft->payload_buffer;
int i;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
MemBufferReset(aft->json_buffer);
json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
if (unlikely(js == NULL))
return TM_ECODE_OK;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char *action = "allowed";
if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
action = "blocked";
} else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "blocked";
}
json_t *ajs = json_object();
if (ajs == NULL) {
json_decref(js);
return TM_ECODE_OK;
}
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
/* alert */
json_object_set_new(js, "alert", ajs);
/* payload */
if (aft->file_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
int stream = (p->proto == IPPROTO_TCP) ?
(pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ?
1 : 0) : 0;
/* Is this a stream? If so, pack part of it into the payload field */
if (stream) {
uint8_t flag;
MemBufferReset(payload);
if (p->flowflags & FLOW_PKT_TOSERVER) {
flag = FLOW_PKT_TOCLIENT;
} else {
flag = FLOW_PKT_TOSERVER;
}
StreamSegmentForEach((const Packet *)p, flag,
AlertJsonPrintStreamSegmentCallback,
(void *)payload);
if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
unsigned long len = JSON_STREAM_BUFFER_SIZE * 2;
unsigned char encoded[len];
Base64Encode((unsigned char *)payload, payload->offset, encoded, &len);
json_object_set_new(js, "payload", json_string((char *)encoded));
}
if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) {
json_object_set_new(js, "payload_printable",
json_string((char *)payload->buffer));
}
} else {
/* This is a single packet and not a stream */
unsigned char packet_buf[p->payload_len + 1];
uint32_t offset = 0;
PrintStringsToBuffer(packet_buf, &offset,
p->payload_len + 1,
p->payload, p->payload_len);
if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
unsigned long len = sizeof(packet_buf) * 2;
unsigned char encoded[len];
Base64Encode(packet_buf, offset, encoded, &len);
json_object_set_new(js, "payload", json_string((char *)encoded));
}
if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) {
json_object_set_new(js, "payload_printable", json_string((char *)packet_buf));
}
}
json_object_set_new(js, "stream", json_integer(stream));
}
/* base64-encoded full packet */
if (aft->file_ctx->flags & LOG_JSON_PACKET) {
unsigned long len = GET_PKT_LEN(p) * 2;
unsigned char encoded_packet[len];
Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p), encoded_packet, &len);
json_object_set_new(js, "packet", json_string((char *)encoded_packet));
}
OutputJSONBuffer(js, aft->file_ctx, aft->json_buffer);
json_object_del(js, "alert");
}
json_object_clear(js);
json_decref(js);
return TM_ECODE_OK;
}
/**
* \brief Log the dropped packets in netfilter format when engine is running
* in inline mode
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is being logged
*
* \return return TM_EODE_OK on success
*/
static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
{
JsonDropOutputCtx *drop_ctx = aft->drop_ctx;
json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop");
if (unlikely(js == NULL))
return TM_ECODE_OK;
JsonAddCommonOptions(&drop_ctx->cfg, p, p->flow, js);
json_t *djs = json_object();
if (unlikely(djs == NULL)) {
json_decref(js);
return TM_ECODE_OK;
}
/* reset */
MemBufferReset(aft->buffer);
uint16_t proto = 0;
if (PKT_IS_IPV4(p)) {
json_object_set_new(djs, "len", json_integer(IPV4_GET_IPLEN(p)));
json_object_set_new(djs, "tos", json_integer(IPV4_GET_IPTOS(p)));
json_object_set_new(djs, "ttl", json_integer(IPV4_GET_IPTTL(p)));
json_object_set_new(djs, "ipid", json_integer(IPV4_GET_IPID(p)));
proto = IPV4_GET_IPPROTO(p);
} else if (PKT_IS_IPV6(p)) {
json_object_set_new(djs, "len", json_integer(IPV6_GET_PLEN(p)));
json_object_set_new(djs, "tc", json_integer(IPV6_GET_CLASS(p)));
json_object_set_new(djs, "hoplimit", json_integer(IPV6_GET_HLIM(p)));
json_object_set_new(djs, "flowlbl", json_integer(IPV6_GET_FLOW(p)));
proto = IPV6_GET_L4PROTO(p);
}
switch (proto) {
case IPPROTO_TCP:
if (PKT_IS_TCP(p)) {
json_object_set_new(djs, "tcpseq", json_integer(TCP_GET_SEQ(p)));
json_object_set_new(djs, "tcpack", json_integer(TCP_GET_ACK(p)));
json_object_set_new(djs, "tcpwin", json_integer(TCP_GET_WINDOW(p)));
json_object_set_new(djs, "syn", TCP_ISSET_FLAG_SYN(p) ? json_true() : json_false());
json_object_set_new(djs, "ack", TCP_ISSET_FLAG_ACK(p) ? json_true() : json_false());
json_object_set_new(djs, "psh", TCP_ISSET_FLAG_PUSH(p) ? json_true() : json_false());
json_object_set_new(djs, "rst", TCP_ISSET_FLAG_RST(p) ? json_true() : json_false());
json_object_set_new(djs, "urg", TCP_ISSET_FLAG_URG(p) ? json_true() : json_false());
json_object_set_new(djs, "fin", TCP_ISSET_FLAG_FIN(p) ? json_true() : json_false());
json_object_set_new(djs, "tcpres", json_integer(TCP_GET_RAW_X2(p->tcph)));
json_object_set_new(djs, "tcpurgp", json_integer(TCP_GET_URG_POINTER(p)));
}
break;
case IPPROTO_UDP:
if (PKT_IS_UDP(p)) {
json_object_set_new(djs, "udplen", json_integer(UDP_GET_LEN(p)));
}
break;
case IPPROTO_ICMP:
if (PKT_IS_ICMPV4(p)) {
json_object_set_new(djs, "icmp_id", json_integer(ICMPV4_GET_ID(p)));
json_object_set_new(djs, "icmp_seq", json_integer(ICMPV4_GET_SEQ(p)));
} else if(PKT_IS_ICMPV6(p)) {
json_object_set_new(djs, "icmp_id", json_integer(ICMPV6_GET_ID(p)));
json_object_set_new(djs, "icmp_seq", json_integer(ICMPV6_GET_SEQ(p)));
}
break;
}
json_object_set_new(js, "drop", djs);
if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
int logged = 0;
int i;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if ((pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) ||
((pa->action & ACTION_DROP) && EngineModeIsIPS()))
{
AlertJsonHeader(NULL, p, pa, js, 0);
logged = 1;
}
}
if (logged == 0) {
if (p->alerts.drop.action != 0) {
const PacketAlert *pa = &p->alerts.drop;
AlertJsonHeader(NULL, p, pa, js, 0);
}
}
}
OutputJSONBuffer(js, aft->drop_ctx->file_ctx, &aft->buffer);
json_object_del(js, "drop");
json_object_clear(js);
json_decref(js);
return TM_ECODE_OK;
}
