/** \internal * \brief fill lua stack with header info * \param luastate the lua state * \param f flow, locked * \retval cnt number of data items placed on the stack * * Places: ipver (number), src ip (string), dst ip (string), protocol (number), * sp or icmp type (number), dp or icmp code (number). */ static int LuaCallbackTuplePushToStackFromFlow(lua_State *luastate, const Flow *f) { int ipver = 0; if (FLOW_IS_IPV4(f)) { ipver = 4; } else if (FLOW_IS_IPV6(f)) { ipver = 6; } lua_pushnumber (luastate, ipver); if (ipver == 0) return 1; char srcip[46] = "", dstip[46] = ""; if (FLOW_IS_IPV4(f)) { PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip)); } else if (FLOW_IS_IPV6(f)) { PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip)); } lua_pushstring (luastate, srcip); lua_pushstring (luastate, dstip); /* proto and ports (or type/code) */ lua_pushnumber (luastate, f->proto); if (f->proto == IPPROTO_TCP || f->proto == IPPROTO_UDP) { lua_pushnumber (luastate, f->sp); lua_pushnumber (luastate, f->dp); } else if (f->proto == IPPROTO_ICMP || f->proto == IPPROTO_ICMPV6) { lua_pushnumber (luastate, f->type); lua_pushnumber (luastate, f->code); } else { lua_pushnumber (luastate, 0); lua_pushnumber (luastate, 0); } return 6; }
static inline int GetFlowAddresses(Flow *f, Address *ip_src, Address *ip_dst) { memset(ip_src, 0, sizeof(*ip_src)); memset(ip_dst, 0, sizeof(*ip_dst)); if (FLOW_IS_IPV4(f)) { FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, ip_src); FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, ip_dst); } else if (FLOW_IS_IPV6(f)) { FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, ip_src); FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, ip_dst); } else { return -1; } return 0; }
static int LogTcpDataLoggerDir(ThreadVars *tv, void *thread_data, const Flow *f, const uint8_t *data, uint32_t data_len, uint64_t tx_id, uint8_t flags) { SCEnter(); LogTcpDataLogThread *aft = thread_data; LogTcpDataFileCtx *td = aft->tcpdatalog_ctx; const char *mode = "a"; if (flags & OUTPUT_STREAMING_FLAG_OPEN) mode = "w"; if (data && data_len) { char srcip[46] = "", dstip[46] = ""; if (FLOW_IS_IPV4(f)) { PrintInet(AF_INET, (const void *)&f->src.addr_data32[0], srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)&f->dst.addr_data32[0], dstip, sizeof(dstip)); } else if (FLOW_IS_IPV6(f)) { PrintInet(AF_INET6, (const void *)f->src.addr_data32, srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)f->dst.addr_data32, dstip, sizeof(dstip)); } char name[PATH_MAX]; char tx[64] = { 0 }; if (flags & OUTPUT_STREAMING_FLAG_TRANSACTION) { snprintf(tx, sizeof(tx), "%"PRIu64, tx_id); } snprintf(name, sizeof(name), "%s/%s/%s_%u-%s_%u-%s-%s.data", td->log_dir, td->type == STREAMING_HTTP_BODIES ? "http" : "tcp", srcip, f->sp, dstip, f->dp, tx, flags & OUTPUT_STREAMING_FLAG_TOSERVER ? "ts" : "tc"); FILE *fp = fopen(name, mode); BUG_ON(fp == NULL); // PrintRawDataFp(stdout, (uint8_t *)data, data_len); fwrite(data, data_len, 1, fp); fclose(fp); } SCReturnInt(TM_ECODE_OK); }
static int LogTcpDataLoggerFile(ThreadVars *tv, void *thread_data, const Flow *f, const uint8_t *data, uint32_t data_len, uint64_t tx_id, uint8_t flags) { SCEnter(); LogTcpDataLogThread *aft = thread_data; LogTcpDataFileCtx *td = aft->tcpdatalog_ctx; if (data && data_len) { MemBufferReset(aft->buffer); char srcip[46] = "", dstip[46] = ""; if (FLOW_IS_IPV4(f)) { PrintInet(AF_INET, (const void *)&f->src.addr_data32[0], srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)&f->dst.addr_data32[0], dstip, sizeof(dstip)); } else if (FLOW_IS_IPV6(f)) { PrintInet(AF_INET6, (const void *)f->src.addr_data32, srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)f->dst.addr_data32, dstip, sizeof(dstip)); } char name[PATH_MAX]; snprintf(name, sizeof(name), "%s_%u-%s_%u-%s:", srcip, f->sp, dstip, f->dp, flags & OUTPUT_STREAMING_FLAG_TOSERVER ? "ts" : "tc"); PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size, (uint8_t *)name,strlen(name)); MemBufferWriteString(aft->buffer, "\n"); PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size, (uint8_t *)data,data_len); td->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer), MEMBUFFER_OFFSET(aft->buffer), td->file_ctx); } SCReturnInt(TM_ECODE_OK); }
/** * \internal * \brief Pseudo packet setup for flow forced reassembly. * * \param direction Direction of the packet. 0 indicates toserver and 1 * indicates toclient. * \param f Pointer to the flow. * \param ssn Pointer to the tcp session. * \param dummy Indicates to create a dummy pseudo packet. Not all pseudo * packets need to force reassembly, in which case we just * set dummy ack/seq values. */ static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p, int direction, Flow *f, TcpSession *ssn, int dummy) { p->datalink = DLT_RAW; p->proto = IPPROTO_TCP; FlowReference(&p->flow, f); p->flags |= PKT_STREAM_EST; p->flags |= PKT_STREAM_EOF; p->flags |= PKT_HAS_FLOW; p->flags |= PKT_PSEUDO_STREAM_END; if (direction == 0) p->flowflags |= FLOW_PKT_TOSERVER; else p->flowflags |= FLOW_PKT_TOCLIENT; p->flowflags |= FLOW_PKT_ESTABLISHED; p->payload = NULL; p->payload_len = 0; if (FLOW_IS_IPV4(f)) { if (direction == 0) { FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->src); FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->dst); p->sp = f->sp; p->dp = f->dp; } else { FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->dst); FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->src); p->sp = f->dp; p->dp = f->sp; } /* set the ip header */ p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p); /* version 4 and length 20 bytes for the tcp header */ p->ip4h->ip_verhl = 0x45; p->ip4h->ip_tos = 0; p->ip4h->ip_len = htons(40); p->ip4h->ip_id = 0; p->ip4h->ip_off = 0; p->ip4h->ip_ttl = 64; p->ip4h->ip_proto = IPPROTO_TCP; //p->ip4h->ip_csum = if (direction == 0) { p->ip4h->s_ip_src.s_addr = f->src.addr_data32[0]; p->ip4h->s_ip_dst.s_addr = f->dst.addr_data32[0]; } else { p->ip4h->s_ip_src.s_addr = f->dst.addr_data32[0]; p->ip4h->s_ip_dst.s_addr = f->src.addr_data32[0]; } /* set the tcp header */ p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 20); SET_PKT_LEN(p, 40); /* ipv4 hdr + tcp hdr */ } else if (FLOW_IS_IPV6(f)) { if (direction == 0) { FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->src); FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->dst); p->sp = f->sp; p->dp = f->dp; } else { FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->dst); FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->src); p->sp = f->dp; p->dp = f->sp; } /* set the ip header */ p->ip6h = (IPV6Hdr *)GET_PKT_DATA(p); /* version 6 */ p->ip6h->s_ip6_vfc = 0x60; p->ip6h->s_ip6_flow = 0; p->ip6h->s_ip6_nxt = IPPROTO_TCP; p->ip6h->s_ip6_plen = htons(20); p->ip6h->s_ip6_hlim = 64; if (direction == 0) { p->ip6h->s_ip6_src[0] = f->src.addr_data32[0]; p->ip6h->s_ip6_src[1] = f->src.addr_data32[1]; p->ip6h->s_ip6_src[2] = f->src.addr_data32[2]; p->ip6h->s_ip6_src[3] = f->src.addr_data32[3]; p->ip6h->s_ip6_dst[0] = f->dst.addr_data32[0]; p->ip6h->s_ip6_dst[1] = f->dst.addr_data32[1]; p->ip6h->s_ip6_dst[2] = f->dst.addr_data32[2]; p->ip6h->s_ip6_dst[3] = f->dst.addr_data32[3]; } else { p->ip6h->s_ip6_src[0] = f->dst.addr_data32[0]; p->ip6h->s_ip6_src[1] = f->dst.addr_data32[1]; p->ip6h->s_ip6_src[2] = f->dst.addr_data32[2]; p->ip6h->s_ip6_src[3] = f->dst.addr_data32[3]; p->ip6h->s_ip6_dst[0] = f->src.addr_data32[0]; p->ip6h->s_ip6_dst[1] = f->src.addr_data32[1]; p->ip6h->s_ip6_dst[2] = f->src.addr_data32[2]; p->ip6h->s_ip6_dst[3] = f->src.addr_data32[3]; } /* set the tcp header */ p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 40); SET_PKT_LEN(p, 60); /* ipv6 hdr + tcp hdr */ } p->tcph->th_offx2 = 0x50; p->tcph->th_flags |= TH_ACK; p->tcph->th_win = 10; p->tcph->th_urp = 0; /* to server */ if (direction == 0) { p->tcph->th_sport = htons(f->sp); p->tcph->th_dport = htons(f->dp); if (dummy) { p->tcph->th_seq = htonl(ssn->client.next_seq); p->tcph->th_ack = htonl(ssn->server.last_ack); } else { p->tcph->th_seq = htonl(ssn->client.next_seq); p->tcph->th_ack = htonl(ssn->server.seg_list_tail->seq + ssn->server.seg_list_tail->payload_len); } /* to client */ } else { p->tcph->th_sport = htons(f->dp); p->tcph->th_dport = htons(f->sp); if (dummy) { p->tcph->th_seq = htonl(ssn->server.next_seq); p->tcph->th_ack = htonl(ssn->client.last_ack); } else { p->tcph->th_seq = htonl(ssn->server.next_seq); p->tcph->th_ack = htonl(ssn->client.seg_list_tail->seq + ssn->client.seg_list_tail->payload_len); } } if (FLOW_IS_IPV4(f)) { p->tcph->th_sum = TCPCalculateChecksum(p->ip4h->s_ip_addrs, (uint16_t *)p->tcph, 20); /* calc ipv4 csum as we may log it and barnyard might reject * a wrong checksum */ p->ip4h->ip_csum = IPV4CalculateChecksum((uint16_t *)p->ip4h, IPV4_GET_RAW_HLEN(p->ip4h)); } else if (FLOW_IS_IPV6(f)) { p->tcph->th_sum = TCPCalculateChecksum(p->ip6h->s_ip6_addrs, (uint16_t *)p->tcph, 20); } memset(&p->ts, 0, sizeof(struct timeval)); TimeGet(&p->ts); AppLayerSetEOF(f); return p; }
static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type) { char timebuf[64]; char srcip[46] = {0}, dstip[46] = {0}; Port sp, dp; json_t *js = json_object(); if (unlikely(js == NULL)) return NULL; struct timeval tv; memset(&tv, 0x00, sizeof(tv)); TimeGet(&tv); CreateIsoTimeString(&tv, timebuf, sizeof(timebuf)); if ((f->flags & FLOW_DIR_REVERSED) == 0) { if (FLOW_IS_IPV4(f)) { PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip)); } else if (FLOW_IS_IPV6(f)) { PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip)); } sp = f->sp; dp = f->dp; } else { if (FLOW_IS_IPV4(f)) { PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip)); } else if (FLOW_IS_IPV6(f)) { PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip)); } sp = f->dp; dp = f->sp; } char proto[16]; if (SCProtoNameValid(f->proto) == TRUE) { strlcpy(proto, known_proto[f->proto], sizeof(proto)); } else { snprintf(proto, sizeof(proto), "%03" PRIu32, f->proto); } /* time */ json_object_set_new(js, "timestamp", json_string(timebuf)); CreateJSONFlowId(js, (const Flow *)f); #if 0 // TODO /* sensor id */ if (sensor_id >= 0) json_object_set_new(js, "sensor_id", json_integer(sensor_id)); #endif /* input interface */ if (f->livedev) { json_object_set_new(js, "in_iface", json_string(f->livedev->dev)); } if (event_type) { json_object_set_new(js, "event_type", json_string(event_type)); } /* vlan */ if (f->vlan_idx > 0) { json_t *js_vlan = json_array(); json_array_append_new(js_vlan, json_integer(f->vlan_id[0])); if (f->vlan_idx > 1) { json_array_append_new(js_vlan, json_integer(f->vlan_id[1])); } json_object_set_new(js, "vlan", js_vlan); } /* tuple */ json_object_set_new(js, "src_ip", json_string(srcip)); switch(f->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: json_object_set_new(js, "src_port", json_integer(sp)); break; } json_object_set_new(js, "dest_ip", json_string(dstip)); switch(f->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: json_object_set_new(js, "dest_port", json_integer(dp)); break; } json_object_set_new(js, "proto", json_string(proto)); switch (f->proto) { case IPPROTO_ICMP: case IPPROTO_ICMPV6: json_object_set_new(js, "icmp_type", json_integer(f->icmp_s.type)); json_object_set_new(js, "icmp_code", json_integer(f->icmp_s.code)); if (f->tosrcpktcnt) { json_object_set_new(js, "response_icmp_type", json_integer(f->icmp_d.type)); json_object_set_new(js, "response_icmp_code", json_integer(f->icmp_d.code)); } break; } return js; }
static json_t *CreateJSONHeaderFromFlow(Flow *f, char *event_type, int dir) { char timebuf[64]; char srcip[46], dstip[46]; Port sp, dp; json_t *js = json_object(); if (unlikely(js == NULL)) return NULL; struct timeval tv; memset(&tv, 0x00, sizeof(tv)); TimeGet(&tv); CreateIsoTimeString(&tv, timebuf, sizeof(timebuf)); srcip[0] = '\0'; dstip[0] = '\0'; if (FLOW_IS_IPV4(f)) { if (dir == 0) { PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip)); } else { PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip)); } } else if (FLOW_IS_IPV6(f)) { if (dir == 0) { PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip)); } else { PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip)); } } if (dir == 0) { sp = f->sp; dp = f->dp; } else { sp = f->dp; dp = f->sp; } char proto[16]; if (SCProtoNameValid(f->proto) == TRUE) { strlcpy(proto, known_proto[f->proto], sizeof(proto)); } else { snprintf(proto, sizeof(proto), "%03" PRIu32, f->proto); } /* time */ json_object_set_new(js, "timestamp", json_string(timebuf)); CreateJSONFlowId(js, (const Flow *)f); #if 0 // TODO /* sensor id */ if (sensor_id >= 0) json_object_set_new(js, "sensor_id", json_integer(sensor_id)); #endif if (event_type) { json_object_set_new(js, "event_type", json_string(event_type)); } #if 0 /* vlan */ if (f->vlan_id[0] > 0) { json_t *js_vlan; switch (f->vlan_idx) { case 1: json_object_set_new(js, "vlan", json_integer(f->vlan_id[0])); break; case 2: js_vlan = json_array(); if (unlikely(js != NULL)) { json_array_append_new(js_vlan, json_integer(VLAN_GET_ID1(p))); json_array_append_new(js_vlan, json_integer(VLAN_GET_ID2(p))); json_object_set_new(js, "vlan", js_vlan); } break; default: /* shouldn't get here */ break; } } #endif /* tuple */ json_object_set_new(js, "src_ip", json_string(srcip)); switch(f->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: json_object_set_new(js, "src_port", json_integer(sp)); break; } json_object_set_new(js, "dest_ip", json_string(dstip)); switch(f->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: json_object_set_new(js, "dest_port", json_integer(dp)); break; } json_object_set_new(js, "proto", json_string(proto)); switch (f->proto) { case IPPROTO_ICMP: case IPPROTO_ICMPV6: json_object_set_new(js, "icmp_type", json_integer(f->type)); json_object_set_new(js, "icmp_code", json_integer(f->code)); break; } return js; }