static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
MemBuffer *payload = aft->payload_buffer;
AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
json_t *hjs = NULL;
int i;
if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
return TM_ECODE_OK;
json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
if (unlikely(js == NULL))
return TM_ECODE_OK;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
MemBufferReset(aft->json_buffer);
/* alert */
AlertJsonHeader(p, pa, js);
if (json_output_ctx->flags & LOG_JSON_HTTP) {
if (p->flow != NULL) {
uint16_t proto = FlowGetAppProtocol(p->flow);
/* http alert */
if (proto == ALPROTO_HTTP) {
hjs = JsonHttpAddMetadata(p->flow, pa->tx_id);
if (hjs)
json_object_set_new(js, "http", hjs);
}
}
}
if (json_output_ctx->flags & LOG_JSON_TLS) {
if (p->flow != NULL) {
uint16_t proto = FlowGetAppProtocol(p->flow);
/* http alert */
if (proto == ALPROTO_TLS)
AlertJsonTls(p->flow, js);
}
}
if (json_output_ctx->flags & LOG_JSON_SSH) {
if (p->flow != NULL) {
uint16_t proto = FlowGetAppProtocol(p->flow);
/* http alert */
if (proto == ALPROTO_SSH)
AlertJsonSsh(p->flow, js);
}
}
if (json_output_ctx->flags & LOG_JSON_SMTP) {
if (p->flow != NULL) {
uint16_t proto = FlowGetAppProtocol(p->flow);
/* http alert */
if (proto == ALPROTO_SMTP) {
hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id);
if (hjs)
json_object_set_new(js, "smtp", hjs);
hjs = JsonEmailAddMetadata(p->flow, pa->tx_id);
if (hjs)
json_object_set_new(js, "email", hjs);
}
}
}
/* payload */
if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
int stream = (p->proto == IPPROTO_TCP) ?
(pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ?
1 : 0) : 0;
/* Is this a stream? If so, pack part of it into the payload field */
if (stream) {
uint8_t flag;
MemBufferReset(payload);
if (p->flowflags & FLOW_PKT_TOSERVER) {
flag = FLOW_PKT_TOCLIENT;
} else {
flag = FLOW_PKT_TOSERVER;
}
StreamSegmentForEach((const Packet *)p, flag,
AlertJsonDumpStreamSegmentCallback,
(void *)payload);
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
unsigned long len = json_output_ctx->payload_buffer_size * 2;
uint8_t encoded[len];
Base64Encode(payload->buffer, payload->offset, encoded, &len);
json_object_set_new(js, "payload", json_string((char *)encoded));
}
if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
uint8_t printable_buf[payload->offset + 1];
uint32_t offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
payload->buffer, payload->offset);
json_object_set_new(js, "payload_printable",
json_string((char *)printable_buf));
}
} else {
/* This is a single packet and not a stream */
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
unsigned long len = p->payload_len * 2 + 1;
uint8_t encoded[len];
Base64Encode(p->payload, p->payload_len, encoded, &len);
json_object_set_new(js, "payload", json_string((char *)encoded));
}
if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
uint8_t printable_buf[p->payload_len + 1];
uint32_t offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
p->payload_len + 1,
p->payload, p->payload_len);
json_object_set_new(js, "payload_printable", json_string((char *)printable_buf));
}
}
json_object_set_new(js, "stream", json_integer(stream));
}
/* base64-encoded full packet */
if (json_output_ctx->flags & LOG_JSON_PACKET) {
AlertJsonPacket(p, js);
}
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
/* xff header */
if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
int have_xff_ip = 0;
char buffer[XFF_MAXLEN];
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
} else {
have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN);
}
}
if (have_xff_ip) {
if (xff_cfg->flags & XFF_EXTRADATA) {
json_object_set_new(js, "xff", json_string(buffer));
}
else if (xff_cfg->flags & XFF_OVERWRITE) {
if (p->flowflags & FLOW_PKT_TOCLIENT) {
json_object_set(js, "dest_ip", json_string(buffer));
} else {
json_object_set(js, "src_ip", json_string(buffer));
}
}
}
}
OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
json_object_del(js, "alert");
}
json_object_clear(js);
json_decref(js);
if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
LOG_JSON_TAGGED_PACKETS)) {
MemBufferReset(aft->json_buffer);
json_t *packetjs = CreateJSONHeader((Packet *)p, 0, "packet");
if (unlikely(packetjs != NULL)) {
AlertJsonPacket(p, packetjs);
OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
json_decref(packetjs);
}
}
return TM_ECODE_OK;
}
/**
* \internal
* \brief Write meta data on a single line json record
*/
static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
{
json_t *js = CreateJSONHeader((Packet *)p, 0, "fileinfo"); //TODO const
json_t *hjs = NULL;
if (unlikely(js == NULL))
return;
/* reset */
MemBufferReset(aft->buffer);
switch (p->flow->alproto) {
case ALPROTO_HTTP:
hjs = JsonHttpAddMetadata(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "http", hjs);
break;
case ALPROTO_SMTP:
hjs = JsonSMTPAddMetadata(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "smtp", hjs);
hjs = JsonEmailAddMetadata(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "email", hjs);
break;
}
json_object_set_new(js, "app_proto",
json_string(AppProtoToString(p->flow->alproto)));
json_t *fjs = json_object();
if (unlikely(fjs == NULL)) {
json_decref(js);
return;
}
char *s = BytesToString(ff->name, ff->name_len);
json_object_set_new(fjs, "filename", json_string(s));
if (s != NULL)
SCFree(s);
if (ff->magic)
json_object_set_new(fjs, "magic", json_string((char *)ff->magic));
switch (ff->state) {
case FILE_STATE_CLOSED:
json_object_set_new(fjs, "state", json_string("CLOSED"));
#ifdef HAVE_NSS
if (ff->flags & FILE_MD5) {
size_t x;
int i;
char s[256];
for (i = 0, x = 0; x < sizeof(ff->md5); x++) {
i += snprintf(&s[i], 255-i, "%02x", ff->md5[x]);
}
json_object_set_new(fjs, "md5", json_string(s));
}
#endif
break;
case FILE_STATE_TRUNCATED:
json_object_set_new(fjs, "state", json_string("TRUNCATED"));
break;
case FILE_STATE_ERROR:
json_object_set_new(fjs, "state", json_string("ERROR"));
break;
default:
json_object_set_new(fjs, "state", json_string("UNKNOWN"));
break;
}
json_object_set_new(fjs, "stored",
(ff->flags & FILE_STORED) ? json_true() : json_false());
if (ff->flags & FILE_STORED) {
json_object_set_new(fjs, "file_id", json_integer(ff->file_id));
}
json_object_set_new(fjs, "size", json_integer(ff->size));
json_object_set_new(fjs, "tx_id", json_integer(ff->txid));
/* originally just 'file', but due to bug 1127 naming it fileinfo */
json_object_set_new(js, "fileinfo", fjs);
OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, &aft->buffer);
json_object_del(js, "fileinfo");
switch (p->flow->alproto) {
case ALPROTO_HTTP:
json_object_del(js, "http");
break;
case ALPROTO_SMTP:
json_object_del(js, "smtp");
json_object_del(js, "email");
break;
}
json_object_clear(js);
json_decref(js);
}
