static void DBLogAlState(void *alstate, AppProto proto,
const Packet *p, json_t *js, const char *name) {
if ((PKT_IS_TOCLIENT(p))) { /* drop server -> client log */
return;
}
char timebuf[64];
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
json_t *dbjs = json_object();
if (dbjs == NULL)
return;
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}
#if 0
char *dbtype = AlstateGetDBType(alstate, proto);
char *username = AlstateGetUsername(alstate, proto);
char *dbname = AlstateGetDBname(alstate, proto);
char *dbopr = AlstateGetDBOpr(alstate, proto);
char *action = AlstateGetAction(alstate, proto);
char *meta = AlstateGetMetaInfo(alstate, proto);
if (dbtype != NULL) {
json_object_set_new(dbjs, "time", timebuf);
}
if (username != NULL) {
json_object_set_new(dbjs, "user", username);
}
if (dbname != NULL) {
json_object_set_new(dbjs, "db_name", dbname);
}
if (dbopr != NULL) {
json_object_set_new(dbjs, "db_operation", dbopr);
}
if (action != NULL) {
json_object_set_new(dbjs, "action", action);
}
if (meta != NULL) {
json_object_set_new(dbjs, "meta_info", meta);
}
#endif
json_object_set_new(js, name, dbjs);
}
static void LogFilestoreLogCreateMetaFile(Packet *p, File *ff, char *filename, int ipver) {
char metafilename[PATH_MAX] = "";
snprintf(metafilename, sizeof(metafilename), "%s.meta", filename);
FILE *fp = fopen(metafilename, "w+");
if (fp != NULL) {
char timebuf[64];
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
fprintf(fp, "TIME: %s\n", timebuf);
if (p->pcap_cnt > 0) {
fprintf(fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
}
char srcip[46], dstip[46];
Port sp, dp;
switch (ipver) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
break;
default:
strlcpy(srcip, "<unknown>", sizeof(srcip));
strlcpy(dstip, "<unknown>", sizeof(dstip));
break;
}
sp = p->sp;
dp = p->dp;
fprintf(fp, "SRC IP: %s\n", srcip);
fprintf(fp, "DST IP: %s\n", dstip);
fprintf(fp, "PROTO: %" PRIu32 "\n", p->proto);
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
fprintf(fp, "SRC PORT: %" PRIu16 "\n", sp);
fprintf(fp, "DST PORT: %" PRIu16 "\n", dp);
}
fprintf(fp, "HTTP URI: ");
LogFilestoreMetaGetUri(fp, p, ff);
fprintf(fp, "\n");
fprintf(fp, "HTTP HOST: ");
LogFilestoreMetaGetHost(fp, p, ff);
fprintf(fp, "\n");
fprintf(fp, "HTTP REFERER: ");
LogFilestoreMetaGetReferer(fp, p, ff);
fprintf(fp, "\n");
fprintf(fp, "FILENAME: ");
PrintRawUriFp(fp, ff->name, ff->name_len);
fprintf(fp, "\n");
fclose(fp);
}
}
int TLSGetIPInformations(const Packet *p, char* srcip, size_t srcip_len,
Port* sp, char* dstip, size_t dstip_len,
Port* dp, int ipproto)
{
if ((PKT_IS_TOSERVER(p))) {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->sp;
*dp = p->dp;
} else {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), dstip, dstip_len);
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *) GET_IPV6_DST_ADDR(p), srcip, srcip_len);
PrintInet(AF_INET6, (const void *) GET_IPV6_SRC_ADDR(p), dstip, dstip_len);
break;
default:
return 0;
}
*sp = p->dp;
*dp = p->sp;
}
return 1;
}
TmEcode AlertFastLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertFastLogThread *aft = (AlertFastLogThread *)data;
int i;
char timebuf[64];
char *action = "";
extern uint8_t engine_mode;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[16], dstip[16];
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
char proto[16] = "";
if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
strlcpy(proto, known_proto[IPV4_GET_IPPROTO(p)], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
}
SCMutexLock(&aft->file_ctx->fp_mutex);
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "\n", timebuf, action,
pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
proto, srcip, p->sp, dstip, p->dp);
fflush(aft->file_ctx->fp);
aft->file_ctx->alerts++;
SCMutexUnlock(&aft->file_ctx->fp_mutex);
}
return TM_ECODE_OK;
}
/**
* \brief Function which is called to print the IPv4 alerts to the syslog
*
* \param tv Pointer to the threadvars
* \param p Pointer to the packet
* \param data pointer to the AlertSyslogThread
*
* \return On succes return TM_ECODE_OK
*/
static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
SCMutexLock(&ast->file_ctx->fp_mutex);
ast->file_ctx->alerts += p->alerts.cnt;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[16], dstip[16];
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
} else {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
}
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
/** \internal
* \brief fill lua stack with header info
* \param luastate the lua state
* \param p packet
* \retval cnt number of data items placed on the stack
*
* Places: ipver (number), src ip (string), dst ip (string), protocol (number),
* sp or icmp type (number), dp or icmp code (number).
*/
static int LuaCallbackTuplePushToStackFromPacket(lua_State *luastate, const Packet *p)
{
int ipver = 0;
if (PKT_IS_IPV4(p)) {
ipver = 4;
} else if (PKT_IS_IPV6(p)) {
ipver = 6;
}
lua_pushnumber (luastate, ipver);
if (ipver == 0)
return 1;
char srcip[46] = "", dstip[46] = "";
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}
lua_pushstring (luastate, srcip);
lua_pushstring (luastate, dstip);
/* proto and ports (or type/code) */
lua_pushnumber (luastate, p->proto);
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) {
lua_pushnumber (luastate, p->sp);
lua_pushnumber (luastate, p->dp);
} else if (p->proto == IPPROTO_ICMP || p->proto == IPPROTO_ICMPV6) {
lua_pushnumber (luastate, p->type);
lua_pushnumber (luastate, p->code);
} else {
lua_pushnumber (luastate, 0);
lua_pushnumber (luastate, 0);
}
return 6;
}
/**
* \brief Log the dropped packets in netfilter format when engine is running
* in inline mode
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is being logged
* \param data Pointer to the droplog struct
*
* \return return TM_EODE_OK on success
*/
static int LogDropLogNetFilter (ThreadVars *tv, const Packet *p, void *data)
{
LogDropLogThread *dlt = (LogDropLogThread *)data;
uint16_t proto = 0;
char timebuf[64];
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
SCMutexLock(&dlt->file_ctx->fp_mutex);
if (dlt->file_ctx->rotation_flag) {
dlt->file_ctx->rotation_flag = 0;
if (SCConfLogReopen(dlt->file_ctx) != 0) {
/* Rotation failed, error already logged. */
SCMutexUnlock(&dlt->file_ctx->fp_mutex);
return TM_ECODE_FAILED;
}
}
char srcip[46] = "";
char dstip[46] = "";
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, 16);
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, 16);
fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16" "
"TOS=0x%02"PRIu8" TTL=%"PRIu8" ID=%"PRIu16"", timebuf,
srcip, dstip, IPV4_GET_IPLEN(p), IPV4_GET_IPTOS(p),
IPV4_GET_IPTTL(p), IPV4_GET_IPID(p));
proto = IPV4_GET_IPPROTO(p);
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16""
" TC=%"PRIu32" HOPLIMIT=%"PRIu8" FLOWLBL=%"PRIu32"", timebuf,
srcip, dstip, IPV6_GET_PLEN(p), IPV6_GET_CLASS(p),
IPV6_GET_HLIM(p), IPV6_GET_FLOW(p));
proto = IPV6_GET_L4PROTO(p);
}
if (SCProtoNameValid(proto) == TRUE) {
fprintf(dlt->file_ctx->fp, " PROTO=%s",known_proto[proto]);
} else {
fprintf(dlt->file_ctx->fp, " PROTO=%03"PRIu16"",proto);
}
switch (proto) {
case IPPROTO_TCP:
if (PKT_IS_TCP(p)) {
fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16" "
"SEQ=%"PRIu32" ACK=%"PRIu32" WINDOW=%"PRIu32"",
GET_TCP_SRC_PORT(p), GET_TCP_DST_PORT(p), TCP_GET_SEQ(p),
TCP_GET_ACK(p), TCP_GET_WINDOW(p));
fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_SYN(p) ? " SYN" : "");
fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_ACK(p) ? " ACK" : "");
fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_PUSH(p) ? " PSH" : "");
fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_RST(p) ? " RST" : "");
fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_URG(p) ? " URG" : "");
fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_FIN(p) ? " FIN" : "");
fprintf(dlt->file_ctx->fp, " RES=0x%02"PRIu8" URGP=%"PRIu16"",
TCP_GET_RAW_X2(p->tcph), TCP_GET_URG_POINTER(p));
}
break;
case IPPROTO_UDP:
if (PKT_IS_UDP(p)) {
fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16""
" LEN=%"PRIu16"", UDP_GET_SRC_PORT(p),
UDP_GET_DST_PORT(p), UDP_GET_LEN(p));
}
break;
case IPPROTO_ICMP:
if (PKT_IS_ICMPV4(p)) {
fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu8" CODE=%"PRIu8""
" ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV4_GET_TYPE(p),
ICMPV4_GET_CODE(p), ICMPV4_GET_ID(p), ICMPV4_GET_SEQ(p));
} else if (PKT_IS_ICMPV6(p)) {
fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu8" CODE=%"PRIu8""
" ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV6_GET_TYPE(p),
ICMPV6_GET_CODE(p), ICMPV6_GET_ID(p), ICMPV6_GET_SEQ(p));
}
break;
default:
fprintf(dlt->file_ctx->fp," Unknown protocol");
}
fprintf(dlt->file_ctx->fp,"\n");
fflush(dlt->file_ctx->fp);
dlt->drop_cnt++;
SCMutexUnlock(&dlt->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
PacketQueue *postpq, int ipproto)
{
SCEnter();
LogHttpLogThread *aft = (LogHttpLogThread *)data;
LogHttpFileCtx *hlog = aft->httplog_ctx;
char timebuf[64];
size_t idx = 0;
/* no flow, no htp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
/* check if we have HTTP state or not */
FLOWLOCK_WRLOCK(p->flow); /* WRITE lock before we updated flow logged id */
uint16_t proto = AppLayerGetProtoFromPacket(p);
if (proto != ALPROTO_HTTP)
goto end;
int r = AppLayerTransactionGetLoggedId(p->flow);
if (r < 0) {
goto end;
}
size_t logged = (size_t)r;
r = HtpTransactionGetLoggableId(p->flow);
if (r < 0) {
goto end;
}
size_t loggable = (size_t)r;
/* nothing to do */
if (logged >= loggable) {
goto end;
}
HtpState *htp_state = (HtpState *)AppLayerGetProtoStateFromPacket(p);
if (htp_state == NULL) {
SCLogDebug("no http state, so no request logging");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL)
goto end;
htp_tx_t *tx = NULL;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
Port sp, dp;
if ((PKT_IS_TOSERVER(p))) {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
break;
default:
goto end;
}
sp = p->sp;
dp = p->dp;
} else {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));
break;
default:
goto end;
}
sp = p->dp;
dp = p->sp;
}
for (idx = logged; idx < loggable; idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL) {
SCLogDebug("tx is NULL not logging !!");
continue;
}
SCLogDebug("got a HTTP request and now logging !!");
/* reset */
MemBufferReset(aft->buffer);
if (hlog->flags & LOG_HTTP_CUSTOM) {
LogHttpLogCustom(aft, tx, &p->ts, srcip, sp, dstip, dp);
} else {
/* time */
MemBufferWriteString(aft->buffer, "%s ", timebuf);
/* hostname */
if (tx->parsed_uri != NULL &&
tx->parsed_uri->hostname != NULL)
{
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(tx->parsed_uri->hostname),
bstr_len(tx->parsed_uri->hostname));
} else {
MemBufferWriteString(aft->buffer, "<hostname unknown>");
}
MemBufferWriteString(aft->buffer, " [**] ");
/* uri */
if (tx->request_uri != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
}
MemBufferWriteString(aft->buffer, " [**] ");
/* user agent */
htp_header_t *h_user_agent = NULL;
if (tx->request_headers != NULL) {
h_user_agent = table_getc(tx->request_headers, "user-agent");
}
if (h_user_agent != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
} else {
MemBufferWriteString(aft->buffer, "<useragent unknown>");
}
if (hlog->flags & LOG_HTTP_EXTENDED) {
LogHttpLogExtended(aft, tx);
}
/* ip/tcp header info */
MemBufferWriteString(aft->buffer,
" [**] %s:%" PRIu16 " -> %s:%" PRIu16 "\n",
srcip, sp, dstip, dp);
}
aft->uri_cnt ++;
SCMutexLock(&hlog->file_ctx->fp_mutex);
MemBufferPrintToFPAsString(aft->buffer, hlog->file_ctx->fp);
fflush(hlog->file_ctx->fp);
SCMutexUnlock(&hlog->file_ctx->fp_mutex);
AppLayerTransactionUpdateLoggedId(p->flow);
}
end:
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_OK);
}
int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)
{
AlertFastLogThread *aft = (AlertFastLogThread *)data;
int i;
char timebuf[64];
int decoder_event = 0;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
} else {
decoder_event = 1;
}
/* Buffer to store the generated alert strings. The buffer is
* filled with alert strings until it doesn't have room to store
* another full alert, only then is the buffer written. This is
* more efficient for multiple alerts and only slightly slower for
* single alerts.
*/
char alert_buffer[MAX_FASTLOG_BUFFER_SIZE];
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char *action = "";
if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
char proto[16] = "";
if (likely(decoder_event == 0)) {
if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
}
}
/* Create the alert string without locking. */
int size = 0;
if (likely(decoder_event == 0)) {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
"%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "\n", timebuf, action,
pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
proto, srcip, p->sp, dstip, p->dp);
} else {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
"%s %s[**] [%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [**] [Classification: %s] [Priority: "
"%" PRIu32 "] [**] [Raw pkt: ", timebuf, action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio);
PrintBufferRawLineHex(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
if (p->pcap_cnt != 0) {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
"] [pcap file packet: %"PRIu64"]\n", p->pcap_cnt);
} else {
PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE, "]\n");
}
}
/* Write the alert to output file */
AlertFastLogOutputAlert(aft, alert_buffer, size);
}
return TM_ECODE_OK;
}
static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, void *data, const Packet *p, Flow *f, HtpState *htp_state, htp_tx_t *tx, uint64_t tx_id, int ipproto)
{
SCEnter();
LogHttpLogThread *aft = (LogHttpLogThread *)data;
LogHttpFileCtx *hlog = aft->httplog_ctx;
char timebuf[64];
/* check if we have HTTP state or not */
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
Port sp, dp;
if ((PKT_IS_TOSERVER(p))) {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
break;
default:
goto end;
}
sp = p->sp;
dp = p->dp;
} else {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));
break;
default:
goto end;
}
sp = p->dp;
dp = p->sp;
}
SCLogDebug("got a HTTP request and now logging !!");
/* reset */
MemBufferReset(aft->buffer);
if (hlog->flags & LOG_HTTP_CUSTOM) {
LogHttpLogCustom(aft, tx, &p->ts, srcip, sp, dstip, dp);
} else {
/* time */
MemBufferWriteString(aft->buffer, "%s ", timebuf);
/* hostname */
if (tx->request_hostname != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(tx->request_hostname),
bstr_len(tx->request_hostname));
} else {
MemBufferWriteString(aft->buffer, "<hostname unknown>");
}
MemBufferWriteString(aft->buffer, " [**] ");
/* uri */
if (tx->request_uri != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
}
MemBufferWriteString(aft->buffer, " [**] ");
/* user agent */
htp_header_t *h_user_agent = NULL;
if (tx->request_headers != NULL) {
h_user_agent = htp_table_get_c(tx->request_headers, "user-agent");
}
if (h_user_agent != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
} else {
MemBufferWriteString(aft->buffer, "<useragent unknown>");
}
if (hlog->flags & LOG_HTTP_EXTENDED) {
LogHttpLogExtended(aft, tx);
}
/* ip/tcp header info */
MemBufferWriteString(aft->buffer,
" [**] %s:%" PRIu16 " -> %s:%" PRIu16 "\n",
srcip, sp, dstip, dp);
}
aft->uri_cnt ++;
SCMutexLock(&hlog->file_ctx->fp_mutex);
hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx);
SCMutexUnlock(&hlog->file_ctx->fp_mutex);
end:
SCReturnInt(0);
}
static void LogFilestoreLogCreateMetaFile(const Packet *p, const File *ff, char *base_filename, int ipver) {
if (!FileWriteMeta())
return;
char metafilename[PATH_MAX] = "";
if (snprintf(metafilename, sizeof(metafilename), "%s.meta%s", base_filename,
g_working_file_suffix) == sizeof(metafilename))
return;
FILE *fp = fopen(metafilename, "w+");
if (fp != NULL) {
char timebuf[64];
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
fprintf(fp, "TIME: %s\n", timebuf);
if (p->pcap_cnt > 0) {
fprintf(fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
}
char srcip[46], dstip[46];
Port sp, dp;
switch (ipver) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
break;
default:
strlcpy(srcip, "<unknown>", sizeof(srcip));
strlcpy(dstip, "<unknown>", sizeof(dstip));
break;
}
sp = p->sp;
dp = p->dp;
fprintf(fp, "SRC IP: %s\n", srcip);
fprintf(fp, "DST IP: %s\n", dstip);
fprintf(fp, "PROTO: %" PRIu32 "\n", p->proto);
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
fprintf(fp, "SRC PORT: %" PRIu16 "\n", sp);
fprintf(fp, "DST PORT: %" PRIu16 "\n", dp);
}
fprintf(fp, "APP PROTO: %s\n",
AppProtoToString(p->flow->alproto));
/* Only applicable to HTTP traffic */
if (p->flow->alproto == ALPROTO_HTTP) {
fprintf(fp, "HTTP URI: ");
LogFilestoreMetaGetUri(fp, p, ff);
fprintf(fp, "\n");
fprintf(fp, "HTTP HOST: ");
LogFilestoreMetaGetHost(fp, p, ff);
fprintf(fp, "\n");
fprintf(fp, "HTTP REFERER: ");
LogFilestoreMetaGetReferer(fp, p, ff);
fprintf(fp, "\n");
fprintf(fp, "HTTP USER AGENT: ");
LogFilestoreMetaGetUserAgent(fp, p, ff);
fprintf(fp, "\n");
} else if (p->flow->alproto == ALPROTO_SMTP) {
/* Only applicable to SMTP */
LogFilestoreMetaGetSmtp(fp, p, ff);
}
fprintf(fp, "FILENAME: ");
PrintRawUriFp(fp, ff->name, ff->name_len);
fprintf(fp, "\n");
fclose(fp);
}
}
/**
* \brief Add Source and Target fields to the IDMEF alert.
* These objects contains IP addresses, source and destination
* ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
*
* \return 0 if ok
*/
static int EventToSourceTarget(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
uint8_t ip_vers;
uint8_t ip_proto;
SCEnter();
if ( !p )
SCReturnInt(0);
if ( ! IPH_IS_VALID(p) )
SCReturnInt(0);
if (PKT_IS_IPV4(p)) {
ip_vers = 4;
ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
} else if (PKT_IS_IPV6(p)) {
ip_vers = 6;
ip_proto = IPV6_GET_L4PROTO(p);
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
} else
SCReturnInt(0);
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
SCReturnInt(ret);
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, ip_vers);
idmef_service_set_iana_protocol_number(service, ip_proto);
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_target_new_service(target, &service);
if ( ret < 0 )
SCReturnInt(ret);
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, ip_vers);
idmef_service_set_iana_protocol_number(service, ip_proto);
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(string, daddr);
SCReturnInt(0);
}
/**
* \internal
* \brief Write meta data on a single line json record
*/
static void LogFileWriteJsonRecord(LogFileLogThread *aft, Packet *p, File *ff, int ipver) {
SCMutexLock(&aft->file_ctx->fp_mutex);
FILE *fp = aft->file_ctx->fp;
char timebuf[64];
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
fprintf(fp, "{ ");
if (ff->file_id > 0)
fprintf(fp, "\"id\": %u, ", ff->file_id);
fprintf(fp, "\"timestamp\": \"");
PrintRawJsonFp(fp, (uint8_t *)timebuf, strlen(timebuf));
fprintf(fp, "\", ");
if (p->pcap_cnt > 0) {
fprintf(fp, "\"pcap_pkt_num\": %"PRIu64", ", p->pcap_cnt);
}
fprintf(fp, "\"ipver\": %d, ", ipver == AF_INET ? 4 : 6);
char srcip[46], dstip[46];
Port sp, dp;
switch (ipver) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
break;
default:
strlcpy(srcip, "<unknown>", sizeof(srcip));
strlcpy(dstip, "<unknown>", sizeof(dstip));
break;
}
sp = p->sp;
dp = p->dp;
fprintf(fp, "\"srcip\": \"%s\", ", srcip);
fprintf(fp, "\"dstip\": \"%s\", ", dstip);
fprintf(fp, "\"protocol\": %" PRIu32 ", ", p->proto);
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
fprintf(fp, "\"sp\": %" PRIu16 ", ", sp);
fprintf(fp, "\"dp\": %" PRIu16 ", ", dp);
}
fprintf(fp, "\"http_uri\": \"");
LogFileMetaGetUri(fp, p, ff);
fprintf(fp, "\", ");
fprintf(fp, "\"http_host\": \"");
LogFileMetaGetHost(fp, p, ff);
fprintf(fp, "\", ");
fprintf(fp, "\"http_referer\": \"");
LogFileMetaGetReferer(fp, p, ff);
fprintf(fp, "\", ");
fprintf(fp, "\"http_user_agent\": \"");
LogFileMetaGetUserAgent(fp, p, ff);
fprintf(fp, "\", ");
fprintf(fp, "\"filename\": \"");
PrintRawJsonFp(fp, ff->name, ff->name_len);
fprintf(fp, "\", ");
fprintf(fp, "\"magic\": \"");
if (ff->magic) {
PrintRawJsonFp(fp, (uint8_t *)ff->magic, strlen(ff->magic));
} else {
fprintf(fp, "unknown");
}
fprintf(fp, "\", ");
switch (ff->state) {
case FILE_STATE_CLOSED:
fprintf(fp, "\"state\": \"CLOSED\", ");
#ifdef HAVE_NSS
if (ff->flags & FILE_MD5) {
fprintf(fp, "\"md5\": \"");
size_t x;
for (x = 0; x < sizeof(ff->md5); x++) {
fprintf(fp, "%02x", ff->md5[x]);
}
fprintf(fp, "\", ");
}
#endif
break;
case FILE_STATE_TRUNCATED:
fprintf(fp, "\"state\": \"TRUNCATED\", ");
break;
case FILE_STATE_ERROR:
fprintf(fp, "\"state\": \"ERROR\", ");
break;
default:
fprintf(fp, "\"state\": \"UNKNOWN\", ");
break;
}
fprintf(fp, "\"stored\": %s, ", ff->flags & FILE_STORED ? "true" : "false");
fprintf(fp, "\"size\": %"PRIu64" ", ff->size);
fprintf(fp, "}\n");
fflush(fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
}
static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_data)
{
AlertDebugLogThread *aft = (AlertDebugLogThread *)thread_data;
int i;
char timebuf[64];
const char *pkt_src_str = NULL;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
MemBufferReset(aft->buffer);
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
MemBufferWriteString(aft->buffer, "+================\n"
"TIME: %s\n", timebuf);
if (p->pcap_cnt > 0) {
MemBufferWriteString(aft->buffer, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
}
pkt_src_str = PktSrcToString(p->pkt_src);
MemBufferWriteString(aft->buffer, "PKT SRC: %s\n", pkt_src_str);
char srcip[46], dstip[46];
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}
MemBufferWriteString(aft->buffer, "SRC IP: %s\n"
"DST IP: %s\n"
"PROTO: %" PRIu32 "\n",
srcip, dstip, p->proto);
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
MemBufferWriteString(aft->buffer, "SRC PORT: %" PRIu32 "\n"
"DST PORT: %" PRIu32 "\n",
p->sp, p->dp);
if (PKT_IS_TCP(p)) {
MemBufferWriteString(aft->buffer, "TCP SEQ: %"PRIu32"\n"
"TCP ACK: %"PRIu32"\n",
TCP_GET_SEQ(p), TCP_GET_ACK(p));
}
}
/* flow stuff */
MemBufferWriteString(aft->buffer, "FLOW: to_server: %s, "
"to_client: %s\n",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
if (p->flow != NULL) {
int applayer = 0;
applayer = StreamTcpAppLayerIsDisabled(p->flow);
CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
MemBufferWriteString(aft->buffer, "FLOW Start TS: %s\n", timebuf);
MemBufferWriteString(aft->buffer, "FLOW PKTS TODST: %"PRIu32"\n"
"FLOW PKTS TOSRC: %"PRIu32"\n"
"FLOW Total Bytes: %"PRIu64"\n",
p->flow->todstpktcnt, p->flow->tosrcpktcnt,
p->flow->todstbytecnt + p->flow->tosrcbytecnt);
MemBufferWriteString(aft->buffer,
"FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n"
"FLOW ACTION: DROP: %s\n"
"FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
"FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE",
p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
applayer ? "TRUE" : "FALSE",
(p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
}
AlertDebugLogPktVars(aft, p);
/* any stuff */
/* Sig details? */
MemBufferWriteString(aft->buffer,
"PACKET LEN: %" PRIu32 "\n"
"PACKET:\n",
GET_PKT_LEN(p));
PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
GET_PKT_DATA(p), GET_PKT_LEN(p));
MemBufferWriteString(aft->buffer, "ALERT CNT: %" PRIu32 "\n",
p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
MemBufferWriteString(aft->buffer,
"ALERT MSG [%02d]: %s\n"
"ALERT GID [%02d]: %" PRIu32 "\n"
"ALERT SID [%02d]: %" PRIu32 "\n"
"ALERT REV [%02d]: %" PRIu32 "\n"
"ALERT CLASS [%02d]: %s\n"
"ALERT PRIO [%02d]: %" PRIu32 "\n"
"ALERT FOUND IN [%02d]: %s\n",
i, pa->s->msg,
i, pa->s->gid,
i, pa->s->id,
i, pa->s->rev,
i, pa->s->class_msg ? pa->s->class_msg : "<none>",
i, pa->s->prio,
i,
pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH ? "STREAM" :
(pa->flags & PACKET_ALERT_FLAG_STATE_MATCH ? "STATE" : "PACKET"));
if (pa->flags & PACKET_ALERT_FLAG_TX) {
MemBufferWriteString(aft->buffer,
"ALERT IN TX [%02d]: %"PRIu64"\n", i, pa->tx_id);
} else {
MemBufferWriteString(aft->buffer,
"ALERT IN TX [%02d]: N/A\n", i);
}
if (p->payload_len > 0) {
MemBufferWriteString(aft->buffer,
"PAYLOAD LEN: %" PRIu32 "\n"
"PAYLOAD:\n",
p->payload_len);
PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
p->payload, p->payload_len);
}
if ((pa->flags & PACKET_ALERT_FLAG_STATE_MATCH) ||
(pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH)) {
/* This is an app layer or stream alert */
int ret;
uint8_t flag;
if (!(PKT_IS_TCP(p)) || p->flow == NULL ||
p->flow->protoctx == NULL) {
return TM_ECODE_OK;
}
/* IDS mode reverse the data */
/** \todo improve the order selection policy */
if (p->flowflags & FLOW_PKT_TOSERVER) {
flag = FLOW_PKT_TOCLIENT;
} else {
flag = FLOW_PKT_TOSERVER;
}
ret = StreamSegmentForEach((const Packet *)p, flag,
AlertDebugPrintStreamSegmentCallback,
(void *)aft);
if (ret < 0) {
return TM_ECODE_FAILED;
}
}
}
aft->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
MEMBUFFER_OFFSET(aft->buffer), aft->file_ctx);
return TM_ECODE_OK;
}
TmEcode AlertDebugLogger(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
int i;
char timebuf[64];
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
MemBufferReset(aft->buffer);
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
MemBufferWriteString(aft->buffer, "+================\n"
"TIME: %s\n", timebuf);
if (p->pcap_cnt > 0) {
MemBufferWriteString(aft->buffer, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
}
char srcip[46], dstip[46];
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}
MemBufferWriteString(aft->buffer, "SRC IP: %s\n"
"DST IP: %s\n"
"PROTO: %" PRIu32 "\n",
srcip, dstip, p->proto);
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
MemBufferWriteString(aft->buffer, "SRC PORT: %" PRIu32 "\n"
"DST PORT: %" PRIu32 "\n",
p->sp, p->dp);
if (PKT_IS_TCP(p)) {
MemBufferWriteString(aft->buffer, "TCP SEQ: %"PRIu32"\n"
"TCP ACK: %"PRIu32"\n",
TCP_GET_SEQ(p), TCP_GET_ACK(p));
}
}
/* flow stuff */
MemBufferWriteString(aft->buffer, "FLOW: to_server: %s, "
"to_client: %s\n",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
if (p->flow != NULL) {
FLOWLOCK_RDLOCK(p->flow);
CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
MemBufferWriteString(aft->buffer, "FLOW Start TS: %s\n", timebuf);
#ifdef DEBUG
MemBufferWriteString(aft->buffer, "FLOW PKTS TODST: %"PRIu32"\n"
"FLOW PKTS TOSRC: %"PRIu32"\n"
"FLOW Total Bytes: %"PRIu64"\n",
p->flow->todstpktcnt, p->flow->tosrcpktcnt,
p->flow->bytecnt);
#endif
MemBufferWriteString(aft->buffer,
"FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n"
"FLOW ACTION: DROP: %s, PASS %s\n"
"FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
"FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE",
p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE",
(p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, p);
FLOWLOCK_UNLOCK(p->flow);
}
AlertDebugLogPktVars(aft, p);
/* any stuff */
/* Sig details? */
MemBufferWriteString(aft->buffer,
"PACKET LEN: %" PRIu32 "\n"
"PACKET:\n",
GET_PKT_LEN(p));
PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
GET_PKT_DATA(p), GET_PKT_LEN(p));
MemBufferWriteString(aft->buffer, "ALERT CNT: %" PRIu32 "\n",
p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
MemBufferWriteString(aft->buffer,
"ALERT MSG [%02d]: %s\n"
"ALERT GID [%02d]: %" PRIu32 "\n"
"ALERT SID [%02d]: %" PRIu32 "\n"
"ALERT REV [%02d]: %" PRIu32 "\n"
"ALERT CLASS [%02d]: %s\n"
"ALERT PRIO [%02d]: %" PRIu32 "\n"
"ALERT FOUND IN [%02d]: %s\n",
i, pa->s->msg,
i, pa->s->gid,
i, pa->s->id,
i, pa->s->rev,
i, pa->s->class_msg ? pa->s->class_msg : "<none>",
i, pa->s->prio,
i,
pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH ? "STREAM" :
(pa->flags & PACKET_ALERT_FLAG_STATE_MATCH ? "STATE" : "PACKET"));
if (p->payload_len > 0) {
MemBufferWriteString(aft->buffer,
"PAYLOAD LEN: %" PRIu32 "\n"
"PAYLOAD:\n",
p->payload_len);
PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
p->payload, p->payload_len);
}
if (pa->flags & PACKET_ALERT_FLAG_STATE_MATCH ||
pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH) {
/* This is an app layer or stream alert */
int ret;
uint8_t flag;
if ((! PKT_IS_TCP(p)) || p->flow == NULL ||
p->flow->protoctx == NULL) {
return TM_ECODE_OK;
}
/* IDS mode reverse the data */
/** \todo improve the order selection policy */
if (p->flowflags & FLOW_PKT_TOSERVER) {
flag = FLOW_PKT_TOCLIENT;
} else {
flag = FLOW_PKT_TOSERVER;
}
ret = StreamSegmentForEach(p, flag,
AlertDebugPrintStreamSegmentCallback,
(void *)aft);
if (ret < 0) {
return TM_ECODE_FAILED;
}
}
}
SCMutexLock(&aft->file_ctx->fp_mutex);
(void)MemBufferPrintToFPAsString(aft->buffer, aft->file_ctx->fp);
fflush(aft->file_ctx->fp);
aft->file_ctx->alerts += p->alerts.cnt;
SCMutexUnlock(&aft->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
/**
* \internal
* \brief Write meta data on a single line json record
*/
static void LogFileWriteJsonRecord(LogFileLogThread *aft, const Packet *p, const File *ff, int ipver)
{
SCMutexLock(&aft->file_ctx->fp_mutex);
/* As writes are done via the LogFileCtx, check for rotation here. */
if (aft->file_ctx->rotation_flag) {
aft->file_ctx->rotation_flag = 0;
if (SCConfLogReopen(aft->file_ctx) != 0) {
SCLogWarning(SC_ERR_FOPEN, "Failed to re-open log file. "
"Logging for this module will be disabled.");
}
}
/* Bail early if no file pointer to write to (in the unlikely
* event file rotation failed. */
if (aft->file_ctx->fp == NULL) {
SCMutexUnlock(&aft->file_ctx->fp_mutex);
return;
}
FILE *fp = aft->file_ctx->fp;
char timebuf[64];
AppProto alproto = FlowGetAppProtocol(p->flow);
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
fprintf(fp, "{ ");
if (ff->file_id > 0)
fprintf(fp, "\"id\": %u, ", ff->file_id);
fprintf(fp, "\"timestamp\": \"");
PrintRawJsonFp(fp, (uint8_t *)timebuf, strlen(timebuf));
fprintf(fp, "\", ");
if (p->pcap_cnt > 0) {
fprintf(fp, "\"pcap_pkt_num\": %"PRIu64", ", p->pcap_cnt);
}
fprintf(fp, "\"ipver\": %d, ", ipver == AF_INET ? 4 : 6);
char srcip[46], dstip[46];
Port sp, dp;
switch (ipver) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
break;
default:
strlcpy(srcip, "<unknown>", sizeof(srcip));
strlcpy(dstip, "<unknown>", sizeof(dstip));
break;
}
sp = p->sp;
dp = p->dp;
fprintf(fp, "\"srcip\": \"%s\", ", srcip);
fprintf(fp, "\"dstip\": \"%s\", ", dstip);
fprintf(fp, "\"protocol\": %" PRIu32 ", ", p->proto);
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
fprintf(fp, "\"sp\": %" PRIu16 ", ", sp);
fprintf(fp, "\"dp\": %" PRIu16 ", ", dp);
}
if (alproto == ALPROTO_HTTP) {
fprintf(fp, "\"http_uri\": \"");
LogFileMetaGetUri(fp, p, ff);
fprintf(fp, "\", ");
fprintf(fp, "\"http_host\": \"");
LogFileMetaGetHost(fp, p, ff);
fprintf(fp, "\", ");
fprintf(fp, "\"http_referer\": \"");
LogFileMetaGetReferer(fp, p, ff);
fprintf(fp, "\", ");
fprintf(fp, "\"http_user_agent\": \"");
LogFileMetaGetUserAgent(fp, p, ff);
fprintf(fp, "\", ");
} else if (p->flow->alproto == ALPROTO_SMTP) {
/* Only applicable to SMTP */
LogFileMetaGetSmtp(fp, p, ff);
}
fprintf(fp, "\"filename\": \"");
PrintRawJsonFp(fp, ff->name, ff->name_len);
fprintf(fp, "\", ");
#ifdef HAVE_MAGIC
fprintf(fp, "\"magic\": \"");
if (ff->magic) {
PrintRawJsonFp(fp, (uint8_t *)ff->magic, strlen(ff->magic));
} else {
fprintf(fp, "unknown");
}
fprintf(fp, "\", ");
#endif
switch (ff->state) {
case FILE_STATE_CLOSED:
fprintf(fp, "\"state\": \"CLOSED\", ");
#ifdef HAVE_NSS
if (ff->flags & FILE_MD5) {
fprintf(fp, "\"md5\": \"");
size_t x;
for (x = 0; x < sizeof(ff->md5); x++) {
fprintf(fp, "%02x", ff->md5[x]);
}
fprintf(fp, "\", ");
}
if (ff->flags & FILE_SHA1) {
fprintf(fp, "\"sha1\": \"");
size_t x;
for (x = 0; x < sizeof(ff->sha1); x++) {
fprintf(fp, "%02x", ff->sha1[x]);
}
fprintf(fp, "\", ");
}
if (ff->flags & FILE_SHA256) {
fprintf(fp, "\"sha256\": \"");
size_t x;
for (x = 0; x < sizeof(ff->sha256); x++) {
fprintf(fp, "%02x", ff->sha256[x]);
}
fprintf(fp, "\", ");
}
#endif
break;
case FILE_STATE_TRUNCATED:
fprintf(fp, "\"state\": \"TRUNCATED\", ");
break;
case FILE_STATE_ERROR:
fprintf(fp, "\"state\": \"ERROR\", ");
break;
default:
fprintf(fp, "\"state\": \"UNKNOWN\", ");
break;
}
fprintf(fp, "\"stored\": %s, ", ff->flags & FILE_STORED ? "true" : "false");
fprintf(fp, "\"size\": %"PRIu64" ", FileSize(ff));
fprintf(fp, "}\n");
fflush(fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
}
TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
int i;
char timebuf[64];
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
SCMutexLock(&aft->file_ctx->fp_mutex);
fprintf(aft->file_ctx->fp, "+================\n");
fprintf(aft->file_ctx->fp, "TIME: %s\n", timebuf);
if (p->pcap_cnt > 0) {
fprintf(aft->file_ctx->fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
}
fprintf(aft->file_ctx->fp, "ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg);
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
}
char srcip[16], dstip[16];
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
fprintf(aft->file_ctx->fp, "SRC IP: %s\n", srcip);
fprintf(aft->file_ctx->fp, "DST IP: %s\n", dstip);
fprintf(aft->file_ctx->fp, "PROTO: %" PRIu32 "\n", IPV4_GET_IPPROTO(p));
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
fprintf(aft->file_ctx->fp, "SRC PORT: %" PRIu32 "\n", p->sp);
fprintf(aft->file_ctx->fp, "DST PORT: %" PRIu32 "\n", p->dp);
if (PKT_IS_TCP(p)) {
fprintf(aft->file_ctx->fp, "TCP SEQ: %"PRIu32"\n", TCP_GET_SEQ(p));
fprintf(aft->file_ctx->fp, "TCP ACK: %"PRIu32"\n", TCP_GET_ACK(p));
}
}
/* flow stuff */
fprintf(aft->file_ctx->fp, "FLOW: to_server: %s, to_client: %s\n",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
if (p->flow != NULL) {
SCMutexLock(&p->flow->m);
CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
fprintf(aft->file_ctx->fp, "FLOW Start TS: %s\n",timebuf);
fprintf(aft->file_ctx->fp, "FLOW PKTS TODST: %"PRIu32"\n",p->flow->todstpktcnt);
fprintf(aft->file_ctx->fp, "FLOW PKTS TOSRC: %"PRIu32"\n",p->flow->tosrcpktcnt);
fprintf(aft->file_ctx->fp, "FLOW Total Bytes: %"PRIu64"\n",p->flow->bytecnt);
fprintf(aft->file_ctx->fp, "FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n",
p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW ACTION: DROP: %s, PASS %s\n",
p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n",
p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, p);
SCMutexUnlock(&p->flow->m);
}
AlertDebugLogPktVars(aft, p);
/* any stuff */
/* Sig details? */
aft->file_ctx->alerts += p->alerts.cnt;
fprintf(aft->file_ctx->fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
fprintf(aft->file_ctx->fp, "PACKET:\n");
PrintRawDataFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
json_t *CreateJSONHeader(Packet *p, int direction_sensitive, char *event_type)
{
char timebuf[64];
char srcip[46], dstip[46];
Port sp, dp;
json_t *js = json_object();
if (unlikely(js == NULL))
return NULL;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
srcip[0] = '\0';
dstip[0] = '\0';
if (direction_sensitive) {
if ((PKT_IS_TOCLIENT(p))) {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}
sp = p->sp;
dp = p->dp;
} else {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));
}
sp = p->dp;
dp = p->sp;
}
} else {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}
sp = p->sp;
dp = p->dp;
}
char proto[16];
if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "%03" PRIu32, IP_GET_IPPROTO(p));
}
/* time & tx */
json_object_set_new(js, "time", json_string(timebuf));
/* sensor id */
if (sensor_id >= 0)
json_object_set_new(js, "sensor_id", json_integer(sensor_id));
/* pcap_cnt */
if (p->pcap_cnt != 0) {
json_object_set_new(js, "pcap_cnt", json_integer(p->pcap_cnt));
}
if (event_type) {
json_object_set_new(js, "event_type", json_string(event_type));
}
/* vlan */
if (p->vlan_idx > 0) {
json_t *js_vlan;
switch (p->vlan_idx) {
case 1:
json_object_set_new(js, "vlan",
json_integer(ntohs(GET_VLAN_ID(p->vlanh[0]))));
break;
case 2:
js_vlan = json_array();
if (unlikely(js != NULL)) {
json_array_append_new(js_vlan,
json_integer(ntohs(GET_VLAN_ID(p->vlanh[0]))));
json_array_append_new(js_vlan,
json_integer(ntohs(GET_VLAN_ID(p->vlanh[1]))));
json_object_set_new(js, "vlan", js_vlan);
}
break;
default:
/* shouldn't get here */
break;
}
}
/* tuple */
json_object_set_new(js, "src_ip", json_string(srcip));
switch(p->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "src_port", json_integer(sp));
break;
}
json_object_set_new(js, "dest_ip", json_string(dstip));
switch(p->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "dest_port", json_integer(dp));
break;
}
json_object_set_new(js, "proto", json_string(proto));
switch (p->proto) {
case IPPROTO_ICMP:
if (p->icmpv4h) {
json_object_set_new(js, "icmp_type",
json_integer(p->icmpv4h->type));
json_object_set_new(js, "icmp_code",
json_integer(p->icmpv4h->code));
}
break;
case IPPROTO_ICMPV6:
if (p->icmpv6h) {
json_object_set_new(js, "icmp_type",
json_integer(p->icmpv6h->type));
json_object_set_new(js, "icmp_code",
json_integer(p->icmpv6h->code));
}
break;
}
return js;
}
/**
* \brief Add five tuple from packet to JSON object
*
* \param p Packet
* \param dir log direction (packet or flow)
* \param js JSON object
*/
void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
{
char srcip[46] = {0}, dstip[46] = {0};
Port sp, dp;
char proto[16];
switch (dir) {
case LOG_DIR_PACKET:
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
dstip, sizeof(dstip));
} else {
/* Not an IP packet so don't do anything */
return;
}
sp = p->sp;
dp = p->dp;
break;
case LOG_DIR_FLOW:
case LOG_DIR_FLOW_TOSERVER:
if ((PKT_IS_TOSERVER(p))) {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
dstip, sizeof(dstip));
}
sp = p->sp;
dp = p->dp;
} else {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
dstip, sizeof(dstip));
}
sp = p->dp;
dp = p->sp;
}
break;
case LOG_DIR_FLOW_TOCLIENT:
if ((PKT_IS_TOCLIENT(p))) {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
dstip, sizeof(dstip));
}
sp = p->sp;
dp = p->dp;
} else {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
dstip, sizeof(dstip));
}
sp = p->dp;
dp = p->sp;
}
break;
default:
DEBUG_VALIDATE_BUG_ON(1);
return;
}
if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "%03" PRIu32, IP_GET_IPPROTO(p));
}
json_object_set_new(js, "src_ip", json_string(srcip));
switch(p->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "src_port", json_integer(sp));
break;
}
json_object_set_new(js, "dest_ip", json_string(dstip));
switch(p->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "dest_port", json_integer(dp));
break;
}
json_object_set_new(js, "proto", json_string(proto));
}