/** \internal
* \brief fill lua stack with header info
* \param luastate the lua state
* \param f flow, locked
* \retval cnt number of data items placed on the stack
*
* Places: ipver (number), src ip (string), dst ip (string), protocol (number),
* sp or icmp type (number), dp or icmp code (number).
*/
static int LuaCallbackTuplePushToStackFromFlow(lua_State *luastate, const Flow *f)
{
int ipver = 0;
if (FLOW_IS_IPV4(f)) {
ipver = 4;
} else if (FLOW_IS_IPV6(f)) {
ipver = 6;
}
lua_pushnumber (luastate, ipver);
if (ipver == 0)
return 1;
char srcip[46] = "", dstip[46] = "";
if (FLOW_IS_IPV4(f)) {
PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
} else if (FLOW_IS_IPV6(f)) {
PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
}
lua_pushstring (luastate, srcip);
lua_pushstring (luastate, dstip);
/* proto and ports (or type/code) */
lua_pushnumber (luastate, f->proto);
if (f->proto == IPPROTO_TCP || f->proto == IPPROTO_UDP) {
lua_pushnumber (luastate, f->sp);
lua_pushnumber (luastate, f->dp);
} else if (f->proto == IPPROTO_ICMP || f->proto == IPPROTO_ICMPV6) {
lua_pushnumber (luastate, f->type);
lua_pushnumber (luastate, f->code);
} else {
lua_pushnumber (luastate, 0);
lua_pushnumber (luastate, 0);
}
return 6;
}
static inline int GetFlowAddresses(Flow *f, Address *ip_src, Address *ip_dst)
{
memset(ip_src, 0, sizeof(*ip_src));
memset(ip_dst, 0, sizeof(*ip_dst));
if (FLOW_IS_IPV4(f)) {
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, ip_src);
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, ip_dst);
} else if (FLOW_IS_IPV6(f)) {
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, ip_src);
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, ip_dst);
} else {
return -1;
}
return 0;
}
static int LogTcpDataLoggerDir(ThreadVars *tv, void *thread_data, const Flow *f,
const uint8_t *data, uint32_t data_len, uint64_t tx_id, uint8_t flags)
{
SCEnter();
LogTcpDataLogThread *aft = thread_data;
LogTcpDataFileCtx *td = aft->tcpdatalog_ctx;
const char *mode = "a";
if (flags & OUTPUT_STREAMING_FLAG_OPEN)
mode = "w";
if (data && data_len) {
char srcip[46] = "", dstip[46] = "";
if (FLOW_IS_IPV4(f)) {
PrintInet(AF_INET, (const void *)&f->src.addr_data32[0], srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)&f->dst.addr_data32[0], dstip, sizeof(dstip));
} else if (FLOW_IS_IPV6(f)) {
PrintInet(AF_INET6, (const void *)f->src.addr_data32, srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)f->dst.addr_data32, dstip, sizeof(dstip));
}
char name[PATH_MAX];
char tx[64] = { 0 };
if (flags & OUTPUT_STREAMING_FLAG_TRANSACTION) {
snprintf(tx, sizeof(tx), "%"PRIu64, tx_id);
}
snprintf(name, sizeof(name), "%s/%s/%s_%u-%s_%u-%s-%s.data",
td->log_dir,
td->type == STREAMING_HTTP_BODIES ? "http" : "tcp",
srcip, f->sp, dstip, f->dp, tx,
flags & OUTPUT_STREAMING_FLAG_TOSERVER ? "ts" : "tc");
FILE *fp = fopen(name, mode);
BUG_ON(fp == NULL);
// PrintRawDataFp(stdout, (uint8_t *)data, data_len);
fwrite(data, data_len, 1, fp);
fclose(fp);
}
SCReturnInt(TM_ECODE_OK);
}
static int LogTcpDataLoggerFile(ThreadVars *tv, void *thread_data, const Flow *f,
const uint8_t *data, uint32_t data_len, uint64_t tx_id, uint8_t flags)
{
SCEnter();
LogTcpDataLogThread *aft = thread_data;
LogTcpDataFileCtx *td = aft->tcpdatalog_ctx;
if (data && data_len) {
MemBufferReset(aft->buffer);
char srcip[46] = "", dstip[46] = "";
if (FLOW_IS_IPV4(f)) {
PrintInet(AF_INET, (const void *)&f->src.addr_data32[0], srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)&f->dst.addr_data32[0], dstip, sizeof(dstip));
} else if (FLOW_IS_IPV6(f)) {
PrintInet(AF_INET6, (const void *)f->src.addr_data32, srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)f->dst.addr_data32, dstip, sizeof(dstip));
}
char name[PATH_MAX];
snprintf(name, sizeof(name), "%s_%u-%s_%u-%s:",
srcip, f->sp, dstip, f->dp,
flags & OUTPUT_STREAMING_FLAG_TOSERVER ? "ts" : "tc");
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset,
aft->buffer->size, (uint8_t *)name,strlen(name));
MemBufferWriteString(aft->buffer, "\n");
PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset,
aft->buffer->size, (uint8_t *)data,data_len);
td->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
MEMBUFFER_OFFSET(aft->buffer), td->file_ctx);
}
SCReturnInt(TM_ECODE_OK);
}
/**
* \internal
* \brief Pseudo packet setup for flow forced reassembly.
*
* \param direction Direction of the packet. 0 indicates toserver and 1
* indicates toclient.
* \param f Pointer to the flow.
* \param ssn Pointer to the tcp session.
* \param dummy Indicates to create a dummy pseudo packet. Not all pseudo
* packets need to force reassembly, in which case we just
* set dummy ack/seq values.
*/
static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p,
int direction,
Flow *f,
TcpSession *ssn,
int dummy)
{
p->datalink = DLT_RAW;
p->proto = IPPROTO_TCP;
FlowReference(&p->flow, f);
p->flags |= PKT_STREAM_EST;
p->flags |= PKT_STREAM_EOF;
p->flags |= PKT_HAS_FLOW;
p->flags |= PKT_PSEUDO_STREAM_END;
if (direction == 0)
p->flowflags |= FLOW_PKT_TOSERVER;
else
p->flowflags |= FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->payload = NULL;
p->payload_len = 0;
if (FLOW_IS_IPV4(f)) {
if (direction == 0) {
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->src);
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->dst);
p->sp = f->sp;
p->dp = f->dp;
} else {
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->dst);
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->src);
p->sp = f->dp;
p->dp = f->sp;
}
/* set the ip header */
p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
/* version 4 and length 20 bytes for the tcp header */
p->ip4h->ip_verhl = 0x45;
p->ip4h->ip_tos = 0;
p->ip4h->ip_len = htons(40);
p->ip4h->ip_id = 0;
p->ip4h->ip_off = 0;
p->ip4h->ip_ttl = 64;
p->ip4h->ip_proto = IPPROTO_TCP;
//p->ip4h->ip_csum =
if (direction == 0) {
p->ip4h->s_ip_src.s_addr = f->src.addr_data32[0];
p->ip4h->s_ip_dst.s_addr = f->dst.addr_data32[0];
} else {
p->ip4h->s_ip_src.s_addr = f->dst.addr_data32[0];
p->ip4h->s_ip_dst.s_addr = f->src.addr_data32[0];
}
/* set the tcp header */
p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 20);
SET_PKT_LEN(p, 40); /* ipv4 hdr + tcp hdr */
} else if (FLOW_IS_IPV6(f)) {
if (direction == 0) {
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->src);
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->dst);
p->sp = f->sp;
p->dp = f->dp;
} else {
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->dst);
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->src);
p->sp = f->dp;
p->dp = f->sp;
}
/* set the ip header */
p->ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
/* version 6 */
p->ip6h->s_ip6_vfc = 0x60;
p->ip6h->s_ip6_flow = 0;
p->ip6h->s_ip6_nxt = IPPROTO_TCP;
p->ip6h->s_ip6_plen = htons(20);
p->ip6h->s_ip6_hlim = 64;
if (direction == 0) {
p->ip6h->s_ip6_src[0] = f->src.addr_data32[0];
p->ip6h->s_ip6_src[1] = f->src.addr_data32[1];
p->ip6h->s_ip6_src[2] = f->src.addr_data32[2];
p->ip6h->s_ip6_src[3] = f->src.addr_data32[3];
p->ip6h->s_ip6_dst[0] = f->dst.addr_data32[0];
p->ip6h->s_ip6_dst[1] = f->dst.addr_data32[1];
p->ip6h->s_ip6_dst[2] = f->dst.addr_data32[2];
p->ip6h->s_ip6_dst[3] = f->dst.addr_data32[3];
} else {
p->ip6h->s_ip6_src[0] = f->dst.addr_data32[0];
p->ip6h->s_ip6_src[1] = f->dst.addr_data32[1];
p->ip6h->s_ip6_src[2] = f->dst.addr_data32[2];
p->ip6h->s_ip6_src[3] = f->dst.addr_data32[3];
p->ip6h->s_ip6_dst[0] = f->src.addr_data32[0];
p->ip6h->s_ip6_dst[1] = f->src.addr_data32[1];
p->ip6h->s_ip6_dst[2] = f->src.addr_data32[2];
p->ip6h->s_ip6_dst[3] = f->src.addr_data32[3];
}
/* set the tcp header */
p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 40);
SET_PKT_LEN(p, 60); /* ipv6 hdr + tcp hdr */
}
p->tcph->th_offx2 = 0x50;
p->tcph->th_flags |= TH_ACK;
p->tcph->th_win = 10;
p->tcph->th_urp = 0;
/* to server */
if (direction == 0) {
p->tcph->th_sport = htons(f->sp);
p->tcph->th_dport = htons(f->dp);
if (dummy) {
p->tcph->th_seq = htonl(ssn->client.next_seq);
p->tcph->th_ack = htonl(ssn->server.last_ack);
} else {
p->tcph->th_seq = htonl(ssn->client.next_seq);
p->tcph->th_ack = htonl(ssn->server.seg_list_tail->seq +
ssn->server.seg_list_tail->payload_len);
}
/* to client */
} else {
p->tcph->th_sport = htons(f->dp);
p->tcph->th_dport = htons(f->sp);
if (dummy) {
p->tcph->th_seq = htonl(ssn->server.next_seq);
p->tcph->th_ack = htonl(ssn->client.last_ack);
} else {
p->tcph->th_seq = htonl(ssn->server.next_seq);
p->tcph->th_ack = htonl(ssn->client.seg_list_tail->seq +
ssn->client.seg_list_tail->payload_len);
}
}
if (FLOW_IS_IPV4(f)) {
p->tcph->th_sum = TCPCalculateChecksum(p->ip4h->s_ip_addrs,
(uint16_t *)p->tcph, 20);
/* calc ipv4 csum as we may log it and barnyard might reject
* a wrong checksum */
p->ip4h->ip_csum = IPV4CalculateChecksum((uint16_t *)p->ip4h,
IPV4_GET_RAW_HLEN(p->ip4h));
} else if (FLOW_IS_IPV6(f)) {
p->tcph->th_sum = TCPCalculateChecksum(p->ip6h->s_ip6_addrs,
(uint16_t *)p->tcph, 20);
}
memset(&p->ts, 0, sizeof(struct timeval));
TimeGet(&p->ts);
AppLayerSetEOF(f);
return p;
}
static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
{
char timebuf[64];
char srcip[46] = {0}, dstip[46] = {0};
Port sp, dp;
json_t *js = json_object();
if (unlikely(js == NULL))
return NULL;
struct timeval tv;
memset(&tv, 0x00, sizeof(tv));
TimeGet(&tv);
CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));
if ((f->flags & FLOW_DIR_REVERSED) == 0) {
if (FLOW_IS_IPV4(f)) {
PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
} else if (FLOW_IS_IPV6(f)) {
PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
}
sp = f->sp;
dp = f->dp;
} else {
if (FLOW_IS_IPV4(f)) {
PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip));
} else if (FLOW_IS_IPV6(f)) {
PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip));
}
sp = f->dp;
dp = f->sp;
}
char proto[16];
if (SCProtoNameValid(f->proto) == TRUE) {
strlcpy(proto, known_proto[f->proto], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "%03" PRIu32, f->proto);
}
/* time */
json_object_set_new(js, "timestamp", json_string(timebuf));
CreateJSONFlowId(js, (const Flow *)f);
#if 0 // TODO
/* sensor id */
if (sensor_id >= 0)
json_object_set_new(js, "sensor_id", json_integer(sensor_id));
#endif
/* input interface */
if (f->livedev) {
json_object_set_new(js, "in_iface", json_string(f->livedev->dev));
}
if (event_type) {
json_object_set_new(js, "event_type", json_string(event_type));
}
/* vlan */
if (f->vlan_idx > 0) {
json_t *js_vlan = json_array();
json_array_append_new(js_vlan, json_integer(f->vlan_id[0]));
if (f->vlan_idx > 1) {
json_array_append_new(js_vlan, json_integer(f->vlan_id[1]));
}
json_object_set_new(js, "vlan", js_vlan);
}
/* tuple */
json_object_set_new(js, "src_ip", json_string(srcip));
switch(f->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "src_port", json_integer(sp));
break;
}
json_object_set_new(js, "dest_ip", json_string(dstip));
switch(f->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "dest_port", json_integer(dp));
break;
}
json_object_set_new(js, "proto", json_string(proto));
switch (f->proto) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
json_object_set_new(js, "icmp_type",
json_integer(f->icmp_s.type));
json_object_set_new(js, "icmp_code",
json_integer(f->icmp_s.code));
if (f->tosrcpktcnt) {
json_object_set_new(js, "response_icmp_type",
json_integer(f->icmp_d.type));
json_object_set_new(js, "response_icmp_code",
json_integer(f->icmp_d.code));
}
break;
}
return js;
}
static json_t *CreateJSONHeaderFromFlow(Flow *f, char *event_type, int dir)
{
char timebuf[64];
char srcip[46], dstip[46];
Port sp, dp;
json_t *js = json_object();
if (unlikely(js == NULL))
return NULL;
struct timeval tv;
memset(&tv, 0x00, sizeof(tv));
TimeGet(&tv);
CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));
srcip[0] = '\0';
dstip[0] = '\0';
if (FLOW_IS_IPV4(f)) {
if (dir == 0) {
PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
} else {
PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip));
}
} else if (FLOW_IS_IPV6(f)) {
if (dir == 0) {
PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
} else {
PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip));
}
}
if (dir == 0) {
sp = f->sp;
dp = f->dp;
} else {
sp = f->dp;
dp = f->sp;
}
char proto[16];
if (SCProtoNameValid(f->proto) == TRUE) {
strlcpy(proto, known_proto[f->proto], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "%03" PRIu32, f->proto);
}
/* time */
json_object_set_new(js, "timestamp", json_string(timebuf));
CreateJSONFlowId(js, (const Flow *)f);
#if 0 // TODO
/* sensor id */
if (sensor_id >= 0)
json_object_set_new(js, "sensor_id", json_integer(sensor_id));
#endif
if (event_type) {
json_object_set_new(js, "event_type", json_string(event_type));
}
#if 0
/* vlan */
if (f->vlan_id[0] > 0) {
json_t *js_vlan;
switch (f->vlan_idx) {
case 1:
json_object_set_new(js, "vlan",
json_integer(f->vlan_id[0]));
break;
case 2:
js_vlan = json_array();
if (unlikely(js != NULL)) {
json_array_append_new(js_vlan,
json_integer(VLAN_GET_ID1(p)));
json_array_append_new(js_vlan,
json_integer(VLAN_GET_ID2(p)));
json_object_set_new(js, "vlan", js_vlan);
}
break;
default:
/* shouldn't get here */
break;
}
}
#endif
/* tuple */
json_object_set_new(js, "src_ip", json_string(srcip));
switch(f->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "src_port", json_integer(sp));
break;
}
json_object_set_new(js, "dest_ip", json_string(dstip));
switch(f->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "dest_port", json_integer(dp));
break;
}
json_object_set_new(js, "proto", json_string(proto));
switch (f->proto) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
json_object_set_new(js, "icmp_type",
json_integer(f->type));
json_object_set_new(js, "icmp_code",
json_integer(f->code));
break;
}
return js;
}
