diff options
author | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
---|---|---|
committer | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
commit | 8879b125d26e8db1a5633de5a9c692eb2d1c4f83 (patch) | |
tree | c7259d85a991b83dfa85ab2e339360669fc1f58e /framework/src/suricata/src/output-json.c | |
parent | 13d05bc8458758ee39cb829098241e89616717ee (diff) |
suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a
Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f
Diffstat (limited to 'framework/src/suricata/src/output-json.c')
-rw-r--r-- | framework/src/suricata/src/output-json.c | 584 |
1 files changed, 584 insertions, 0 deletions
diff --git a/framework/src/suricata/src/output-json.c b/framework/src/suricata/src/output-json.c new file mode 100644 index 00000000..74289f1b --- /dev/null +++ b/framework/src/suricata/src/output-json.c @@ -0,0 +1,584 @@ +/* Copyright (C) 2007-2013 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Tom DeCanio <td@npulsetech.com> + * + * Logs alerts in JSON format. + * + */ + +#include "suricata-common.h" +#include "debug.h" +#include "detect.h" +#include "flow.h" +#include "conf.h" + +#include "threads.h" +#include "tm-threads.h" +#include "threadvars.h" +#include "util-debug.h" + +#include "util-unittest.h" +#include "util-unittest-helper.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-reference.h" +#include "app-layer-parser.h" +#include "util-classification-config.h" +#include "util-syslog.h" + +#include "output.h" +#include "output-json.h" + +#include "util-byte.h" +#include "util-privs.h" +#include "util-print.h" +#include "util-proto-name.h" +#include "util-optimize.h" +#include "util-buffer.h" +#include "util-logopenfile.h" +#include "util-device.h" + + +#ifndef HAVE_LIBJANSSON + +/** Handle the case where no JSON support is compiled in. + * + */ + +TmEcode OutputJson (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); +TmEcode OutputJsonThreadInit(ThreadVars *, void *, void **); +TmEcode OutputJsonThreadDeinit(ThreadVars *, void *); +int OutputJsonOpenFileCtx(LogFileCtx *, char *); +void OutputJsonRegisterTests(void); + +void TmModuleOutputJsonRegister (void) +{ + tmm_modules[TMM_OUTPUTJSON].name = "OutputJSON"; + tmm_modules[TMM_OUTPUTJSON].ThreadInit = OutputJsonThreadInit; + tmm_modules[TMM_OUTPUTJSON].Func = OutputJson; + tmm_modules[TMM_OUTPUTJSON].ThreadDeinit = OutputJsonThreadDeinit; + tmm_modules[TMM_OUTPUTJSON].RegisterTests = OutputJsonRegisterTests; +} + +OutputCtx *OutputJsonInitCtx(ConfNode *conf) +{ + SCLogDebug("Can't init JSON output - JSON support was disabled during build."); + return NULL; +} + +TmEcode OutputJsonThreadInit(ThreadVars *t, void *initdata, void **data) +{ + SCLogDebug("Can't init JSON output thread - JSON support was disabled during build."); + return TM_ECODE_FAILED; +} + +TmEcode OutputJson (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) +{ + return TM_ECODE_OK; +} + +TmEcode OutputJsonThreadDeinit(ThreadVars *t, void *data) +{ + return TM_ECODE_FAILED; +} + +void OutputJsonRegisterTests (void) +{ +} + +#else /* implied we do have JSON support */ + +#include <jansson.h> + +#define DEFAULT_LOG_FILENAME "eve.json" +#define DEFAULT_ALERT_SYSLOG_FACILITY_STR "local0" +#define DEFAULT_ALERT_SYSLOG_FACILITY LOG_LOCAL0 +#define DEFAULT_ALERT_SYSLOG_LEVEL LOG_INFO +#define MODULE_NAME "OutputJSON" + +#define OUTPUT_BUFFER_SIZE 65535 + +#ifndef OS_WIN32 +static int alert_syslog_level = DEFAULT_ALERT_SYSLOG_LEVEL; +#endif /* OS_WIN32 */ + +TmEcode OutputJson (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); +TmEcode OutputJsonThreadInit(ThreadVars *, void *, void **); +TmEcode OutputJsonThreadDeinit(ThreadVars *, void *); +void OutputJsonExitPrintStats(ThreadVars *, void *); +void OutputJsonRegisterTests(void); +static void OutputJsonDeInitCtx(OutputCtx *); + +void TmModuleOutputJsonRegister (void) +{ + tmm_modules[TMM_OUTPUTJSON].name = MODULE_NAME; + tmm_modules[TMM_OUTPUTJSON].ThreadInit = OutputJsonThreadInit; + tmm_modules[TMM_OUTPUTJSON].Func = OutputJson; + tmm_modules[TMM_OUTPUTJSON].ThreadExitPrintStats = OutputJsonExitPrintStats; + tmm_modules[TMM_OUTPUTJSON].ThreadDeinit = OutputJsonThreadDeinit; + tmm_modules[TMM_OUTPUTJSON].RegisterTests = OutputJsonRegisterTests; + tmm_modules[TMM_OUTPUTJSON].cap_flags = 0; + + OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx); +} + +/* Default Sensor ID value */ +static int64_t sensor_id = -1; /* -1 = not defined */ + +/** \brief jsonify tcp flags field + * Only add 'true' fields in an attempt to keep things reasonably compact. + */ +void JsonTcpFlags(uint8_t flags, json_t *js) +{ + if (flags & TH_SYN) + json_object_set_new(js, "syn", json_true()); + if (flags & TH_FIN) + json_object_set_new(js, "fin", json_true()); + if (flags & TH_RST) + json_object_set_new(js, "rst", json_true()); + if (flags & TH_PUSH) + json_object_set_new(js, "psh", json_true()); + if (flags & TH_ACK) + json_object_set_new(js, "ack", json_true()); + if (flags & TH_URG) + json_object_set_new(js, "urg", json_true()); + if (flags & TH_ECN) + json_object_set_new(js, "ecn", json_true()); + if (flags & TH_CWR) + json_object_set_new(js, "cwr", json_true()); +} + +void CreateJSONFlowId(json_t *js, const Flow *f) +{ + if (f == NULL) + return; +#if __WORDSIZE == 64 + uint64_t addr = (uint64_t)f; +#else + uint32_t addr = (uint32_t)f; +#endif + json_object_set_new(js, "flow_id", json_integer(addr)); +} + +json_t *CreateJSONHeader(Packet *p, int direction_sensitive, char *event_type) +{ + char timebuf[64]; + char srcip[46], dstip[46]; + Port sp, dp; + + json_t *js = json_object(); + if (unlikely(js == NULL)) + return NULL; + + CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf)); + + srcip[0] = '\0'; + dstip[0] = '\0'; + if (direction_sensitive) { + if ((PKT_IS_TOSERVER(p))) { + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); + } + sp = p->sp; + dp = p->dp; + } else { + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip)); + } + sp = p->dp; + dp = p->sp; + } + } else { + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); + } + sp = p->sp; + dp = p->dp; + } + + char proto[16]; + if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) { + strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto)); + } else { + snprintf(proto, sizeof(proto), "%03" PRIu32, IP_GET_IPPROTO(p)); + } + + /* time & tx */ + json_object_set_new(js, "timestamp", json_string(timebuf)); + + CreateJSONFlowId(js, (const Flow *)p->flow); + + /* sensor id */ + if (sensor_id >= 0) + json_object_set_new(js, "sensor_id", json_integer(sensor_id)); + + /* input interface */ + if (p->livedev) { + json_object_set_new(js, "in_iface", json_string(p->livedev->dev)); + } + + /* pcap_cnt */ + if (p->pcap_cnt != 0) { + json_object_set_new(js, "pcap_cnt", json_integer(p->pcap_cnt)); + } + + if (event_type) { + json_object_set_new(js, "event_type", json_string(event_type)); + } + + /* vlan */ + if (p->vlan_idx > 0) { + json_t *js_vlan; + switch (p->vlan_idx) { + case 1: + json_object_set_new(js, "vlan", + json_integer(VLAN_GET_ID1(p))); + break; + case 2: + js_vlan = json_array(); + if (unlikely(js != NULL)) { + json_array_append_new(js_vlan, + json_integer(VLAN_GET_ID1(p))); + json_array_append_new(js_vlan, + json_integer(VLAN_GET_ID2(p))); + json_object_set_new(js, "vlan", js_vlan); + } + break; + default: + /* shouldn't get here */ + break; + } + } + + /* tuple */ + json_object_set_new(js, "src_ip", json_string(srcip)); + switch(p->proto) { + case IPPROTO_ICMP: + break; + case IPPROTO_UDP: + case IPPROTO_TCP: + case IPPROTO_SCTP: + json_object_set_new(js, "src_port", json_integer(sp)); + break; + } + json_object_set_new(js, "dest_ip", json_string(dstip)); + switch(p->proto) { + case IPPROTO_ICMP: + break; + case IPPROTO_UDP: + case IPPROTO_TCP: + case IPPROTO_SCTP: + json_object_set_new(js, "dest_port", json_integer(dp)); + break; + } + json_object_set_new(js, "proto", json_string(proto)); + switch (p->proto) { + case IPPROTO_ICMP: + if (p->icmpv4h) { + json_object_set_new(js, "icmp_type", + json_integer(p->icmpv4h->type)); + json_object_set_new(js, "icmp_code", + json_integer(p->icmpv4h->code)); + } + break; + case IPPROTO_ICMPV6: + if (p->icmpv6h) { + json_object_set_new(js, "icmp_type", + json_integer(p->icmpv6h->type)); + json_object_set_new(js, "icmp_code", + json_integer(p->icmpv6h->code)); + } + break; + } + + return js; +} + +int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer *buffer) +{ + char *js_s = json_dumps(js, + JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII| +#ifdef JSON_ESCAPE_SLASH + JSON_ESCAPE_SLASH +#else + 0 +#endif + ); + if (unlikely(js_s == NULL)) + return TM_ECODE_OK; + + SCMutexLock(&file_ctx->fp_mutex); + if (file_ctx->type == LOGFILE_TYPE_SYSLOG) + { + if (file_ctx->prefix != NULL) + { + syslog(alert_syslog_level, "%s%s", file_ctx->prefix, js_s); + } + else + { + syslog(alert_syslog_level, "%s", js_s); + } + } + else if (file_ctx->type == LOGFILE_TYPE_FILE || + file_ctx->type == LOGFILE_TYPE_UNIX_DGRAM || + file_ctx->type == LOGFILE_TYPE_UNIX_STREAM) + { + if (file_ctx->prefix != NULL) + { + MemBufferWriteString(buffer, "%s%s\n", file_ctx->prefix, js_s); + } + else + { + MemBufferWriteString(buffer, "%s\n", js_s); + } + file_ctx->Write((const char *)MEMBUFFER_BUFFER(buffer), + MEMBUFFER_OFFSET(buffer), file_ctx); + } + SCMutexUnlock(&file_ctx->fp_mutex); + free(js_s); + return 0; +} + +TmEcode OutputJson (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) +{ + return TM_ECODE_OK; +} + +TmEcode OutputJsonThreadInit(ThreadVars *t, void *initdata, void **data) +{ + AlertJsonThread *aft = SCMalloc(sizeof(AlertJsonThread)); + if (unlikely(aft == NULL)) + return TM_ECODE_FAILED; + memset(aft, 0, sizeof(AlertJsonThread)); + + if(initdata == NULL) + { + SCLogDebug("Error getting context for AlertJson. \"initdata\" argument NULL"); + SCFree(aft); + return TM_ECODE_FAILED; + } + + *data = (void *)aft; + return TM_ECODE_OK; +} + +TmEcode OutputJsonThreadDeinit(ThreadVars *t, void *data) +{ + AlertJsonThread *aft = (AlertJsonThread *)data; + if (aft == NULL) { + return TM_ECODE_OK; + } + + SCFree(aft); + return TM_ECODE_OK; +} + +void OutputJsonExitPrintStats(ThreadVars *tv, void *data) +{ + AlertJsonThread *aft = (AlertJsonThread *)data; + if (aft == NULL) { + return; + } + + SCLogInfo("JSON output wrote %" PRIu64 " alerts", aft->file_ctx->alerts); + +} + +/** + * \brief Create a new LogFileCtx for "fast" output style. + * \param conf The configuration node for this output. + * \return A LogFileCtx pointer on success, NULL on failure. + */ +OutputCtx *OutputJsonInitCtx(ConfNode *conf) +{ + OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));; + if (unlikely(json_ctx == NULL)) { + SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx"); + return NULL; + } + + json_ctx->file_ctx = LogFileNewCtx(); + if (unlikely(json_ctx->file_ctx == NULL)) { + SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx"); + SCFree(json_ctx); + return NULL; + } + + OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx)); + if (unlikely(output_ctx == NULL)) { + LogFileFreeCtx(json_ctx->file_ctx); + SCFree(json_ctx); + return NULL; + } + + output_ctx->data = json_ctx; + output_ctx->DeInit = OutputJsonDeInitCtx; + + if (conf) { + const char *output_s = ConfNodeLookupChildValue(conf, "filetype"); + + // Backwards compatibility + if (output_s == NULL) { + output_s = ConfNodeLookupChildValue(conf, "type"); + } + + if (output_s != NULL) { + if (strcmp(output_s, "file") == 0 || + strcmp(output_s, "regular") == 0) { + json_ctx->json_out = LOGFILE_TYPE_FILE; + } else if (strcmp(output_s, "syslog") == 0) { + json_ctx->json_out = LOGFILE_TYPE_SYSLOG; + } else if (strcmp(output_s, "unix_dgram") == 0) { + json_ctx->json_out = LOGFILE_TYPE_UNIX_DGRAM; + } else if (strcmp(output_s, "unix_stream") == 0) { + json_ctx->json_out = LOGFILE_TYPE_UNIX_STREAM; + } else { + SCLogError(SC_ERR_INVALID_ARGUMENT, + "Invalid JSON output option: %s", output_s); + exit(EXIT_FAILURE); + } + } + + const char *prefix = ConfNodeLookupChildValue(conf, "prefix"); + if (prefix != NULL) + { + json_ctx->file_ctx->prefix = SCStrdup(prefix); + if (json_ctx->file_ctx->prefix == NULL) + { + SCLogError(SC_ERR_MEM_ALLOC, + "Failed to allocate memory for eve-log.prefix setting."); + exit(EXIT_FAILURE); + } + } + + if (json_ctx->json_out == LOGFILE_TYPE_FILE || + json_ctx->json_out == LOGFILE_TYPE_UNIX_DGRAM || + json_ctx->json_out == LOGFILE_TYPE_UNIX_STREAM) + { + if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) { + LogFileFreeCtx(json_ctx->file_ctx); + SCFree(json_ctx); + SCFree(output_ctx); + return NULL; + } + OutputRegisterFileRotationFlag(&json_ctx->file_ctx->rotation_flag); + + const char *format_s = ConfNodeLookupChildValue(conf, "format"); + if (format_s != NULL) { + if (strcmp(format_s, "indent") == 0) { + json_ctx->format = INDENT; + } else if (strcmp(format_s, "compact") == 0) { + json_ctx->format = COMPACT; + } else { + SCLogError(SC_ERR_INVALID_ARGUMENT, + "Invalid JSON format option: %s", format_s); + exit(EXIT_FAILURE); + } + } + } else if (json_ctx->json_out == LOGFILE_TYPE_SYSLOG) { + const char *facility_s = ConfNodeLookupChildValue(conf, "facility"); + if (facility_s == NULL) { + facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR; + } + + int facility = SCMapEnumNameToValue(facility_s, SCSyslogGetFacilityMap()); + if (facility == -1) { + SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\"," + " now using \"%s\" as syslog facility", facility_s, + DEFAULT_ALERT_SYSLOG_FACILITY_STR); + facility = DEFAULT_ALERT_SYSLOG_FACILITY; + } + + const char *level_s = ConfNodeLookupChildValue(conf, "level"); + if (level_s != NULL) { + int level = SCMapEnumNameToValue(level_s, SCSyslogGetLogLevelMap()); + if (level != -1) { + alert_syslog_level = level; + } + } + + const char *ident = ConfNodeLookupChildValue(conf, "identity"); + /* if null we just pass that to openlog, which will then + * figure it out by itself. */ + + openlog(ident, LOG_PID|LOG_NDELAY, facility); + + } + + const char *sensor_id_s = ConfNodeLookupChildValue(conf, "sensor-id"); + if (sensor_id_s != NULL) { + if (ByteExtractStringUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) == -1) { + SCLogError(SC_ERR_INVALID_ARGUMENT, + "Failed to initialize JSON output, " + "invalid sensor-is: %s", sensor_id_s); + exit(EXIT_FAILURE); + } + } + + json_ctx->file_ctx->type = json_ctx->json_out; + } + + SCLogDebug("returning output_ctx %p", output_ctx); + return output_ctx; +} + +static void OutputJsonDeInitCtx(OutputCtx *output_ctx) +{ + OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data; + LogFileCtx *logfile_ctx = json_ctx->file_ctx; + LogFileFreeCtx(logfile_ctx); + SCFree(json_ctx); + SCFree(output_ctx); +} + +/*------------------------------Unittests-------------------------------------*/ + +#ifdef UNITTESTS + +#endif /* UNITTESTS */ + +/** + * \brief This function registers unit tests for AlertFastLog API. + */ +void OutputJsonRegisterTests(void) +{ + +#ifdef UNITTESTS + +#endif /* UNITTESTS */ + +} +#endif |