aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/suricata/src/output-json.c
diff options
context:
space:
mode:
Diffstat (limited to 'framework/src/suricata/src/output-json.c')
-rw-r--r--framework/src/suricata/src/output-json.c584
1 files changed, 584 insertions, 0 deletions
diff --git a/framework/src/suricata/src/output-json.c b/framework/src/suricata/src/output-json.c
new file mode 100644
index 00000000..74289f1b
--- /dev/null
+++ b/framework/src/suricata/src/output-json.c
@@ -0,0 +1,584 @@
+/* Copyright (C) 2007-2013 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Tom DeCanio <td@npulsetech.com>
+ *
+ * Logs alerts in JSON format.
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "flow.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "tm-threads.h"
+#include "threadvars.h"
+#include "util-debug.h"
+
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-reference.h"
+#include "app-layer-parser.h"
+#include "util-classification-config.h"
+#include "util-syslog.h"
+
+#include "output.h"
+#include "output-json.h"
+
+#include "util-byte.h"
+#include "util-privs.h"
+#include "util-print.h"
+#include "util-proto-name.h"
+#include "util-optimize.h"
+#include "util-buffer.h"
+#include "util-logopenfile.h"
+#include "util-device.h"
+
+
+#ifndef HAVE_LIBJANSSON
+
+/** Handle the case where no JSON support is compiled in.
+ *
+ */
+
+TmEcode OutputJson (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
+TmEcode OutputJsonThreadInit(ThreadVars *, void *, void **);
+TmEcode OutputJsonThreadDeinit(ThreadVars *, void *);
+int OutputJsonOpenFileCtx(LogFileCtx *, char *);
+void OutputJsonRegisterTests(void);
+
+void TmModuleOutputJsonRegister (void)
+{
+ tmm_modules[TMM_OUTPUTJSON].name = "OutputJSON";
+ tmm_modules[TMM_OUTPUTJSON].ThreadInit = OutputJsonThreadInit;
+ tmm_modules[TMM_OUTPUTJSON].Func = OutputJson;
+ tmm_modules[TMM_OUTPUTJSON].ThreadDeinit = OutputJsonThreadDeinit;
+ tmm_modules[TMM_OUTPUTJSON].RegisterTests = OutputJsonRegisterTests;
+}
+
+OutputCtx *OutputJsonInitCtx(ConfNode *conf)
+{
+ SCLogDebug("Can't init JSON output - JSON support was disabled during build.");
+ return NULL;
+}
+
+TmEcode OutputJsonThreadInit(ThreadVars *t, void *initdata, void **data)
+{
+ SCLogDebug("Can't init JSON output thread - JSON support was disabled during build.");
+ return TM_ECODE_FAILED;
+}
+
+TmEcode OutputJson (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
+{
+ return TM_ECODE_OK;
+}
+
+TmEcode OutputJsonThreadDeinit(ThreadVars *t, void *data)
+{
+ return TM_ECODE_FAILED;
+}
+
+void OutputJsonRegisterTests (void)
+{
+}
+
+#else /* implied we do have JSON support */
+
+#include <jansson.h>
+
+#define DEFAULT_LOG_FILENAME "eve.json"
+#define DEFAULT_ALERT_SYSLOG_FACILITY_STR "local0"
+#define DEFAULT_ALERT_SYSLOG_FACILITY LOG_LOCAL0
+#define DEFAULT_ALERT_SYSLOG_LEVEL LOG_INFO
+#define MODULE_NAME "OutputJSON"
+
+#define OUTPUT_BUFFER_SIZE 65535
+
+#ifndef OS_WIN32
+static int alert_syslog_level = DEFAULT_ALERT_SYSLOG_LEVEL;
+#endif /* OS_WIN32 */
+
+TmEcode OutputJson (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
+TmEcode OutputJsonThreadInit(ThreadVars *, void *, void **);
+TmEcode OutputJsonThreadDeinit(ThreadVars *, void *);
+void OutputJsonExitPrintStats(ThreadVars *, void *);
+void OutputJsonRegisterTests(void);
+static void OutputJsonDeInitCtx(OutputCtx *);
+
+void TmModuleOutputJsonRegister (void)
+{
+ tmm_modules[TMM_OUTPUTJSON].name = MODULE_NAME;
+ tmm_modules[TMM_OUTPUTJSON].ThreadInit = OutputJsonThreadInit;
+ tmm_modules[TMM_OUTPUTJSON].Func = OutputJson;
+ tmm_modules[TMM_OUTPUTJSON].ThreadExitPrintStats = OutputJsonExitPrintStats;
+ tmm_modules[TMM_OUTPUTJSON].ThreadDeinit = OutputJsonThreadDeinit;
+ tmm_modules[TMM_OUTPUTJSON].RegisterTests = OutputJsonRegisterTests;
+ tmm_modules[TMM_OUTPUTJSON].cap_flags = 0;
+
+ OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
+}
+
+/* Default Sensor ID value */
+static int64_t sensor_id = -1; /* -1 = not defined */
+
+/** \brief jsonify tcp flags field
+ * Only add 'true' fields in an attempt to keep things reasonably compact.
+ */
+void JsonTcpFlags(uint8_t flags, json_t *js)
+{
+ if (flags & TH_SYN)
+ json_object_set_new(js, "syn", json_true());
+ if (flags & TH_FIN)
+ json_object_set_new(js, "fin", json_true());
+ if (flags & TH_RST)
+ json_object_set_new(js, "rst", json_true());
+ if (flags & TH_PUSH)
+ json_object_set_new(js, "psh", json_true());
+ if (flags & TH_ACK)
+ json_object_set_new(js, "ack", json_true());
+ if (flags & TH_URG)
+ json_object_set_new(js, "urg", json_true());
+ if (flags & TH_ECN)
+ json_object_set_new(js, "ecn", json_true());
+ if (flags & TH_CWR)
+ json_object_set_new(js, "cwr", json_true());
+}
+
+void CreateJSONFlowId(json_t *js, const Flow *f)
+{
+ if (f == NULL)
+ return;
+#if __WORDSIZE == 64
+ uint64_t addr = (uint64_t)f;
+#else
+ uint32_t addr = (uint32_t)f;
+#endif
+ json_object_set_new(js, "flow_id", json_integer(addr));
+}
+
+json_t *CreateJSONHeader(Packet *p, int direction_sensitive, char *event_type)
+{
+ char timebuf[64];
+ char srcip[46], dstip[46];
+ Port sp, dp;
+
+ json_t *js = json_object();
+ if (unlikely(js == NULL))
+ return NULL;
+
+ CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
+
+ srcip[0] = '\0';
+ dstip[0] = '\0';
+ if (direction_sensitive) {
+ if ((PKT_IS_TOSERVER(p))) {
+ if (PKT_IS_IPV4(p)) {
+ PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
+ PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
+ } else if (PKT_IS_IPV6(p)) {
+ PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
+ PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
+ }
+ sp = p->sp;
+ dp = p->dp;
+ } else {
+ if (PKT_IS_IPV4(p)) {
+ PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
+ PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
+ } else if (PKT_IS_IPV6(p)) {
+ PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));
+ PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));
+ }
+ sp = p->dp;
+ dp = p->sp;
+ }
+ } else {
+ if (PKT_IS_IPV4(p)) {
+ PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
+ PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
+ } else if (PKT_IS_IPV6(p)) {
+ PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
+ PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
+ }
+ sp = p->sp;
+ dp = p->dp;
+ }
+
+ char proto[16];
+ if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
+ strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
+ } else {
+ snprintf(proto, sizeof(proto), "%03" PRIu32, IP_GET_IPPROTO(p));
+ }
+
+ /* time & tx */
+ json_object_set_new(js, "timestamp", json_string(timebuf));
+
+ CreateJSONFlowId(js, (const Flow *)p->flow);
+
+ /* sensor id */
+ if (sensor_id >= 0)
+ json_object_set_new(js, "sensor_id", json_integer(sensor_id));
+
+ /* input interface */
+ if (p->livedev) {
+ json_object_set_new(js, "in_iface", json_string(p->livedev->dev));
+ }
+
+ /* pcap_cnt */
+ if (p->pcap_cnt != 0) {
+ json_object_set_new(js, "pcap_cnt", json_integer(p->pcap_cnt));
+ }
+
+ if (event_type) {
+ json_object_set_new(js, "event_type", json_string(event_type));
+ }
+
+ /* vlan */
+ if (p->vlan_idx > 0) {
+ json_t *js_vlan;
+ switch (p->vlan_idx) {
+ case 1:
+ json_object_set_new(js, "vlan",
+ json_integer(VLAN_GET_ID1(p)));
+ break;
+ case 2:
+ js_vlan = json_array();
+ if (unlikely(js != NULL)) {
+ json_array_append_new(js_vlan,
+ json_integer(VLAN_GET_ID1(p)));
+ json_array_append_new(js_vlan,
+ json_integer(VLAN_GET_ID2(p)));
+ json_object_set_new(js, "vlan", js_vlan);
+ }
+ break;
+ default:
+ /* shouldn't get here */
+ break;
+ }
+ }
+
+ /* tuple */
+ json_object_set_new(js, "src_ip", json_string(srcip));
+ switch(p->proto) {
+ case IPPROTO_ICMP:
+ break;
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ json_object_set_new(js, "src_port", json_integer(sp));
+ break;
+ }
+ json_object_set_new(js, "dest_ip", json_string(dstip));
+ switch(p->proto) {
+ case IPPROTO_ICMP:
+ break;
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ json_object_set_new(js, "dest_port", json_integer(dp));
+ break;
+ }
+ json_object_set_new(js, "proto", json_string(proto));
+ switch (p->proto) {
+ case IPPROTO_ICMP:
+ if (p->icmpv4h) {
+ json_object_set_new(js, "icmp_type",
+ json_integer(p->icmpv4h->type));
+ json_object_set_new(js, "icmp_code",
+ json_integer(p->icmpv4h->code));
+ }
+ break;
+ case IPPROTO_ICMPV6:
+ if (p->icmpv6h) {
+ json_object_set_new(js, "icmp_type",
+ json_integer(p->icmpv6h->type));
+ json_object_set_new(js, "icmp_code",
+ json_integer(p->icmpv6h->code));
+ }
+ break;
+ }
+
+ return js;
+}
+
+int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer *buffer)
+{
+ char *js_s = json_dumps(js,
+ JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
+#ifdef JSON_ESCAPE_SLASH
+ JSON_ESCAPE_SLASH
+#else
+ 0
+#endif
+ );
+ if (unlikely(js_s == NULL))
+ return TM_ECODE_OK;
+
+ SCMutexLock(&file_ctx->fp_mutex);
+ if (file_ctx->type == LOGFILE_TYPE_SYSLOG)
+ {
+ if (file_ctx->prefix != NULL)
+ {
+ syslog(alert_syslog_level, "%s%s", file_ctx->prefix, js_s);
+ }
+ else
+ {
+ syslog(alert_syslog_level, "%s", js_s);
+ }
+ }
+ else if (file_ctx->type == LOGFILE_TYPE_FILE ||
+ file_ctx->type == LOGFILE_TYPE_UNIX_DGRAM ||
+ file_ctx->type == LOGFILE_TYPE_UNIX_STREAM)
+ {
+ if (file_ctx->prefix != NULL)
+ {
+ MemBufferWriteString(buffer, "%s%s\n", file_ctx->prefix, js_s);
+ }
+ else
+ {
+ MemBufferWriteString(buffer, "%s\n", js_s);
+ }
+ file_ctx->Write((const char *)MEMBUFFER_BUFFER(buffer),
+ MEMBUFFER_OFFSET(buffer), file_ctx);
+ }
+ SCMutexUnlock(&file_ctx->fp_mutex);
+ free(js_s);
+ return 0;
+}
+
+TmEcode OutputJson (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
+{
+ return TM_ECODE_OK;
+}
+
+TmEcode OutputJsonThreadInit(ThreadVars *t, void *initdata, void **data)
+{
+ AlertJsonThread *aft = SCMalloc(sizeof(AlertJsonThread));
+ if (unlikely(aft == NULL))
+ return TM_ECODE_FAILED;
+ memset(aft, 0, sizeof(AlertJsonThread));
+
+ if(initdata == NULL)
+ {
+ SCLogDebug("Error getting context for AlertJson. \"initdata\" argument NULL");
+ SCFree(aft);
+ return TM_ECODE_FAILED;
+ }
+
+ *data = (void *)aft;
+ return TM_ECODE_OK;
+}
+
+TmEcode OutputJsonThreadDeinit(ThreadVars *t, void *data)
+{
+ AlertJsonThread *aft = (AlertJsonThread *)data;
+ if (aft == NULL) {
+ return TM_ECODE_OK;
+ }
+
+ SCFree(aft);
+ return TM_ECODE_OK;
+}
+
+void OutputJsonExitPrintStats(ThreadVars *tv, void *data)
+{
+ AlertJsonThread *aft = (AlertJsonThread *)data;
+ if (aft == NULL) {
+ return;
+ }
+
+ SCLogInfo("JSON output wrote %" PRIu64 " alerts", aft->file_ctx->alerts);
+
+}
+
+/**
+ * \brief Create a new LogFileCtx for "fast" output style.
+ * \param conf The configuration node for this output.
+ * \return A LogFileCtx pointer on success, NULL on failure.
+ */
+OutputCtx *OutputJsonInitCtx(ConfNode *conf)
+{
+ OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));;
+ if (unlikely(json_ctx == NULL)) {
+ SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
+ return NULL;
+ }
+
+ json_ctx->file_ctx = LogFileNewCtx();
+ if (unlikely(json_ctx->file_ctx == NULL)) {
+ SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
+ SCFree(json_ctx);
+ return NULL;
+ }
+
+ OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
+ if (unlikely(output_ctx == NULL)) {
+ LogFileFreeCtx(json_ctx->file_ctx);
+ SCFree(json_ctx);
+ return NULL;
+ }
+
+ output_ctx->data = json_ctx;
+ output_ctx->DeInit = OutputJsonDeInitCtx;
+
+ if (conf) {
+ const char *output_s = ConfNodeLookupChildValue(conf, "filetype");
+
+ // Backwards compatibility
+ if (output_s == NULL) {
+ output_s = ConfNodeLookupChildValue(conf, "type");
+ }
+
+ if (output_s != NULL) {
+ if (strcmp(output_s, "file") == 0 ||
+ strcmp(output_s, "regular") == 0) {
+ json_ctx->json_out = LOGFILE_TYPE_FILE;
+ } else if (strcmp(output_s, "syslog") == 0) {
+ json_ctx->json_out = LOGFILE_TYPE_SYSLOG;
+ } else if (strcmp(output_s, "unix_dgram") == 0) {
+ json_ctx->json_out = LOGFILE_TYPE_UNIX_DGRAM;
+ } else if (strcmp(output_s, "unix_stream") == 0) {
+ json_ctx->json_out = LOGFILE_TYPE_UNIX_STREAM;
+ } else {
+ SCLogError(SC_ERR_INVALID_ARGUMENT,
+ "Invalid JSON output option: %s", output_s);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ const char *prefix = ConfNodeLookupChildValue(conf, "prefix");
+ if (prefix != NULL)
+ {
+ json_ctx->file_ctx->prefix = SCStrdup(prefix);
+ if (json_ctx->file_ctx->prefix == NULL)
+ {
+ SCLogError(SC_ERR_MEM_ALLOC,
+ "Failed to allocate memory for eve-log.prefix setting.");
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (json_ctx->json_out == LOGFILE_TYPE_FILE ||
+ json_ctx->json_out == LOGFILE_TYPE_UNIX_DGRAM ||
+ json_ctx->json_out == LOGFILE_TYPE_UNIX_STREAM)
+ {
+ if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
+ LogFileFreeCtx(json_ctx->file_ctx);
+ SCFree(json_ctx);
+ SCFree(output_ctx);
+ return NULL;
+ }
+ OutputRegisterFileRotationFlag(&json_ctx->file_ctx->rotation_flag);
+
+ const char *format_s = ConfNodeLookupChildValue(conf, "format");
+ if (format_s != NULL) {
+ if (strcmp(format_s, "indent") == 0) {
+ json_ctx->format = INDENT;
+ } else if (strcmp(format_s, "compact") == 0) {
+ json_ctx->format = COMPACT;
+ } else {
+ SCLogError(SC_ERR_INVALID_ARGUMENT,
+ "Invalid JSON format option: %s", format_s);
+ exit(EXIT_FAILURE);
+ }
+ }
+ } else if (json_ctx->json_out == LOGFILE_TYPE_SYSLOG) {
+ const char *facility_s = ConfNodeLookupChildValue(conf, "facility");
+ if (facility_s == NULL) {
+ facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR;
+ }
+
+ int facility = SCMapEnumNameToValue(facility_s, SCSyslogGetFacilityMap());
+ if (facility == -1) {
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\","
+ " now using \"%s\" as syslog facility", facility_s,
+ DEFAULT_ALERT_SYSLOG_FACILITY_STR);
+ facility = DEFAULT_ALERT_SYSLOG_FACILITY;
+ }
+
+ const char *level_s = ConfNodeLookupChildValue(conf, "level");
+ if (level_s != NULL) {
+ int level = SCMapEnumNameToValue(level_s, SCSyslogGetLogLevelMap());
+ if (level != -1) {
+ alert_syslog_level = level;
+ }
+ }
+
+ const char *ident = ConfNodeLookupChildValue(conf, "identity");
+ /* if null we just pass that to openlog, which will then
+ * figure it out by itself. */
+
+ openlog(ident, LOG_PID|LOG_NDELAY, facility);
+
+ }
+
+ const char *sensor_id_s = ConfNodeLookupChildValue(conf, "sensor-id");
+ if (sensor_id_s != NULL) {
+ if (ByteExtractStringUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) == -1) {
+ SCLogError(SC_ERR_INVALID_ARGUMENT,
+ "Failed to initialize JSON output, "
+ "invalid sensor-is: %s", sensor_id_s);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ json_ctx->file_ctx->type = json_ctx->json_out;
+ }
+
+ SCLogDebug("returning output_ctx %p", output_ctx);
+ return output_ctx;
+}
+
+static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
+{
+ OutputJsonCtx *json_ctx = (OutputJsonCtx *)output_ctx->data;
+ LogFileCtx *logfile_ctx = json_ctx->file_ctx;
+ LogFileFreeCtx(logfile_ctx);
+ SCFree(json_ctx);
+ SCFree(output_ctx);
+}
+
+/*------------------------------Unittests-------------------------------------*/
+
+#ifdef UNITTESTS
+
+#endif /* UNITTESTS */
+
+/**
+ * \brief This function registers unit tests for AlertFastLog API.
+ */
+void OutputJsonRegisterTests(void)
+{
+
+#ifdef UNITTESTS
+
+#endif /* UNITTESTS */
+
+}
+#endif