suricata.8.0.0/custom-logger_8c_source.html

/* Copyright (C) 2023-2024 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


#include "suricata-common.h"

#include "suricata-plugin.h"


#include "output-packet.h"

#include "output-flow.h"

#include "output-tx.h"

#include "util-print.h"

#include "output.h"


static int CustomPacketLogger(ThreadVars *tv, void *thread_data, const Packet *p)

{

    char src_ip[46] = { 0 }, dst_ip[46] = { 0 };


    if (PacketIsIPv4(p)) {

        PrintInet(AF_INET, (const void *)&(p->src.addr_data32[0]), src_ip, sizeof(src_ip));

        PrintInet(AF_INET, (const void *)&(p->dst.addr_data32[0]), dst_ip, sizeof(dst_ip));

    } else if (PacketIsIPv6(p)) {

        PrintInet(AF_INET6, (const void *)&(p->src.address), src_ip, sizeof(src_ip));

        PrintInet(AF_INET6, (const void *)&(p->dst.address), dst_ip, sizeof(dst_ip));

    } else {

        SCLogNotice("Packet is not IP");

        return 0;

    }

    SCLogNotice("Packet: %s -> %s", src_ip, dst_ip);

    return 0;

}


static bool CustomPacketLoggerCondition(ThreadVars *tv, void *thread_data, const Packet *)

{

    /* Always true for this example. */

    return true;

}


static int CustomFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)

{

    char src_ip[46] = { 0 }, dst_ip[46] = { 0 };

    Port sp, dp;


    if ((f->flags & FLOW_DIR_REVERSED) == 0) {

        if (FLOW_IS_IPV4(f)) {

            PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), src_ip, sizeof(src_ip));

            PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dst_ip, sizeof(dst_ip));

        } else if (FLOW_IS_IPV6(f)) {

            PrintInet(AF_INET6, (const void *)&(f->src.address), src_ip, sizeof(src_ip));

            PrintInet(AF_INET6, (const void *)&(f->dst.address), dst_ip, sizeof(dst_ip));

        }

        sp = f->sp;

        dp = f->dp;

    } else {

        if (FLOW_IS_IPV4(f)) {

            PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), src_ip, sizeof(src_ip));

            PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dst_ip, sizeof(dst_ip));

        } else if (FLOW_IS_IPV6(f)) {

            PrintInet(AF_INET6, (const void *)&(f->dst.address), src_ip, sizeof(src_ip));

            PrintInet(AF_INET6, (const void *)&(f->src.address), dst_ip, sizeof(dst_ip));

        }

        sp = f->dp;

        dp = f->sp;

    }


    SCLogNotice("Flow: %s:%u -> %s:%u", src_ip, sp, dst_ip, dp);


    return 0;

}


static int CustomDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state,

        void *tx, uint64_t tx_id)

{

    SCLogNotice("We have a DNS transaction");

    return 0;

}


static TmEcode ThreadInit(ThreadVars *tv, const void *initdata, void **data)

{

    return TM_ECODE_OK;

}


static TmEcode ThreadDeinit(ThreadVars *tv, void *data)

{

    // Nothing to do. If we allocated data in ThreadInit we would free

    // it here.

    return TM_ECODE_OK;

}


static void OnLoggingReady(void *arg)

{

    SCOutputRegisterPacketLogger(LOGGER_USER, "custom-packet-logger", CustomPacketLogger,

            CustomPacketLoggerCondition, NULL, ThreadInit, ThreadDeinit);

    SCOutputRegisterFlowLogger(

            "custom-flow-logger", CustomFlowLogger, NULL, ThreadInit, ThreadDeinit);

    SCOutputRegisterTxLogger(LOGGER_USER, "custom-dns-logger", ALPROTO_DNS, CustomDnsLogger, NULL,

            -1, -1, NULL, ThreadInit, ThreadDeinit);

}


static void Init(void)

{

    // Register our callback for when logging is ready.

    SCRegisterOnLoggingReady(OnLoggingReady, NULL);

}


const SCPlugin PluginRegistration = {

    .version = SC_API_VERSION,

    .suricata_version = SC_PACKAGE_VERSION,

    .name = "CustomLogger",

    .plugin_version = "1.0.0",

    .author = "Firstname Lastname",

    .license = "GPLv2",

    .Init = Init,

};


const SCPlugin *SCPluginRegister(void)

{

    return &PluginRegistration;

}


ALPROTO_DNS
@ ALPROTO_DNS
Definition app-layer-protos.h:47

SCPluginRegister
const SCPlugin * SCPluginRegister(void)
Definition custom-logger.c:128

PluginRegistration
const SCPlugin PluginRegistration
Definition custom-logger.c:118

Port
uint16_t Port
Definition decode.h:218

FLOW_IS_IPV6
#define FLOW_IS_IPV6(f)
Definition flow.h:172

FLOW_DIR_REVERSED
#define FLOW_DIR_REVERSED
Definition flow.h:112

FLOW_IS_IPV4
#define FLOW_IS_IPV4(f)
Definition flow.h:170

tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32

SCOutputRegisterFlowLogger
int SCOutputRegisterFlowLogger(const char *name, FlowLogger LogFunc, void *initdata, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Register a flow logger.
Definition output-flow.c:58

output-flow.h

SCOutputRegisterPacketLogger
int SCOutputRegisterPacketLogger(LoggerId logger_id, const char *name, PacketLogger LogFunc, PacketLogCondition ConditionFunc, void *initdata, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Register a packet logger.
Definition output-packet.c:55

output-packet.h

SCOutputRegisterTxLogger
int SCOutputRegisterTxLogger(LoggerId id, const char *name, AppProto alproto, TxLogger LogFunc, void *initdata, int tc_log_progress, int ts_log_progress, TxLoggerCondition LogCondition, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Register a transaction logger.
Definition output-tx.c:66

output-tx.h

SCRegisterOnLoggingReady
int SCRegisterOnLoggingReady(SCOnLoggingReadyCallback callback, void *arg)
Register a callback to be called when logging is ready.
Definition output.c:757

output.h

Address_::address
union Address_::@30 address

FlowAddress_::address
union FlowAddress_::@128 address

Flow_
Flow data structure.
Definition flow.h:356

Flow_::dp
Port dp
Definition flow.h:372

Flow_::flags
uint32_t flags
Definition flow.h:421

Flow_::src
FlowAddress src
Definition flow.h:359

Flow_::sp
Port sp
Definition flow.h:361

Flow_::dst
FlowAddress dst
Definition flow.h:359

Packet_
Definition decode.h:501

Packet_::src
Address src
Definition decode.h:505

Packet_::dst
Address dst
Definition decode.h:506

SCPlugin_
Definition suricata-plugin.h:41

SCPlugin_::version
uint64_t version
Definition suricata-plugin.h:43

ThreadVars_
Per thread variable structure.
Definition threadvars.h:58

suricata-common.h

LOGGER_USER
@ LOGGER_USER
Definition suricata-common.h:515

suricata-plugin.h

SC_PACKAGE_VERSION
#define SC_PACKAGE_VERSION
Definition suricata-plugin.h:36

TmEcode
TmEcode
Definition tm-threads-common.h:80

TM_ECODE_OK
@ TM_ECODE_OK
Definition tm-threads-common.h:81

SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition util-debug.h:243

PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition util-print.c:231

util-print.h