suricata.8.0.0/output-eve-stream_8c_source.html

/* Copyright (C) 2023-2024 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 */


#include "suricata-common.h"

#include "packet.h"

#include "detect.h"

#include "flow.h"

#include "conf.h"


#include "threads.h"

#include "tm-threads.h"

#include "threadvars.h"

#include "util-debug.h"


#include "decode-ipv4.h"

#include "detect-parse.h"

#include "detect-engine.h"

#include "detect-engine-mpm.h"

#include "detect-reference.h"


#include "output.h"

#include "output-json.h"

#include "output-json-flow.h"

#include "output-eve-stream.h"


#include "stream-tcp.h"


#include "util-unittest.h"

#include "util-unittest-helper.h"

#include "util-classification-config.h"

#include "util-privs.h"

#include "util-print.h"

#include "util-proto-name.h"

#include "util-logopenfile.h"

#include "util-time.h"

#include "util-buffer.h"


#include "action-globals.h"


#define MODULE_NAME "EveStreamLog"


typedef struct EveStreamOutputCtx_ {

    uint16_t trigger_flags; /**< presence of flags in packet trigger logging. 0xffff for all. */

    OutputJsonCtx *eve_ctx;

} EveStreamOutputCtx;


typedef struct EveStreamLogThread_ {

    EveStreamOutputCtx *stream_ctx;

    OutputJsonThreadCtx *ctx;

} EveStreamLogThread;


static TmEcode EveStreamLogThreadInit(ThreadVars *t, const void *initdata, void **data)

{

    EveStreamLogThread *aft = SCCalloc(1, sizeof(EveStreamLogThread));

    if (unlikely(aft == NULL))

        return TM_ECODE_FAILED;


    if (initdata == NULL) {

        SCLogDebug("Error getting context for EveLogDrop.  \"initdata\" argument NULL");

        goto error_exit;

    }


    /** Use the Output Context (file pointer and mutex) */

    aft->stream_ctx = ((OutputCtx *)initdata)->data;

    aft->ctx = CreateEveThreadCtx(t, aft->stream_ctx->eve_ctx);

    if (!aft->ctx) {

        goto error_exit;

    }


    *data = (void *)aft;

    return TM_ECODE_OK;


error_exit:

    SCFree(aft);

    return TM_ECODE_FAILED;

}


static TmEcode EveStreamLogThreadDeinit(ThreadVars *t, void *data)

{

    EveStreamLogThread *aft = (EveStreamLogThread *)data;

    if (aft == NULL) {

        return TM_ECODE_OK;

    }


    FreeEveThreadCtx(aft->ctx);


    /* clear memory */

    memset(aft, 0, sizeof(*aft));


    SCFree(aft);

    return TM_ECODE_OK;

}


static void EveStreamOutputCtxFree(EveStreamOutputCtx *ctx)

{

    if (ctx != NULL) {

        SCFree(ctx);

    }

}


static void EveStreamLogDeInitCtxSub(OutputCtx *output_ctx)

{

    OutputDropLoggerDisable();


    EveStreamOutputCtx *ctx = output_ctx->data;

    SCFree(ctx);

    SCLogDebug("cleaning up sub output_ctx %p", output_ctx);

    SCFree(output_ctx);

}


static uint16_t SetFlag(SCConfNode *conf, const char *opt, const uint16_t inflag)

{

    const char *v = SCConfNodeLookupChildValue(conf, opt);

    if (v != NULL && SCConfValIsTrue(v)) {

        return inflag;

    }

    return 0;

}


static OutputInitResult EveStreamLogInitCtxSub(SCConfNode *conf, OutputCtx *parent_ctx)

{

    OutputInitResult result = { NULL, false };

    OutputJsonCtx *ajt = parent_ctx->data;


    EveStreamOutputCtx *ctx = SCCalloc(1, sizeof(*ctx));

    if (ctx == NULL)

        return result;


    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));

    if (unlikely(output_ctx == NULL)) {

        EveStreamOutputCtxFree(ctx);

        return result;

    }


    if (conf) {

        // TODO add all flags


        ctx->trigger_flags |= SetFlag(conf, "event-set", STREAM_PKT_FLAG_EVENTSET);

        ctx->trigger_flags |= SetFlag(conf, "state-update", STREAM_PKT_FLAG_STATE_UPDATE);

        ctx->trigger_flags |=

                SetFlag(conf, "spurious-retransmission", STREAM_PKT_FLAG_SPURIOUS_RETRANSMISSION);

        ctx->trigger_flags |= SetFlag(conf, "tcp-session-reuse", STREAM_PKT_FLAG_TCP_SESSION_REUSE);


        ctx->trigger_flags |= SetFlag(conf, "all", 0xFFFF);

        SCLogDebug("trigger_flags %04x", ctx->trigger_flags);

    }

    ctx->eve_ctx = ajt;


    output_ctx->data = ctx;

    output_ctx->DeInit = EveStreamLogDeInitCtxSub;


    result.ctx = output_ctx;

    result.ok = true;


    SCLogWarning("eve.stream facility is EXPERIMENTAL and can change w/o notice");

    return result;

}


void EveAddFlowTcpStreamFlags(const TcpStream *stream, const char *name, SCJsonBuilder *jb)

{

    SCJbOpenArray(jb, name);

    if (stream->flags & STREAMTCP_STREAM_FLAG_HAS_GAP)

        SCJbAppendString(jb, "has_gap");

    if (stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)

        SCJbAppendString(jb, "noreassembly");

    if (stream->flags & STREAMTCP_STREAM_FLAG_KEEPALIVE)

        SCJbAppendString(jb, "keepalive");

    if (stream->flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED)

        SCJbAppendString(jb, "depth_reached");

    if (stream->flags & STREAMTCP_STREAM_FLAG_TRIGGER_RAW)

        SCJbAppendString(jb, "trigger_raw");

    if (stream->flags & STREAMTCP_STREAM_FLAG_TIMESTAMP)

        SCJbAppendString(jb, "timestamp");

    if (stream->flags & STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP)

        SCJbAppendString(jb, "zero_timestamp");

    if (stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED)

        SCJbAppendString(jb, "appproto_detection_completed");

    if (stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED)

        SCJbAppendString(jb, "appproto_detection_skipped");

    if (stream->flags & STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED)

        SCJbAppendString(jb, "new_raw_disabled");

    if (stream->flags & STREAMTCP_STREAM_FLAG_DISABLE_RAW)

        SCJbAppendString(jb, "disable_raw");

    if (stream->flags & STREAMTCP_STREAM_FLAG_RST_RECV)

        SCJbAppendString(jb, "rst_recv");

    SCJbClose(jb);

}


void EveAddFlowTcpFlags(const TcpSession *ssn, const char *name, SCJsonBuilder *jb)

{

    SCJbOpenObject(jb, "flags");


    SCJbOpenArray(jb, name);

    if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM) {

        SCJbAppendString(jb, "midstream");

    }

    if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED) {

        SCJbAppendString(jb, "midstream_established");

    }

    if (ssn->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK) {

        SCJbAppendString(jb, "midstream_synack");

    }

    if (ssn->flags & STREAMTCP_FLAG_TIMESTAMP) {

        SCJbAppendString(jb, "timestamp");

    }

    if (ssn->flags & STREAMTCP_FLAG_SERVER_WSCALE) {

        SCJbAppendString(jb, "server_wscale");

    }

    if (ssn->flags & STREAMTCP_FLAG_CLOSED_BY_RST) {

        SCJbAppendString(jb, "closed_by_rst");

    }

    if (ssn->flags & STREAMTCP_FLAG_4WHS) {

        SCJbAppendString(jb, "4whs");

    }

    if (ssn->flags & STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT) {

        SCJbAppendString(jb, "detect_evasion_attempt");

    }

    if (ssn->flags & STREAMTCP_FLAG_CLIENT_SACKOK) {

        SCJbAppendString(jb, "client_sackok");

    }

    if (ssn->flags & STREAMTCP_FLAG_CLIENT_SACKOK) {

        SCJbAppendString(jb, "sackok");

    }

    if (ssn->flags & STREAMTCP_FLAG_3WHS_CONFIRMED) {

        SCJbAppendString(jb, "3whs_confirmed");

    }

    if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {

        SCJbAppendString(jb, "app_layer_disabled");

    }

    if (ssn->flags & STREAMTCP_FLAG_BYPASS) {

        SCJbAppendString(jb, "bypass");

    }

    if (ssn->flags & STREAMTCP_FLAG_TCP_FAST_OPEN) {

        SCJbAppendString(jb, "tcp_fast_open");

    }

    if (ssn->flags & STREAMTCP_FLAG_TFO_DATA_IGNORED) {

        SCJbAppendString(jb, "tfo_data_ignored");

    }

    SCJbClose(jb);

    SCJbClose(jb);

}


static void LogStreamSB(const StreamingBuffer *sb, SCJsonBuilder *js)

{

    SCJbSetUint(js, "sb_region_size", sb->region.buf_size);

}


static void LogStream(const TcpStream *stream, SCJsonBuilder *js)

{

    SCJbSetUint(js, "isn", stream->isn);

    SCJbSetUint(js, "next_seq", stream->next_seq);

    SCJbSetUint(js, "last_ack", stream->last_ack);

    SCJbSetUint(js, "next_win", stream->next_win);

    if (!(stream->flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {

        SCJbSetUint(js, "base_seq", stream->base_seq);

        SCJbSetUint(js, "segs_right_edge", stream->segs_right_edge);

    }

    SCJbSetUint(js, "window", stream->window);

    SCJbSetUint(js, "wscale", stream->wscale);


    EveAddFlowTcpStreamFlags(stream, "flags", js);


    TcpSegment *s;

    uint32_t segs = 0;

    RB_FOREACH(s, TCPSEG, (struct TCPSEG *)&stream->seg_tree)

    {

        segs++;

    }

    SCJbSetUint(js, "seg_cnt", segs);

    LogStreamSB(&stream->sb, js);

}


/**

 * \brief   Log the stream packets

 *

 * \param tv    Pointer the current thread variables

 * \param data  Pointer to the EveStreamLogThread struct

 * \param p     Pointer the packet which is being logged

 *

 * \retval 0 on success

 */

static int EveStreamLogger(ThreadVars *tv, void *thread_data, const Packet *p)

{

    EveStreamLogThread *td = thread_data;

    EveStreamOutputCtx *ctx = td->stream_ctx;


    JsonAddrInfo addr = json_addr_info_zero;

    JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);


    SCJsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "stream_tcp", &addr, ctx->eve_ctx);

    if (unlikely(js == NULL))

        return TM_ECODE_OK;


    if (p->flow != NULL) {

        if (p->flowflags & FLOW_PKT_TOSERVER) {

            SCJbSetString(js, "direction", "to_server");

        } else {

            SCJbSetString(js, "direction", "to_client");

        }

    }


    SCJbOpenObject(js, "stream_tcp");

    SCJbOpenObject(js, "packet");


    if (PacketIsIPv4(p)) {

        const IPV4Hdr *ip4h = PacketGetIPv4(p);

        SCJbSetUint(js, "len", IPV4_GET_RAW_IPLEN(ip4h));

        SCJbSetUint(js, "tos", IPV4_GET_RAW_IPTOS(ip4h));

        SCJbSetUint(js, "ttl", IPV4_GET_RAW_IPTTL(ip4h));

        SCJbSetUint(js, "ipid", IPV4_GET_RAW_IPID(ip4h));

    } else if (PacketIsIPv6(p)) {

        const IPV6Hdr *ip6h = PacketGetIPv6(p);

        SCJbSetUint(js, "len", IPV6_GET_RAW_PLEN(ip6h));

        SCJbSetUint(js, "tc", IPV6_GET_RAW_CLASS(ip6h));

        SCJbSetUint(js, "hoplimit", IPV6_GET_RAW_HLIM(ip6h));

        SCJbSetUint(js, "flowlbl", IPV6_GET_RAW_FLOW(ip6h));

    }

    if (PacketIsTCP(p)) {

        const TCPHdr *tcph = PacketGetTCP(p);

        SCJbSetUint(js, "tcpseq", TCP_GET_RAW_SEQ(tcph));

        SCJbSetUint(js, "tcpack", TCP_GET_RAW_ACK(tcph));

        SCJbSetUint(js, "tcpwin", TCP_GET_RAW_WINDOW(tcph));

        SCJbSetBool(js, "syn", TCP_ISSET_FLAG_RAW_SYN(tcph) ? true : false);

        SCJbSetBool(js, "ack", TCP_ISSET_FLAG_RAW_ACK(tcph) ? true : false);

        SCJbSetBool(js, "psh", TCP_ISSET_FLAG_RAW_PUSH(tcph) ? true : false);

        SCJbSetBool(js, "rst", TCP_ISSET_FLAG_RAW_RST(tcph) ? true : false);

        SCJbSetBool(js, "urg", TCP_ISSET_FLAG_RAW_URG(tcph) ? true : false);

        SCJbSetBool(js, "fin", TCP_ISSET_FLAG_RAW_FIN(tcph) ? true : false);

        SCJbSetUint(js, "tcpres", TCP_GET_RAW_X2(tcph));

        SCJbSetUint(js, "tcpurgp", TCP_GET_RAW_URG_POINTER(tcph));


        SCJbOpenArray(js, "flags");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_RETRANSMISSION)

            SCJbAppendString(js, "retransmission");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_SPURIOUS_RETRANSMISSION)

            SCJbAppendString(js, "spurious_retransmission");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_KEEPALIVE)

            SCJbAppendString(js, "keepalive");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_KEEPALIVEACK)

            SCJbAppendString(js, "keepalive_ack");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_WINDOWUPDATE)

            SCJbAppendString(js, "window_update");


        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_EVENTSET)

            SCJbAppendString(js, "event_set");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_STATE_UPDATE)

            SCJbAppendString(js, "state_update");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_DUP_ACK)

            SCJbAppendString(js, "dup_ack");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_DSACK)

            SCJbAppendString(js, "dsack");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_ACK_UNSEEN_DATA)

            SCJbAppendString(js, "ack_unseen_data");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_TCP_SESSION_REUSE)

            SCJbAppendString(js, "tcp_session_reuse");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE)

            SCJbAppendString(js, "zero_window_probe");

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE_ACK)

            SCJbAppendString(js, "zero_window_probe_ack");

        SCJbClose(js);

    }

    SCJbClose(js);


    SCJbOpenObject(js, "session");

    if (p->flow != NULL && p->flow->protoctx != NULL) {

        const TcpSession *ssn = p->flow->protoctx;

        const char *tcp_state = StreamTcpStateAsString(ssn->state);

        if (tcp_state != NULL)

            SCJbSetString(js, "state", tcp_state);

        if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_STATE_UPDATE) {

            const char *tcp_pstate = StreamTcpStateAsString(ssn->pstate);

            if (tcp_pstate != NULL)

                SCJbSetString(js, "pstate", tcp_pstate);

        }

        EveAddFlowTcpFlags(ssn, "flags", js);


        SCJbOpenObject(js, "client");

        LogStream(&ssn->client, js);

        SCJbClose(js);

        SCJbOpenObject(js, "server");

        LogStream(&ssn->server, js);

        SCJbClose(js);

    }

    SCJbClose(js);


    if (p->l4.vars.tcp.stream_pkt_flags & STREAM_PKT_FLAG_EVENTSET) {

        SCJbOpenArray(js, "events");

        for (int i = 0; i < p->events.cnt; i++) {

            uint8_t event_code = p->events.events[i];

            bool is_decode = EVENT_IS_DECODER_PACKET_ERROR(event_code);

            if (is_decode)

                continue;

            if (event_code >= DECODE_EVENT_MAX)

                continue;

            const char *event = DEvents[event_code].event_name;

            if (event == NULL)

                continue;

            SCJbAppendString(js, event);

        }

        SCJbClose(js);

    }


    if (p->drop_reason != 0) {

        const char *str = PacketDropReasonToString(p->drop_reason);

        SCJbSetString(js, "reason", str);

    }


    /* Close stream. */

    SCJbClose(js);


    OutputJsonBuilderBuffer(tv, p, p->flow, js, td->ctx);

    SCJbFree(js);


    return TM_ECODE_OK;

}


/**

 * \brief Check if we need to log this packet

 *

 * \param tv    Pointer the current thread variables

 * \param p     Pointer the packet which is tested

 *

 * \retval bool true or false

 */

static bool EveStreamLogCondition(ThreadVars *tv, void *data, const Packet *p)

{

    EveStreamLogThread *td = data;

    EveStreamOutputCtx *ctx = td->stream_ctx;


    return (p->proto == IPPROTO_TCP &&

            (ctx->trigger_flags == 0xffff ||

                    (p->l4.vars.tcp.stream_pkt_flags & ctx->trigger_flags) != 0));

}


void EveStreamLogRegister(void)

{

    OutputPacketLoggerFunctions output_logger_functions = {

        .LogFunc = EveStreamLogger,

        .FlushFunc = OutputJsonLogFlush,

        .ConditionFunc = EveStreamLogCondition,

        .ThreadInitFunc = EveStreamLogThreadInit,

        .ThreadDeinitFunc = EveStreamLogThreadDeinit,

        .ThreadExitPrintStatsFunc = NULL,

    };


    OutputRegisterPacketSubModule(LOGGER_JSON_STREAM, "eve-log", MODULE_NAME, "eve-log.stream",

            EveStreamLogInitCtxSub, &output_logger_functions);

}


action-globals.h

SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition conf.c:551

SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition conf.c:824

conf.h

DEvents
const struct DecodeEvents_ DEvents[]
Definition decode-events.c:29

EVENT_IS_DECODER_PACKET_ERROR
#define EVENT_IS_DECODER_PACKET_ERROR(e)
Definition decode-events.h:321

DECODE_EVENT_MAX
@ DECODE_EVENT_MAX
Definition decode-events.h:318

decode-ipv4.h

IPV4_GET_RAW_IPTOS
#define IPV4_GET_RAW_IPTOS(ip4h)
Definition decode-ipv4.h:97

IPV4_GET_RAW_IPLEN
#define IPV4_GET_RAW_IPLEN(ip4h)
Definition decode-ipv4.h:98

IPV4_GET_RAW_IPTTL
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition decode-ipv4.h:102

IPV4_GET_RAW_IPID
#define IPV4_GET_RAW_IPID(ip4h)
Definition decode-ipv4.h:99

IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition decode-ipv6.h:66

IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition decode-ipv6.h:67

IPV6_GET_RAW_FLOW
#define IPV6_GET_RAW_FLOW(ip6h)
Definition decode-ipv6.h:64

IPV6_GET_RAW_CLASS
#define IPV6_GET_RAW_CLASS(ip6h)
Definition decode-ipv6.h:63

TCP_GET_RAW_SEQ
#define TCP_GET_RAW_SEQ(tcph)
Definition decode-tcp.h:80

TCP_ISSET_FLAG_RAW_PUSH
#define TCP_ISSET_FLAG_RAW_PUSH(tcph)
Definition decode-tcp.h:122

TCP_ISSET_FLAG_RAW_ACK
#define TCP_ISSET_FLAG_RAW_ACK(tcph)
Definition decode-tcp.h:123

TCP_GET_RAW_ACK
#define TCP_GET_RAW_ACK(tcph)
Definition decode-tcp.h:81

TCP_ISSET_FLAG_RAW_FIN
#define TCP_ISSET_FLAG_RAW_FIN(tcph)
Definition decode-tcp.h:119

TCP_GET_RAW_X2
#define TCP_GET_RAW_X2(tcph)
Definition decode-tcp.h:73

TCP_GET_RAW_URG_POINTER
#define TCP_GET_RAW_URG_POINTER(tcph)
Definition decode-tcp.h:84

TCP_ISSET_FLAG_RAW_RST
#define TCP_ISSET_FLAG_RAW_RST(tcph)
Definition decode-tcp.h:121

TCP_ISSET_FLAG_RAW_SYN
#define TCP_ISSET_FLAG_RAW_SYN(tcph)
Definition decode-tcp.h:120

TCP_GET_RAW_WINDOW
#define TCP_GET_RAW_WINDOW(tcph)
Definition decode-tcp.h:83

TCP_ISSET_FLAG_RAW_URG
#define TCP_ISSET_FLAG_RAW_URG(tcph)
Definition decode-tcp.h:124

detect-engine-mpm.h

detect-engine.h

detect-parse.h

detect-reference.h

detect.h

flow.h

FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233

tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32

PacketDropReasonToString
const char * PacketDropReasonToString(enum PacketDropReason r)
Definition decode.c:903

ctx
struct Thresholds ctx

LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition output-eve-bindgen.h:32

EveAddFlowTcpStreamFlags
void EveAddFlowTcpStreamFlags(const TcpStream *stream, const char *name, SCJsonBuilder *jb)
Definition output-eve-stream.c:177

MODULE_NAME
#define MODULE_NAME
Definition output-eve-stream.c:58

EveAddFlowTcpFlags
void EveAddFlowTcpFlags(const TcpSession *ssn, const char *name, SCJsonBuilder *jb)
Definition output-eve-stream.c:207

EveStreamOutputCtx
struct EveStreamOutputCtx_ EveStreamOutputCtx

EveStreamLogRegister
void EveStreamLogRegister(void)
Definition output-eve-stream.c:453

EveStreamLogThread
struct EveStreamLogThread_ EveStreamLogThread

output-eve-stream.h

OutputJsonLogFlush
int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p)
Definition output-json-common.c:73

CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition output-json-common.c:29

FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition output-json-common.c:58

output-json-flow.h

CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition output-json.c:850

JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition output-json.c:486

json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition output-json.c:81

OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition output-json.c:1015

output-json.h

OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
Definition output.c:234

OutputDropLoggerDisable
void OutputDropLoggerDisable(void)
Definition output.c:680

output.h

packet.h

STREAM_PKT_FLAG_DSACK
#define STREAM_PKT_FLAG_DSACK
Definition stream-tcp-private.h:320

STREAM_PKT_FLAG_RETRANSMISSION
#define STREAM_PKT_FLAG_RETRANSMISSION
Definition stream-tcp-private.h:312

STREAMTCP_STREAM_FLAG_NOREASSEMBLY
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY
Definition stream-tcp-private.h:219

STREAMTCP_STREAM_FLAG_TIMESTAMP
#define STREAMTCP_STREAM_FLAG_TIMESTAMP
Definition stream-tcp-private.h:228

STREAMTCP_STREAM_FLAG_DISABLE_RAW
#define STREAMTCP_STREAM_FLAG_DISABLE_RAW
Definition stream-tcp-private.h:238

STREAMTCP_FLAG_CLOSED_BY_RST
#define STREAMTCP_FLAG_CLOSED_BY_RST
Definition stream-tcp-private.h:180

STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE
#define STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE
Definition stream-tcp-private.h:323

STREAMTCP_FLAG_BYPASS
#define STREAMTCP_FLAG_BYPASS
Definition stream-tcp-private.h:203

STREAMTCP_FLAG_SERVER_WSCALE
#define STREAMTCP_FLAG_SERVER_WSCALE
Definition stream-tcp-private.h:178

STREAM_PKT_FLAG_DUP_ACK
#define STREAM_PKT_FLAG_DUP_ACK
Definition stream-tcp-private.h:319

STREAM_PKT_FLAG_SPURIOUS_RETRANSMISSION
#define STREAM_PKT_FLAG_SPURIOUS_RETRANSMISSION
Definition stream-tcp-private.h:313

STREAM_PKT_FLAG_WINDOWUPDATE
#define STREAM_PKT_FLAG_WINDOWUPDATE
Definition stream-tcp-private.h:317

STREAMTCP_FLAG_TFO_DATA_IGNORED
#define STREAMTCP_FLAG_TFO_DATA_IGNORED
Definition stream-tcp-private.h:207

STREAMTCP_STREAM_FLAG_TRIGGER_RAW
#define STREAMTCP_STREAM_FLAG_TRIGGER_RAW
Definition stream-tcp-private.h:225

STREAM_PKT_FLAG_STATE_UPDATE
#define STREAM_PKT_FLAG_STATE_UPDATE
Definition stream-tcp-private.h:314

STREAM_PKT_FLAG_EVENTSET
#define STREAM_PKT_FLAG_EVENTSET
Definition stream-tcp-private.h:318

STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE_ACK
#define STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE_ACK
Definition stream-tcp-private.h:324

STREAM_PKT_FLAG_ACK_UNSEEN_DATA
#define STREAM_PKT_FLAG_ACK_UNSEEN_DATA
Definition stream-tcp-private.h:321

STREAMTCP_FLAG_MIDSTREAM
#define STREAMTCP_FLAG_MIDSTREAM
Definition stream-tcp-private.h:170

STREAMTCP_FLAG_TCP_FAST_OPEN
#define STREAMTCP_FLAG_TCP_FAST_OPEN
Definition stream-tcp-private.h:205

STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT
#define STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT
Definition stream-tcp-private.h:188

STREAMTCP_FLAG_3WHS_CONFIRMED
#define STREAMTCP_FLAG_3WHS_CONFIRMED
Definition stream-tcp-private.h:199

STREAM_PKT_FLAG_KEEPALIVEACK
#define STREAM_PKT_FLAG_KEEPALIVEACK
Definition stream-tcp-private.h:316

STREAMTCP_FLAG_4WHS
#define STREAMTCP_FLAG_4WHS
Definition stream-tcp-private.h:185

STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED
Definition stream-tcp-private.h:234

STREAMTCP_FLAG_TIMESTAMP
#define STREAMTCP_FLAG_TIMESTAMP
Definition stream-tcp-private.h:176

STREAMTCP_STREAM_FLAG_KEEPALIVE
#define STREAMTCP_STREAM_FLAG_KEEPALIVE
Definition stream-tcp-private.h:221

STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED
#define STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED
Definition stream-tcp-private.h:236

STREAMTCP_FLAG_MIDSTREAM_SYNACK
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK
Definition stream-tcp-private.h:174

STREAMTCP_STREAM_FLAG_RST_RECV
#define STREAMTCP_STREAM_FLAG_RST_RECV
Definition stream-tcp-private.h:240

STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP
#define STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP
Definition stream-tcp-private.h:230

STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED
#define STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED
Definition stream-tcp-private.h:172

STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
Definition stream-tcp-private.h:232

STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition stream-tcp-private.h:201

STREAMTCP_STREAM_FLAG_HAS_GAP
#define STREAMTCP_STREAM_FLAG_HAS_GAP
Definition stream-tcp-private.h:217

STREAM_PKT_FLAG_KEEPALIVE
#define STREAM_PKT_FLAG_KEEPALIVE
Definition stream-tcp-private.h:315

STREAMTCP_FLAG_CLIENT_SACKOK
#define STREAMTCP_FLAG_CLIENT_SACKOK
Definition stream-tcp-private.h:190

STREAM_PKT_FLAG_TCP_SESSION_REUSE
#define STREAM_PKT_FLAG_TCP_SESSION_REUSE
Definition stream-tcp-private.h:322

STREAMTCP_STREAM_FLAG_DEPTH_REACHED
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Definition stream-tcp-private.h:223

StreamTcpStateAsString
const char * StreamTcpStateAsString(const enum TcpState state)
Definition stream-tcp.c:7112

stream-tcp.h

DecodeEvents_::event_name
const char * event_name
Definition decode-events.h:327

EveStreamLogThread_
Definition output-eve-stream.c:65

EveStreamLogThread_::stream_ctx
EveStreamOutputCtx * stream_ctx
Definition output-eve-stream.c:66

EveStreamLogThread_::ctx
OutputJsonThreadCtx * ctx
Definition output-eve-stream.c:67

EveStreamOutputCtx_
Definition output-eve-stream.c:60

EveStreamOutputCtx_::eve_ctx
OutputJsonCtx * eve_ctx
Definition output-eve-stream.c:62

EveStreamOutputCtx_::trigger_flags
uint16_t trigger_flags
Definition output-eve-stream.c:61

Flow_::protoctx
void * protoctx
Definition flow.h:441

IPV4Hdr_
Definition decode-ipv4.h:72

IPV6Hdr_
Definition decode-ipv6.h:32

JsonAddrInfo_
Definition output-json.h:41

OutputCtx_
Definition tm-modules.h:88

OutputCtx_::data
void * data
Definition tm-modules.h:91

OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition tm-modules.h:94

OutputInitResult_
Definition output.h:46

OutputInitResult_::ok
bool ok
Definition output.h:48

OutputInitResult_::ctx
OutputCtx * ctx
Definition output.h:47

OutputJsonCtx_
Definition output-json.h:75

OutputJsonThreadCtx_
Definition output-json.h:83

OutputPacketLoggerFunctions_
Definition output.h:87

OutputPacketLoggerFunctions_::LogFunc
PacketLogger LogFunc
Definition output.h:88

PacketEngineEvents_::events
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition decode.h:308

PacketEngineEvents_::cnt
uint8_t cnt
Definition decode.h:307

PacketL4::vars
union PacketL4::L4Vars vars

Packet_
Definition decode.h:501

Packet_::l4
struct PacketL4 l4
Definition decode.h:601

Packet_::flowflags
uint8_t flowflags
Definition decode.h:532

Packet_::drop_reason
uint8_t drop_reason
Definition decode.h:647

Packet_::flow
struct Flow_ * flow
Definition decode.h:546

Packet_::events
PacketEngineEvents events
Definition decode.h:630

Packet_::proto
uint8_t proto
Definition decode.h:523

SCConfNode_
Definition conf.h:37

StreamingBufferRegion_::buf_size
uint32_t buf_size
Definition util-streaming-buffer.h:86

StreamingBuffer_
Definition util-streaming-buffer.h:108

StreamingBuffer_::region
StreamingBufferRegion region
Definition util-streaming-buffer.h:109

TCPHdr_
Definition decode-tcp.h:149

TCPVars_::stream_pkt_flags
uint16_t stream_pkt_flags
Definition decode-tcp.h:175

TcpSegment
Definition stream-tcp-private.h:72

TcpSession_
Definition stream-tcp-private.h:283

TcpSession_::state
uint8_t state
Definition stream-tcp-private.h:285

TcpSession_::server
TcpStream server
Definition stream-tcp-private.h:296

TcpSession_::client
TcpStream client
Definition stream-tcp-private.h:297

TcpSession_::flags
uint32_t flags
Definition stream-tcp-private.h:294

TcpSession_::pstate
uint8_t pstate
Definition stream-tcp-private.h:286

TcpStream_
Definition stream-tcp-private.h:106

TcpStream_::base_seq
uint32_t base_seq
Definition stream-tcp-private.h:124

TcpStream_::wscale
uint16_t wscale
Definition stream-tcp-private.h:109

TcpStream_::window
uint32_t window
Definition stream-tcp-private.h:117

TcpStream_::sb
StreamingBuffer sb
Definition stream-tcp-private.h:135

TcpStream_::next_seq
uint32_t next_seq
Definition stream-tcp-private.h:114

TcpStream_::seg_tree
struct TCPSEG seg_tree
Definition stream-tcp-private.h:136

TcpStream_::segs_right_edge
uint32_t segs_right_edge
Definition stream-tcp-private.h:137

TcpStream_::next_win
uint32_t next_win
Definition stream-tcp-private.h:116

TcpStream_::isn
uint32_t isn
Definition stream-tcp-private.h:113

TcpStream_::flags
uint16_t flags
Definition stream-tcp-private.h:107

TcpStream_::last_ack
uint32_t last_ack
Definition stream-tcp-private.h:115

ThreadVars_
Per thread variable structure.
Definition threadvars.h:58

suricata-common.h

LOGGER_JSON_STREAM
@ LOGGER_JSON_STREAM
Definition suricata-common.h:510

str
#define str(s)
Definition suricata-common.h:308

threads.h

threadvars.h

TmEcode
TmEcode
Definition tm-threads-common.h:80

TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition tm-threads-common.h:82

TM_ECODE_OK
@ TM_ECODE_OK
Definition tm-threads-common.h:81

name
const char * name
Definition tm-threads.c:2163

tm-threads.h

RB_FOREACH
#define RB_FOREACH(x, name, head)
Definition tree.h:781

PacketL4::L4Vars::tcp
TCPVars tcp
Definition decode.h:478

util-buffer.h

util-classification-config.h

util-debug.h

SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275

SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition util-debug.h:255

util-logopenfile.h

SCFree
#define SCFree(p)
Definition util-mem.h:61

SCCalloc
#define SCCalloc(nm, sz)
Definition util-mem.h:53

unlikely
#define unlikely(expr)
Definition util-optimize.h:35

util-print.h

util-privs.h

util-proto-name.h

util-time.h

util-unittest-helper.h

util-unittest.h