suricata
output-json-anomaly.c
Go to the documentation of this file.
1/* Copyright (C) 2019-2021 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Jeff Lucovsky <jeff@lucovsky.org>
22 *
23 * Logs anomalies in JSON format.
24 *
25 */
26
27#include "suricata-common.h"
28#include "detect.h"
29#include "flow.h"
30#include "conf.h"
31#include "app-layer.h"
32#include "app-layer-events.h"
33#include "app-layer-parser.h"
34
35#include "threads.h"
36#include "tm-threads.h"
37#include "threadvars.h"
38#include "util-debug.h"
39
40#include "util-misc.h"
41
42#include "detect-parse.h"
43#include "detect-engine.h"
44#include "util-logopenfile.h"
45
46#include "output.h"
47#include "output-json.h"
48#include "output-json-anomaly.h"
49
50#include "util-byte.h"
51#include "util-enum.h"
52#include "util-privs.h"
53#include "util-print.h"
54#include "util-proto-name.h"
55#include "util-optimize.h"
56#include "util-buffer.h"
57#include "util-validate.h"
58
59#define MODULE_NAME "JsonAnomalyLog"
60
61#define ANOMALY_EVENT_TYPE "anomaly"
62#define LOG_JSON_DECODE_TYPE BIT_U16(0)
63#define LOG_JSON_STREAM_TYPE BIT_U16(1)
64#define LOG_JSON_APPLAYER_TYPE BIT_U16(2)
65#define LOG_JSON_PACKETHDR BIT_U16(3)
66
67#define LOG_JSON_PACKET_TYPE (LOG_JSON_DECODE_TYPE | LOG_JSON_STREAM_TYPE)
68#define ANOMALY_DEFAULTS LOG_JSON_APPLAYER_TYPE
69
70#define TX_ID_UNUSED UINT64_MAX
71
76
81
82/*
83 * Restrict the anomaly logger count due to decoder state maintenance issues
84 */
85
86#define MAX_ANOMALY_LOGGERS 1
87static int anomaly_loggers = 0;
88static bool OutputAnomalyLoggerEnable(void)
89{
90 if (anomaly_loggers < MAX_ANOMALY_LOGGERS) {
91 anomaly_loggers++;
92 return true;
93 }
94 return false;
95}
96
97static void OutputAnomalyLoggerDisable(void)
98{
99 if (anomaly_loggers)
100 anomaly_loggers--;
101}
102
103static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
104 const Packet *p)
105{
106 const uint16_t log_type = aft->json_output_ctx->flags;
107 const bool log_stream = log_type & LOG_JSON_STREAM_TYPE;
108 const bool log_decode = log_type & LOG_JSON_DECODE_TYPE;
109
110 for (int i = 0; i < p->events.cnt; i++) {
111 uint8_t event_code = p->events.events[i];
112 bool is_decode = EVENT_IS_DECODER_PACKET_ERROR(event_code);
113 if (is_decode && !log_decode)
114 continue;
115 if (!is_decode && !log_stream)
116 continue;
117
118 SCJsonBuilder *js = CreateEveHeader(
120 if (unlikely(js == NULL)) {
121 return TM_ECODE_OK;
122 }
123
124 SCJbOpenObject(js, ANOMALY_EVENT_TYPE);
125
126 if (event_code < DECODE_EVENT_MAX) {
127 const char *event = DEvents[event_code].event_name;
128 if (EVENT_IS_DECODER_PACKET_ERROR(event_code)) {
129 JB_SET_STRING(js, "type", "decode");
130 } else {
131 JB_SET_STRING(js, "type", "stream");
132 }
133 SCJbSetString(js, "event", event);
134 } else {
135 JB_SET_STRING(js, "type", "unknown");
136 SCJbSetUint(js, "code", event_code);
137 }
138
139 /* Close anomaly object. */
140 SCJbClose(js);
141
143 EvePacket(p, js, GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
144 }
145
146 OutputJsonBuilderBuffer(tv, p, p->flow, js, aft->ctx);
147 SCJbFree(js);
148 }
149
150 return TM_ECODE_OK;
151}
152
153static int AnomalyAppLayerDecoderEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
154 const Packet *p, AppLayerDecoderEvents *decoder_events, bool is_pktlayer, const char *layer,
155 uint64_t tx_id)
156{
157 const char *alprotoname = AppLayerGetProtoName(p->flow->alproto);
158
159 SCLogDebug("decoder_events %p event_count %d (last logged %d) %s",
160 decoder_events, decoder_events->cnt,
161 decoder_events->event_last_logged,
162 tx_id != TX_ID_UNUSED ? "tx" : "no-tx");
163
164 for (int i = decoder_events->event_last_logged; i < decoder_events->cnt; i++) {
165 SCJsonBuilder *js;
166 if (tx_id != TX_ID_UNUSED) {
169 } else {
170 js = CreateEveHeader(
172 }
173 if (unlikely(js == NULL)) {
174 return TM_ECODE_OK;
175 }
176
177 SCJbOpenObject(js, ANOMALY_EVENT_TYPE);
178
179 SCJbSetString(js, "app_proto", alprotoname);
180
181 const char *event_name = NULL;
182 uint8_t event_code = decoder_events->events[i];
183 AppLayerEventType event_type;
184 int r;
185 if (is_pktlayer) {
186 r = AppLayerGetEventInfoById(event_code, &event_name, &event_type);
187 } else {
189 event_code, &event_name, &event_type);
190 }
191 if (r == 0) {
192 JB_SET_STRING(js, "type", "applayer");
193 SCJbSetString(js, "event", event_name);
194 } else {
195 JB_SET_STRING(js, "type", "unknown");
196 SCJbSetUint(js, "code", event_code);
197 }
198
199 SCJbSetString(js, "layer", layer);
200
201 /* anomaly */
202 SCJbClose(js);
203 OutputJsonBuilderBuffer(tv, p, p->flow, js, aft->ctx);
204 SCJbFree(js);
205
206 /* Current implementation assumes a single owner for this value */
207 decoder_events->event_last_logged++;
208 }
209
210 return TM_ECODE_OK;
211}
212
213static int JsonAnomalyTxLogger(ThreadVars *tv, void *thread_data, const Packet *p,
214 Flow *f, void *state, void *tx, uint64_t tx_id)
215{
216 JsonAnomalyLogThread *aft = thread_data;
218 return TM_ECODE_OK;
219 }
220
221 AppLayerDecoderEvents *decoder_events;
222 decoder_events = AppLayerParserGetEventsByTx(f->proto, f->alproto, tx);
223 if (decoder_events && decoder_events->event_last_logged < decoder_events->cnt) {
224 SCLogDebug("state %p, tx: %p, tx_id: %"PRIu64, state, tx, tx_id);
225 AnomalyAppLayerDecoderEventJson(tv, aft, p, decoder_events, false, "proto_parser", tx_id);
226 }
227 return TM_ECODE_OK;
228}
229
230static inline bool AnomalyHasParserEvents(const Packet *p)
231{
232 return (p->flow && p->flow->alparser &&
234}
235
236static inline bool AnomalyHasPacketAppLayerEvents(const Packet *p)
237{
238 return p->app_layer_events && p->app_layer_events->cnt;
239}
240
241static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
242{
243 int rc = TM_ECODE_OK;
244
245 /* decode or stream */
247 if (p->events.cnt) {
248 rc = AnomalyDecodeEventJson(tv, aft, p);
249 }
250 }
251
252 /* applayer */
254 /* app layer proto detect events */
255 if (rc == TM_ECODE_OK && AnomalyHasPacketAppLayerEvents(p)) {
256 rc = AnomalyAppLayerDecoderEventJson(
257 tv, aft, p, p->app_layer_events, true, "proto_detect", TX_ID_UNUSED);
258 }
259
260 /* parser state events */
261 if (rc == TM_ECODE_OK && AnomalyHasParserEvents(p)) {
262 SCLogDebug("Checking for anomaly events; alproto %d", p->flow->alproto);
264 if (parser_events && (parser_events->event_last_logged < parser_events->cnt)) {
265 rc = AnomalyAppLayerDecoderEventJson(
266 tv, aft, p, parser_events, false, "parser", TX_ID_UNUSED);
267 }
268 }
269 }
270
271 return rc;
272}
273
274static int JsonAnomalyFlush(ThreadVars *tv, void *thread_data, const Packet *p)
275{
276 JsonAnomalyLogThread *aft = thread_data;
277 SCLogDebug("%s flushing %s", tv->name, ((LogFileCtx *)(aft->ctx->file_ctx))->filename);
278 OutputJsonFlush(aft->ctx);
279 return 0;
280}
281
282static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
283{
284 JsonAnomalyLogThread *aft = thread_data;
285 return AnomalyJson(tv, aft, p);
286}
287
288static bool JsonAnomalyLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
289{
290 return p->events.cnt > 0 ||
291 (p->app_layer_events && p->app_layer_events->cnt > 0) ||
292 AnomalyHasParserEvents(p);
293}
294
295static TmEcode JsonAnomalyLogThreadInit(ThreadVars *t, const void *initdata, void **data)
296{
298 if (unlikely(aft == NULL)) {
299 return TM_ECODE_FAILED;
300 }
301
302 if (initdata == NULL) {
303 SCLogDebug("Error getting context for EveLogAnomaly. \"initdata\" argument NULL");
304 goto error_exit;
305 }
306
307 /** Use the Output Context (file pointer and mutex) */
308 AnomalyJsonOutputCtx *json_output_ctx = ((OutputCtx *)initdata)->data;
309
310 aft->ctx = CreateEveThreadCtx(t, json_output_ctx->eve_ctx);
311 if (!aft->ctx) {
312 goto error_exit;
313 }
314 aft->json_output_ctx = json_output_ctx;
315
316 *data = (void *)aft;
317 return TM_ECODE_OK;
318
319error_exit:
320 SCFree(aft);
321 return TM_ECODE_FAILED;
322}
323
324static TmEcode JsonAnomalyLogThreadDeinit(ThreadVars *t, void *data)
325{
327 if (aft == NULL) {
328 return TM_ECODE_OK;
329 }
330
331 FreeEveThreadCtx(aft->ctx);
332
333 /* clear memory */
334 memset(aft, 0, sizeof(JsonAnomalyLogThread));
335
336 SCFree(aft);
337 return TM_ECODE_OK;
338}
339
340static void JsonAnomalyLogDeInitCtxSubHelper(OutputCtx *output_ctx)
341{
342 SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
343
344 AnomalyJsonOutputCtx *json_output_ctx = (AnomalyJsonOutputCtx *) output_ctx->data;
345
346 if (json_output_ctx != NULL) {
347 SCFree(json_output_ctx);
348 }
349 SCFree(output_ctx);
350}
351
352static void JsonAnomalyLogDeInitCtxSub(OutputCtx *output_ctx)
353{
354 OutputAnomalyLoggerDisable();
355
356 JsonAnomalyLogDeInitCtxSubHelper(output_ctx);
357}
358
359static void SetFlag(const SCConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
360{
361 DEBUG_VALIDATE_BUG_ON(conf == NULL);
362 const char *setting = SCConfNodeLookupChildValue(conf, name);
363 if (setting != NULL) {
364 if (SCConfValIsTrue(setting)) {
365 *out_flags |= flag;
366 } else {
367 *out_flags &= ~flag;
368 }
369 }
370}
371
372static void JsonAnomalyLogConf(AnomalyJsonOutputCtx *json_output_ctx, SCConfNode *conf)
373{
374 static bool warn_no_flags = false;
375 static bool warn_no_packet = false;
376 uint16_t flags = ANOMALY_DEFAULTS;
377 if (conf != NULL) {
378 /* Check for metadata to enable/disable. */
379 SCConfNode *typeconf = SCConfNodeLookupChild(conf, "types");
380 if (typeconf != NULL) {
381 SetFlag(typeconf, "applayer", LOG_JSON_APPLAYER_TYPE, &flags);
382 SetFlag(typeconf, "stream", LOG_JSON_STREAM_TYPE, &flags);
383 SetFlag(typeconf, "decode", LOG_JSON_DECODE_TYPE, &flags);
384 }
385 SetFlag(conf, "packethdr", LOG_JSON_PACKETHDR, &flags);
386 }
387 if (((flags & (LOG_JSON_DECODE_TYPE | LOG_JSON_PACKETHDR)) == LOG_JSON_PACKETHDR) && !warn_no_packet) {
388 SCLogWarning("Anomaly logging configured to include packet headers, however decode "
389 "type logging has not been selected. Packet headers will not be logged.");
390 warn_no_packet = true;
391 flags &= ~LOG_JSON_PACKETHDR;
392 }
393
394 if (flags == 0 && !warn_no_flags) {
395 SCLogWarning("Anomaly logging has been configured; however, no logging types "
396 "have been selected. Select one or more logging types.");
397 warn_no_flags = true;
398 }
399 json_output_ctx->flags |= flags;
400}
401
402static OutputInitResult JsonAnomalyLogInitCtxHelper(SCConfNode *conf, OutputCtx *parent_ctx)
403{
404 OutputInitResult result = { NULL, false };
405 OutputJsonCtx *ajt = parent_ctx->data;
406 AnomalyJsonOutputCtx *json_output_ctx = NULL;
407
408 OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
409 if (unlikely(output_ctx == NULL))
410 return result;
411
412 json_output_ctx = SCCalloc(1, sizeof(AnomalyJsonOutputCtx));
413 if (unlikely(json_output_ctx == NULL)) {
414 goto error;
415 }
416
417 JsonAnomalyLogConf(json_output_ctx, conf);
418 json_output_ctx->eve_ctx = ajt;
419
420 output_ctx->data = json_output_ctx;
421 output_ctx->DeInit = JsonAnomalyLogDeInitCtxSubHelper;
422
423 result.ctx = output_ctx;
424 result.ok = true;
425 return result;
426
427error:
428 SCFree(output_ctx);
429
430 return result;
431}
432
433/**
434 * \brief Create a new LogFileCtx for "fast" output style.
435 * \param conf The configuration node for this output.
436 * \return A LogFileCtx pointer on success, NULL on failure.
437 */
438static OutputInitResult JsonAnomalyLogInitCtxSub(SCConfNode *conf, OutputCtx *parent_ctx)
439{
440
441 if (!OutputAnomalyLoggerEnable()) {
442 OutputInitResult result = { NULL, false };
443 SCLogError("only one 'anomaly' logger "
444 "can be enabled");
445 return result;
446 }
447
448 OutputInitResult result = JsonAnomalyLogInitCtxHelper(conf, parent_ctx);
449 if (result.ok) {
450 result.ctx->DeInit = JsonAnomalyLogDeInitCtxSub;
451 }
452
453 return result;
454}
455
457{
458 OutputPacketLoggerFunctions output_logger_functions = {
459 .LogFunc = JsonAnomalyLogger,
460 .FlushFunc = JsonAnomalyFlush,
461 .ConditionFunc = JsonAnomalyLogCondition,
462 .ThreadInitFunc = JsonAnomalyLogThreadInit,
463 .ThreadDeinitFunc = JsonAnomalyLogThreadDeinit,
464 .ThreadExitPrintStatsFunc = NULL,
465 };
466
468 JsonAnomalyLogInitCtxSub, &output_logger_functions);
469
470 OutputRegisterTxSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME, "eve-log.anomaly",
471 JsonAnomalyLogInitCtxHelper, ALPROTO_UNKNOWN, JsonAnomalyTxLogger,
472 JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit);
473}
int AppLayerGetEventInfoById(uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate)
AppLayerDecoderEvents * AppLayerParserGetDecoderEvents(AppLayerParserState *pstate)
int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, uint8_t event_id, const char **event_name, AppLayerEventType *event_type)
AppLayerDecoderEvents * AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx)
enum AppLayerEventType AppLayerEventType
@ ALPROTO_UNKNOWN
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition app-layer.c:1009
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition conf.c:796
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition conf.c:551
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition conf.c:824
const struct DecodeEvents_ DEvents[]
#define EVENT_IS_DECODER_PACKET_ERROR(e)
@ DECODE_EVENT_MAX
uint8_t flags
Definition decode-gre.h:0
#define GET_PKT_LEN(p)
Definition decode.h:208
ThreadVars * tv
@ LOG_DIR_PACKET
#define LOG_JSON_DECODE_TYPE
struct JsonAnomalyLogThread_ JsonAnomalyLogThread
#define MODULE_NAME
struct AnomalyJsonOutputCtx_ AnomalyJsonOutputCtx
#define LOG_JSON_PACKETHDR
#define LOG_JSON_STREAM_TYPE
#define ANOMALY_DEFAULTS
#define LOG_JSON_PACKET_TYPE
#define MAX_ANOMALY_LOGGERS
void JsonAnomalyLogRegister(void)
#define ANOMALY_EVENT_TYPE
#define TX_ID_UNUSED
#define LOG_JSON_APPLAYER_TYPE
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
Definition output.c:234
void OutputRegisterTxSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit)
Definition output.c:406
#define JB_SET_STRING(jb, key, val)
Definition rust.h:26
Data structure to store app layer decoder events.
const char * event_name
Flow data structure.
Definition flow.h:356
uint8_t proto
Definition flow.h:378
AppProto alproto
application level protocol
Definition flow.h:450
AppLayerParserState * alparser
Definition flow.h:478
OutputJsonThreadCtx * ctx
AnomalyJsonOutputCtx * json_output_ctx
void * data
Definition tm-modules.h:91
void(* DeInit)(struct OutputCtx_ *)
Definition tm-modules.h:94
OutputCtx * ctx
Definition output.h:47
LogFileCtx * file_ctx
Definition output-json.h:85
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition decode.h:308
struct Flow_ * flow
Definition decode.h:546
AppLayerDecoderEvents * app_layer_events
Definition decode.h:632
PacketEngineEvents events
Definition decode.h:630
Per thread variable structure.
Definition threadvars.h:58
char name[16]
Definition threadvars.h:65
@ LOGGER_JSON_ANOMALY
@ TM_ECODE_FAILED
@ TM_ECODE_OK
const char * name
#define SCLogDebug(...)
Definition util-debug.h:275
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition util-debug.h:255
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267
#define SCFree(p)
Definition util-mem.h:61
#define SCCalloc(nm, sz)
Definition util-mem.h:53
#define unlikely(expr)
#define DEBUG_VALIDATE_BUG_ON(exp)