suricata
output-json-arp.c
Go to the documentation of this file.
1/* Copyright (C) 2024 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Giuseppe Longo <giuseppe@glongo.it>
22 *
23 * Implement JSON/eve logging for ARP Protocol.
24 */
25
26#include "suricata-common.h"
27#include "detect.h"
28#include "flow.h"
29#include "conf.h"
30
31#include "threads.h"
32#include "tm-threads.h"
33#include "threadvars.h"
34#include "util-debug.h"
35
36#include "decode-ipv4.h"
37#include "detect-parse.h"
38#include "detect-engine.h"
39#include "detect-reference.h"
40
41#include "output.h"
42#include "output-json.h"
43#include "output-json-arp.h"
44
45#include "util-classification-config.h"
46#include "util-privs.h"
47#include "util-print.h"
48#include "util-proto-name.h"
49#include "util-logopenfile.h"
50#include "util-time.h"
51#include "util-buffer.h"
52
53static const char *OpcodeToString(uint16_t opcode)
54{
55 switch (opcode) {
56 case 1:
57 return "request";
58 case 2:
59 return "reply";
60 case 3:
61 return "request_reverse";
62 case 4:
63 return "reply_reverse";
64 default:
65 return "unknown";
66 }
67}
68
69static int JsonArpLogger(ThreadVars *tv, void *thread_data, const Packet *p)
70{
71 OutputJsonThreadCtx *thread = thread_data;
72 char srcip[JSON_ADDR_LEN] = "";
73 char dstip[JSON_ADDR_LEN] = "";
74 const ARPHdr *arph = PacketGetARP(p);
75
76 SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "arp", NULL, thread->ctx);
77 if (unlikely(jb == NULL)) {
78 return TM_ECODE_OK;
79 }
80
81 PrintInet(AF_INET, arph->source_ip, srcip, sizeof(srcip));
82 PrintInet(AF_INET, arph->dest_ip, dstip, sizeof(dstip));
83
84 SCJbOpenObject(jb, "arp");
85 JB_SET_STRING(jb, "hw_type", "ethernet");
86 JB_SET_STRING(jb, "proto_type", "ipv4");
87 SCJbSetString(jb, "opcode", OpcodeToString(ntohs(arph->opcode)));
88 JSONFormatAndAddMACAddr(jb, "src_mac", arph->source_mac, false);
89 SCJbSetString(jb, "src_ip", srcip);
90 JSONFormatAndAddMACAddr(jb, "dest_mac", arph->dest_mac, false);
91 SCJbSetString(jb, "dest_ip", dstip);
92 SCJbClose(jb); /* arp */
93 OutputJsonBuilderBuffer(tv, p, p->flow, jb, thread);
94 SCJbFree(jb);
95
96 return TM_ECODE_OK;
97}
98
99static bool JsonArpLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
100{
101 return PacketIsARP(p);
102}
103
104void JsonArpLogRegister(void)
105{
106 OutputPacketLoggerFunctions output_logger_functions = {
107 .LogFunc = JsonArpLogger,
108 .FlushFunc = NULL,
109 .ConditionFunc = JsonArpLogCondition,
110 .ThreadInitFunc = JsonLogThreadInit,
111 .ThreadDeinitFunc = JsonLogThreadDeinit,
112 .ThreadExitPrintStatsFunc = NULL,
113 };
114
115 OutputRegisterPacketSubModule(LOGGER_JSON_ARP, "eve-log", "JsonArpLog", "eve-log.arp",
116 OutputJsonLogInitSub, &output_logger_functions);
117
118 SCLogDebug("ARP JSON logger registered.");
119}
opcode
uint16_t opcode
Definition decode-arp.h:4
tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition output-eve-bindgen.h:32
JsonArpLogRegister
void JsonArpLogRegister(void)
Definition output-json-arp.c:104
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx)
Definition output-json-common.c:82
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition output-json-common.c:99
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition output-json-common.c:132
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition output-json.c:850
JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition output-json.c:728
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition output-json.c:1015
JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition output-json.h:37
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
Definition output.c:234
JB_SET_STRING
#define JB_SET_STRING(jb, key, val)
Definition rust.h:26
OutputJsonThreadCtx_
Definition output-json.h:83
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition output-json.h:84
OutputPacketLoggerFunctions_
Definition output.h:87
OutputPacketLoggerFunctions_::LogFunc
PacketLogger LogFunc
Definition output.h:88
Packet_
Definition decode.h:501
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
LOGGER_JSON_ARP
@ LOGGER_JSON_ARP
Definition suricata-common.h:511
TM_ECODE_OK
@ TM_ECODE_OK
Definition tm-threads-common.h:81
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
unlikely
#define unlikely(expr)
Definition util-optimize.h:35
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition util-print.c:231