/* Bit flags for the 64-bit logger flags word (dnslog_ctx->flags; the
 * (uint64_t) cast in LOG_ALL_RRTYPES below fixes the width). BIT_U64() is
 * defined elsewhere; presumably it yields a uint64_t with only bit n set --
 * confirm against its definition before relying on the 63-bit budget. */

/* Transaction selectors: the config parser clears these individually
 * (flags &= ~LOG_QUERIES / ~LOG_ANSWERS) when the matching option is off. */
#define LOG_QUERIES BIT_U64(0)
#define LOG_ANSWERS BIT_U64(1)

/* One bit per RR type. The bit position is an allocation order, NOT the
 * DNS type code, so new types are appended at the next free bit
 * (see LOG_HTTPS at bit 62, placed after the format flags). */
#define LOG_A BIT_U64(2)
#define LOG_NS BIT_U64(3)
#define LOG_MD BIT_U64(4)
#define LOG_MF BIT_U64(5)
#define LOG_CNAME BIT_U64(6)
#define LOG_SOA BIT_U64(7)
#define LOG_MB BIT_U64(8)
#define LOG_MG BIT_U64(9)
#define LOG_MR BIT_U64(10)
#define LOG_NULL BIT_U64(11)
#define LOG_WKS BIT_U64(12)
#define LOG_PTR BIT_U64(13)
#define LOG_HINFO BIT_U64(14)
#define LOG_MINFO BIT_U64(15)
#define LOG_MX BIT_U64(16)
#define LOG_TXT BIT_U64(17)
#define LOG_RP BIT_U64(18)
#define LOG_AFSDB BIT_U64(19)
#define LOG_X25 BIT_U64(20)
#define LOG_ISDN BIT_U64(21)
#define LOG_RT BIT_U64(22)
#define LOG_NSAP BIT_U64(23)
#define LOG_NSAPPTR BIT_U64(24)
#define LOG_SIG BIT_U64(25)
#define LOG_KEY BIT_U64(26)
#define LOG_PX BIT_U64(27)
#define LOG_GPOS BIT_U64(28)
#define LOG_AAAA BIT_U64(29)
#define LOG_LOC BIT_U64(30)
#define LOG_NXT BIT_U64(31)
#define LOG_SRV BIT_U64(32)
#define LOG_ATMA BIT_U64(33)
#define LOG_NAPTR BIT_U64(34)
#define LOG_KX BIT_U64(35)
#define LOG_CERT BIT_U64(36)
#define LOG_A6 BIT_U64(37)
#define LOG_DNAME BIT_U64(38)
#define LOG_OPT BIT_U64(39)
#define LOG_APL BIT_U64(40)
#define LOG_DS BIT_U64(41)
#define LOG_SSHFP BIT_U64(42)
#define LOG_IPSECKEY BIT_U64(43)
#define LOG_RRSIG BIT_U64(44)
#define LOG_NSEC BIT_U64(45)
#define LOG_DNSKEY BIT_U64(46)
#define LOG_DHCID BIT_U64(47)
#define LOG_NSEC3 BIT_U64(48)
#define LOG_NSEC3PARAM BIT_U64(49)
#define LOG_TLSA BIT_U64(50)
#define LOG_HIP BIT_U64(51)
#define LOG_CDS BIT_U64(52)
#define LOG_CDNSKEY BIT_U64(53)
#define LOG_SPF BIT_U64(54)
#define LOG_TKEY BIT_U64(55)
#define LOG_TSIG BIT_U64(56)
#define LOG_MAILA BIT_U64(57)
#define LOG_ANY BIT_U64(58)
#define LOG_URI BIT_U64(59)

/* Answer formatting options. These are not RR types and must stay excluded
 * from LOG_ALL_RRTYPES, otherwise the "types" config handling
 * (flags &= ~LOG_ALL_RRTYPES) would silently clear the chosen format. */
#define LOG_FORMAT_GROUPED BIT_U64(60)
#define LOG_FORMAT_DETAILED BIT_U64(61)
/* RR type bit allocated above the format flags (presumably added later). */
#define LOG_HTTPS BIT_U64(62)

#define LOG_FORMAT_ALL (LOG_FORMAT_GROUPED|LOG_FORMAT_DETAILED)
/* Complement of the non-RR-type bits: every bit other than the two
 * transaction selectors and the two format flags. Being a complement, it
 * also covers LOG_HTTPS (bit 62) and any bit not assigned in this block
 * (bit 63 has no define here). A future flag that is NOT an RR type must
 * be added to this exclusion list or it will be treated as one. */
#define LOG_ALL_RRTYPES (~(uint64_t)(LOG_QUERIES|LOG_ANSWERS|LOG_FORMAT_DETAILED|LOG_FORMAT_GROUPED))
177} dns_rrtype_fields[] = {
260 SCJsonBuilderMark mark = { 0, 0, 0 };
262 SCJbGetMark(js, &mark);
264 bool r = SCHttp2LogJson(txptr, js);
266 SCJbRestoreMark(js, &mark);
270 if (tx_dns == NULL) {
275 SCJbGetMark(js, &mark);
278 SCJbRestoreMark(js, &mark);
285 void *alstate,
void *txptr, uint64_t tx_id)
298 SCJsonBuilderMark mark = { 0, 0, 0 };
300 SCJbGetMark(jb, &mark);
302 bool r = SCHttp2LogJson(txptr, jb);
304 SCJbRestoreMark(jb, &mark);
308 if (tx_dns == NULL) {
314 if (SCDnsTxIsRequest(tx_dns)) {
318 }
else if (SCDnsTxIsResponse(tx_dns)) {
328 SCJbGetMark(jb, &mark);
332 SCJbRestoreMark(jb, &mark);
343static int JsonDnsLoggerToServer(
ThreadVars *
tv,
void *thread_data,
344 const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
355 for (uint16_t i = 0; i < 0xffff; i++) {
361 SCJbOpenObject(jb,
"dns");
362 SCJbSetInt(jb,
"version", 2);
376static int JsonDnsLoggerToClient(
ThreadVars *
tv,
void *thread_data,
377 const Packet *p,
Flow *f,
void *alstate,
void *txptr, uint64_t tx_id)
394 SCJbOpenObject(jb,
"dns");
395 SCJbSetInt(jb,
"version", 2);
406 void *txptr, uint64_t tx_id)
411 if (dnslog_ctx->
version == DNS_LOG_VERSION_2) {
412 if (SCDnsTxIsRequest(txptr)) {
413 return JsonDnsLoggerToServer(
tv, thread_data, p, f, alstate, txptr, tx_id);
414 }
else if (SCDnsTxIsResponse(txptr)) {
415 return JsonDnsLoggerToClient(
tv, thread_data, p, f, alstate, txptr, tx_id);
418 if (SCDnsTxIsRequest(txptr)) {
422 }
else if (SCDnsTxIsResponse(txptr)) {
437 if (PacketIsTCP(p)) {
438 if (SCDnsTxIsRequest(txptr)) {
458static TmEcode LogDnsLogThreadInit(
ThreadVars *t,
const void *initdata,
void **data)
466 SCLogDebug(
"Error getting context for EveLogDNS. \"initdata\" argument NULL");
500static void LogDnsLogDeInitCtxSub(
OutputCtx *output_ctx)
502 SCLogDebug(
"cleaning up sub output_ctx %p", output_ctx);
509 const char *query_key,
const char *answer_key,
const char *answer_types_key)
516 dnslog_ctx->
flags &= ~LOG_QUERIES;
523 if (response != NULL) {
527 dnslog_ctx->
flags &= ~LOG_ANSWERS;
535 dnslog_ctx->
flags &= ~LOG_ALL_RRTYPES;
541 dnslog_ctx->
flags |= dns_rrtype_fields[f].flags;
551static uint8_t GetDnsLogVersion(
SCConfNode *conf)
554 return DNS_LOG_VERSION_DEFAULT;
557 char *version_string = NULL;
559 if (version_node != NULL) {
560 version_string = version_node->
val;
563 if (version_string == NULL) {
564 version_string = getenv(
"SURICATA_EVE_DNS_VERSION");
567 if (version_string == NULL) {
568 return DNS_LOG_VERSION_DEFAULT;
575 SCLogWarning(
"Failed to parse EVE DNS log version of \"%s\"", version_string);
576 return DNS_LOG_VERSION_DEFAULT;
579static uint8_t JsonDnsCheckVersion(
SCConfNode *conf)
581 const uint8_t default_version = DNS_LOG_VERSION_DEFAULT;
582 const uint8_t
version = GetDnsLogVersion(conf);
583 static bool v1_deprecation_warned =
false;
584 static bool v2_deprecation_warned =
false;
588 return DNS_LOG_VERSION_3;
590 if (!v2_deprecation_warned) {
591 SCLogNotice(
"DNS EVE v2 logging has been deprecated and will be removed in "
593 v2_deprecation_warned =
true;
595 return DNS_LOG_VERSION_2;
597 if (!v1_deprecation_warned) {
598 SCLogWarning(
"DNS EVE v1 logging has been removed, will use v2");
599 v1_deprecation_warned =
true;
601 return default_version;
604 "Invalid EVE DNS version %d, will use v%d",
version, DNS_LOG_VERSION_DEFAULT);
605 return default_version;
608 return default_version;
613 dnslog_ctx->
flags = ~0ULL;
616 JsonDnsLogParseConfig(dnslog_ctx, conf,
"requests",
"responses",
"types");
623 if (strcasecmp(field->
val,
"detailed") == 0) {
625 }
else if (strcasecmp(field->
val,
"grouped") == 0) {
632 dnslog_ctx->
flags &= ~LOG_FORMAT_ALL;
635 SCLogWarning(
"Empty EVE DNS format array, using defaults");
661 dnslog_ctx->
version = JsonDnsCheckVersion(conf);
669 output_ctx->
data = dnslog_ctx;
670 output_ctx->
DeInit = LogDnsLogDeInitCtxSub;
672 JsonDnsLogInitFilters(dnslog_ctx, conf);
679 result.
ctx = output_ctx;
685#define MODULE_NAME "JsonDnsLog"
689 JsonDnsLogInitCtxSub,
ALPROTO_DNS, JsonDnsLogger, LogDnsLogThreadInit,
690 LogDnsLogThreadDeinit);
696 JsonDnsLogInitCtxSub,
ALPROTO_DOH2, JsonDoh2Logger, LogDnsLogThreadInit,
697 LogDnsLogThreadDeinit);