suricata.8.0.0/output-json_8h_source.html

/* Copyright (C) 2007-2021 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 *

 * \author Tom DeCanio <td@npulsetech.com>

 */


#ifndef SURICATA_OUTPUT_JSON_H

#define SURICATA_OUTPUT_JSON_H


#include "suricata-common.h"

#include "util-buffer.h"

#include "util-logopenfile.h"

#include "output.h"

#include "output-eve-bindgen.h"


#include "app-layer-htp-xff.h"


void OutputJsonRegister(void);


#define JSON_ADDR_LEN 46

#define JSON_PROTO_LEN 16


/* A struct to contain address info for rendering to JSON. */


typedef struct JsonAddrInfo_ {

    char src_ip[JSON_ADDR_LEN];

    char dst_ip[JSON_ADDR_LEN];

    Port sp;

    Port dp;

    char proto[JSON_PROTO_LEN];

    // Ports are logged only when provided by the transport protocol.

    bool log_port;

} JsonAddrInfo;


extern const JsonAddrInfo json_addr_info_zero;


void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr);


/* Suggested output buffer size */

#define JSON_OUTPUT_BUFFER_SIZE 65535


/* helper struct for OutputJSONMemBufferCallback */


typedef struct OutputJSONMemBufferWrapper_ {

    MemBuffer **buffer; /**< buffer to use & expand as needed */

    uint32_t expand_by; /**< expand by this size */

} OutputJSONMemBufferWrapper;


typedef struct OutputJsonCommonSettings_ {

    bool include_metadata;

    bool include_community_id;

    bool include_ethernet;

    bool include_suricata_version;

    uint16_t community_id_seed;

} OutputJsonCommonSettings;


/*

 * Global configuration context data

 */


typedef struct OutputJsonCtx_ {

    LogFileCtx *file_ctx;

    enum LogFileType json_out;

    OutputJsonCommonSettings cfg;

    HttpXFFCfg *xff_cfg;

    SCEveFileType *filetype;

} OutputJsonCtx;


typedef struct OutputJsonThreadCtx_ {

    OutputJsonCtx *ctx;

    LogFileCtx *file_ctx;

    MemBuffer *buffer;

    bool too_large_warning;

} OutputJsonThreadCtx;


json_t *SCJsonString(const char *val);


void CreateEveFlowId(SCJsonBuilder *js, const Flow *f);

void EveFileInfo(SCJsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags);

void EveTcpFlags(uint8_t flags, SCJsonBuilder *js);

void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length);

SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,

        const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx);

SCJsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir,

        const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx);

int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);

void OutputJsonBuilderBuffer(

        ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx);

OutputInitResult OutputJsonInitCtx(SCConfNode *);


OutputInitResult OutputJsonLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx);

TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data);

TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data);


void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,

        SCJsonBuilder *js, enum SCOutputJsonLogDirection dir);

int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p);

void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js);


int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);


OutputJsonThreadCtx *CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx);

void FreeEveThreadCtx(OutputJsonThreadCtx *ctx);

void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array);

void OutputJsonFlush(OutputJsonThreadCtx *ctx);


#endif /* SURICATA_OUTPUT_JSON_H */

app-layer-htp-xff.h

flags
uint8_t flags
Definition decode-gre.h:0

Port
uint16_t Port
Definition decode.h:218

tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32

ctx
struct Thresholds ctx

output-eve-bindgen.h

SCOutputJsonLogDirection
SCOutputJsonLogDirection
Definition output-eve-bindgen.h:31

OutputJsonFlush
void OutputJsonFlush(OutputJsonThreadCtx *ctx)
Definition output-json.c:1009

JSON_ADDR_LEN
#define JSON_ADDR_LEN
Definition output-json.h:37

OutputJsonInitCtx
OutputInitResult OutputJsonInitCtx(SCConfNode *)
Create a new LogFileCtx for "fast" output style.
Definition output-json.c:1141

CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition output-json.c:850

EveTcpFlags
void EveTcpFlags(uint8_t flags, SCJsonBuilder *js)
jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.
Definition output-json.c:466

OutputJsonLogFlush
int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p)
Definition output-json-common.c:73

JsonAddrInfoInit
void JsonAddrInfoInit(const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr)
Definition output-json.c:486

CreateEveThreadCtx
OutputJsonThreadCtx * CreateEveThreadCtx(ThreadVars *t, OutputJsonCtx *ctx)
Definition output-json-common.c:29

EvePacket
void EvePacket(const Packet *p, SCJsonBuilder *js, uint32_t max_length)
Jsonify a packet.
Definition output-json.c:441

OutputJsonThreadCtx
struct OutputJsonThreadCtx_ OutputJsonThreadCtx

OutputJsonCtx
struct OutputJsonCtx_ OutputJsonCtx

OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx)
Definition output-json-common.c:82

OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition output-json.c:966

JSON_PROTO_LEN
#define JSON_PROTO_LEN
Definition output-json.h:38

OutputJSONMemBufferWrapper
struct OutputJSONMemBufferWrapper_ OutputJSONMemBufferWrapper

json_addr_info_zero
const JsonAddrInfo json_addr_info_zero
Definition output-json.c:81

OutputJsonRegister
void OutputJsonRegister(void)
Definition output-json.c:83

EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition output-json.c:391

OutputJSONBuffer
int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
Definition output-json.c:980

EveFileInfo
void EveFileInfo(SCJsonBuilder *js, const File *file, const uint64_t tx_id, const uint16_t flags)
Definition output-json.c:124

JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition output-json-common.c:99

JSONFormatAndAddMACAddr
void JSONFormatAndAddMACAddr(SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
Definition output-json.c:728

SCJsonString
json_t * SCJsonString(const char *val)
Definition output-json.c:96

JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition output-json-common.c:132

JsonAddrInfo
struct JsonAddrInfo_ JsonAddrInfo

FreeEveThreadCtx
void FreeEveThreadCtx(OutputJsonThreadCtx *ctx)
Definition output-json-common.c:58

OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition output-json.c:1015

CreateEveFlowId
void CreateEveFlowId(SCJsonBuilder *js, const Flow *f)
Definition output-json.c:716

OutputJsonCommonSettings
struct OutputJsonCommonSettings_ OutputJsonCommonSettings

CreateEveHeaderWithTxId
SCJsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition output-json.c:953

EveAddCommonOptions
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
Definition output-json.c:414

output.h

File_
Definition util-file.h:79

Flow_
Flow data structure.
Definition flow.h:356

HttpXFFCfg_
Definition app-layer-htp-xff.h:41

JsonAddrInfo_
Definition output-json.h:41

JsonAddrInfo_::proto
char proto[JSON_PROTO_LEN]
Definition output-json.h:46

JsonAddrInfo_::dp
Port dp
Definition output-json.h:45

JsonAddrInfo_::src_ip
char src_ip[JSON_ADDR_LEN]
Definition output-json.h:42

JsonAddrInfo_::dst_ip
char dst_ip[JSON_ADDR_LEN]
Definition output-json.h:43

JsonAddrInfo_::sp
Port sp
Definition output-json.h:44

JsonAddrInfo_::log_port
bool log_port
Definition output-json.h:48

LogFileCtx_
Definition util-logopenfile.h:72

MemBuffer_
Definition util-buffer.h:27

OutputCtx_
Definition tm-modules.h:88

OutputInitResult_
Definition output.h:46

OutputJSONMemBufferWrapper_
Definition output-json.h:59

OutputJSONMemBufferWrapper_::expand_by
uint32_t expand_by
Definition output-json.h:61

OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition output-json.h:60

OutputJsonCommonSettings_
Definition output-json.h:64

OutputJsonCommonSettings_::include_suricata_version
bool include_suricata_version
Definition output-json.h:68

OutputJsonCommonSettings_::include_ethernet
bool include_ethernet
Definition output-json.h:67

OutputJsonCommonSettings_::include_community_id
bool include_community_id
Definition output-json.h:66

OutputJsonCommonSettings_::community_id_seed
uint16_t community_id_seed
Definition output-json.h:69

OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition output-json.h:65

OutputJsonCtx_
Definition output-json.h:75

OutputJsonCtx_::filetype
SCEveFileType * filetype
Definition output-json.h:80

OutputJsonCtx_::json_out
enum LogFileType json_out
Definition output-json.h:77

OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition output-json.h:78

OutputJsonCtx_::xff_cfg
HttpXFFCfg * xff_cfg
Definition output-json.h:79

OutputJsonCtx_::file_ctx
LogFileCtx * file_ctx
Definition output-json.h:76

OutputJsonThreadCtx_
Definition output-json.h:83

OutputJsonThreadCtx_::buffer
MemBuffer * buffer
Definition output-json.h:86

OutputJsonThreadCtx_::file_ctx
LogFileCtx * file_ctx
Definition output-json.h:85

OutputJsonThreadCtx_::too_large_warning
bool too_large_warning
Definition output-json.h:87

OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition output-json.h:84

Packet_
Definition decode.h:501

SCConfNode_
Definition conf.h:37

SCEveFileType_
Structure used to define an EVE output file type plugin.
Definition output-eve.h:74

ThreadVars_
Per thread variable structure.
Definition threadvars.h:58

suricata-common.h

str
#define str(s)
Definition suricata-common.h:308

TmEcode
TmEcode
Definition tm-threads-common.h:80

util-buffer.h

util-logopenfile.h

LogFileType
LogFileType
Definition util-logopenfile.h:38