parent
688efe79f0
commit
3643b6ed4b
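--- a/PATH-NOT-ON-PAGE/output-json-bittorrent-dht.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/* Copyright (C) 2021 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*
-* Implement JSON/eve logging app-layer BitTorrent DHT.
-*/
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-
-#include "output.h"
-#include "output-json.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "output-json-bittorrent-dht.h"
-#include "rust.h"
-
-typedef struct LogBitTorrentDHTFileCtx_ {
-uint32_t flags;
-OutputJsonCtx *eve_ctx;
-} LogBitTorrentDHTFileCtx;
-
-typedef struct LogBitTorrentDHTLogThread_ {
-LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx;
-OutputJsonThreadCtx *ctx;
-} LogBitTorrentDHTLogThread;
-
-static int JsonBitTorrentDHTLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f,
-void *state, void *tx, uint64_t tx_id)
-{
-LogBitTorrentDHTLogThread *thread = thread_data;
-
-JsonBuilder *js = CreateEveHeader(
-p, LOG_DIR_PACKET, "bittorrent_dht", NULL, thread->bittorrent_dht_log_ctx->eve_ctx);
-if (unlikely(js == NULL)) {
-return TM_ECODE_FAILED;
-}
-
-if (!rs_bittorrent_dht_logger_log(tx, js)) {
-goto error;
-}
-
-OutputJsonBuilderBuffer(js, thread->ctx);
-jb_free(js);
-
-return TM_ECODE_OK;
-
-error:
-jb_free(js);
-return TM_ECODE_FAILED;
-}
-
-static void OutputBitTorrentDHTLogDeInitCtxSub(OutputCtx *output_ctx)
-{
-LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx = (LogBitTorrentDHTFileCtx *)output_ctx->data;
-SCFree(bittorrent_dht_log_ctx);
-SCFree(output_ctx);
-}
-
-static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
-{
-OutputInitResult result = { NULL, false };
-OutputJsonCtx *ajt = parent_ctx->data;
-
-LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx = SCCalloc(1, sizeof(*bittorrent_dht_log_ctx));
-if (unlikely(bittorrent_dht_log_ctx == NULL)) {
-return result;
-}
-bittorrent_dht_log_ctx->eve_ctx = ajt;
-
-OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
-if (unlikely(output_ctx == NULL)) {
-SCFree(bittorrent_dht_log_ctx);
-return result;
-}
-output_ctx->data = bittorrent_dht_log_ctx;
-output_ctx->DeInit = OutputBitTorrentDHTLogDeInitCtxSub;
-
-AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_BITTORRENT_DHT);
-
-result.ctx = output_ctx;
-result.ok = true;
-return result;
-}
-
-static TmEcode JsonBitTorrentDHTLogThreadInit(ThreadVars *t, const void *initdata, void **data)
-{
-LogBitTorrentDHTLogThread *thread = SCCalloc(1, sizeof(*thread));
-if (unlikely(thread == NULL)) {
-return TM_ECODE_FAILED;
-}
-
-if (initdata == NULL) {
-SCLogDebug("Error getting context for EveLogBitTorrentDHT. \"initdata\" is NULL.");
-goto error_exit;
-}
-
-thread->bittorrent_dht_log_ctx = ((OutputCtx *)initdata)->data;
-thread->ctx = CreateEveThreadCtx(t, thread->bittorrent_dht_log_ctx->eve_ctx);
-if (!thread->ctx) {
-goto error_exit;
-}
-*data = (void *)thread;
-
-return TM_ECODE_OK;
-
-error_exit:
-SCFree(thread);
-return TM_ECODE_FAILED;
-}
-
-static TmEcode JsonBitTorrentDHTLogThreadDeinit(ThreadVars *t, void *data)
-{
-LogBitTorrentDHTLogThread *thread = (LogBitTorrentDHTLogThread *)data;
-if (thread == NULL) {
-return TM_ECODE_OK;
-}
-FreeEveThreadCtx(thread->ctx);
-SCFree(thread);
-return TM_ECODE_OK;
-}
-
-void JsonBitTorrentDHTLogRegister(void)
-{
-if (ConfGetNode("app-layer.protocols.bittorrent-dht") == NULL) {
-return;
-}
-
-/* Register as an eve sub-module. */
-OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonBitTorrentDHTLog",
-"eve-log.bittorrent-dht", OutputBitTorrentDHTLogInitSub, ALPROTO_BITTORRENT_DHT,
-JsonBitTorrentDHTLogger, JsonBitTorrentDHTLogThreadInit,
-JsonBitTorrentDHTLogThreadDeinit, NULL);
-}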
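--- a/PATH-NOT-ON-PAGE/output-json-bittorrent-dht.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* Copyright (C) 2021 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*/
-
-#ifndef SURICATA_OUTPUT_JSON_BITTORRENT_DHT_H
-#define SURICATA_OUTPUT_JSON_BITTORRENT_DHT_H
-
-void JsonBitTorrentDHTLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_BITTORRENT_DHT_H */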
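--- a/PATH-NOT-ON-PAGE/output-json-http2.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/* Copyright (C) 2020-2021 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*
-* \author Philippe Antoine <p.antoine@catenacyber.fr>
-*
-* Implements HTTP2 JSON logging portion of the engine.
-*/
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-print.h"
-#include "util-unittest.h"
-
-#include "util-debug.h"
-#include "app-layer-parser.h"
-#include "output.h"
-#include "app-layer-http2.h"
-#include "app-layer.h"
-#include "util-privs.h"
-#include "util-buffer.h"
-
-#include "util-logopenfile.h"
-
-#include "output-json.h"
-#include "output-json-http2.h"
-#include "rust.h"
-
-#define MODULE_NAME "LogHttp2Log"
-
-typedef struct OutputHttp2Ctx_ {
-OutputJsonCtx *eve_ctx;
-} OutputHttp2Ctx;
-
-
-typedef struct JsonHttp2LogThread_ {
-OutputHttp2Ctx *http2log_ctx;
-OutputJsonThreadCtx *ctx;
-} JsonHttp2LogThread;
-
-static int JsonHttp2Logger(ThreadVars *tv, void *thread_data, const Packet *p,
-Flow *f, void *state, void *txptr, uint64_t tx_id)
-{
-JsonHttp2LogThread *aft = (JsonHttp2LogThread *)thread_data;
-
-if (unlikely(state == NULL)) {
-return 0;
-}
-
-JsonBuilder *js = CreateEveHeaderWithTxId(
-p, LOG_DIR_FLOW, "http", NULL, tx_id, aft->http2log_ctx->eve_ctx);
-if (unlikely(js == NULL))
-return 0;
-
-if (!rs_http2_log_json(txptr, js)) {
-goto end;
-}
-OutputJsonBuilderBuffer(js, aft->ctx);
-end:
-jb_free(js);
-return 0;
-}
-
-static TmEcode JsonHttp2LogThreadInit(ThreadVars *t, const void *initdata, void **data)
-{
-JsonHttp2LogThread *aft = SCCalloc(1, sizeof(JsonHttp2LogThread));
-if (unlikely(aft == NULL))
-return TM_ECODE_FAILED;
-
-if(initdata == NULL)
-{
-SCLogDebug("Error getting context for EveLogHTTP2. \"initdata\" argument NULL");
-goto error_exit;
-}
-
-/* Use the Output Context (file pointer and mutex) */
-aft->http2log_ctx = ((OutputCtx *)initdata)->data;
-aft->ctx = CreateEveThreadCtx(t, aft->http2log_ctx->eve_ctx);
-if (!aft->ctx) {
-goto error_exit;
-}
-
-*data = (void *)aft;
-return TM_ECODE_OK;
-
-error_exit:
-SCFree(aft);
-return TM_ECODE_FAILED;
-}
-
-static TmEcode JsonHttp2LogThreadDeinit(ThreadVars *t, void *data)
-{
-JsonHttp2LogThread *aft = (JsonHttp2LogThread *)data;
-if (aft == NULL) {
-return TM_ECODE_OK;
-}
-
-FreeEveThreadCtx(aft->ctx);
-/* clear memory */
-memset(aft, 0, sizeof(JsonHttp2LogThread));
-
-SCFree(aft);
-return TM_ECODE_OK;
-}
-
-static void OutputHttp2LogDeinitSub(OutputCtx *output_ctx)
-{
-OutputHttp2Ctx *http2_ctx = output_ctx->data;
-SCFree(http2_ctx);
-SCFree(output_ctx);
-}
-
-static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
-{
-OutputInitResult result = { NULL, false };
-OutputJsonCtx *ojc = parent_ctx->data;
-
-OutputHttp2Ctx *http2_ctx = SCCalloc(1, sizeof(OutputHttp2Ctx));
-if (unlikely(http2_ctx == NULL))
-return result;
-
-OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
-if (unlikely(output_ctx == NULL)) {
-SCFree(http2_ctx);
-return result;
-}
-
-http2_ctx->eve_ctx = ojc;
-
-output_ctx->data = http2_ctx;
-output_ctx->DeInit = OutputHttp2LogDeinitSub;
-
-AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2);
-
-result.ctx = output_ctx;
-result.ok = true;
-return result;
-}
-
-void JsonHttp2LogRegister (void)
-{
-/* also register as child of eve-log */
-OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", MODULE_NAME, "eve-log.http2",
-OutputHttp2LogInitSub, ALPROTO_HTTP2, JsonHttp2Logger, HTTP2StateClosed,
-HTTP2StateClosed, JsonHttp2LogThreadInit, JsonHttp2LogThreadDeinit, NULL);
-}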
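--- a/PATH-NOT-ON-PAGE/output-json-http2.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2020 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*
-* \author Philippe Antoine <p.antoine@catenacyber.fr>
-*/
-
-#ifndef SURICATA_OUTPUT_JSON_HTTP2_H
-#define SURICATA_OUTPUT_JSON_HTTP2_H
-
-void JsonHttp2LogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_HTTP2_H */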
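--- a/PATH-NOT-ON-PAGE/output-json-krb5.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/* Copyright (C) 2018-2021 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*
-* \author Pierre Chifflier <chifflier@wzdftpd.net>
-*
-* Implement JSON/eve logging app-layer KRB5.
-*/
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-
-#include "output.h"
-#include "output-json.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "app-layer-krb5.h"
-#include "output-json-krb5.h"
-
-#include "rust.h"
-
-static int JsonKRB5Logger(ThreadVars *tv, void *thread_data,
-const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
-{
-KRB5Transaction *krb5tx = tx;
-OutputJsonThreadCtx *thread = thread_data;
-
-JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "krb5", NULL, thread->ctx);
-if (unlikely(jb == NULL)) {
-return TM_ECODE_FAILED;
-}
-
-if (!rs_krb5_log_json_response(krb5tx, jb)) {
-goto error;
-}
-
-OutputJsonBuilderBuffer(jb, thread);
-
-jb_free(jb);
-return TM_ECODE_OK;
-
-error:
-jb_free(jb);
-return TM_ECODE_FAILED;
-}
-
-static OutputInitResult OutputKRB5LogInitSub(ConfNode *conf,
-OutputCtx *parent_ctx)
-{
-AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_KRB5);
-AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_KRB5);
-return OutputJsonLogInitSub(conf, parent_ctx);
-}
-
-void JsonKRB5LogRegister(void)
-{
-/* Register as an eve sub-module. */
-OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonKRB5Log", "eve-log.krb5",
-OutputKRB5LogInitSub, ALPROTO_KRB5, JsonKRB5Logger, JsonLogThreadInit,
-JsonLogThreadDeinit, NULL);
-
-SCLogDebug("KRB5 JSON logger registered.");
-}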
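--- a/PATH-NOT-ON-PAGE/output-json-krb5.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2015 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*
-* \author Pierre Chifflier <chifflier@wzdftpd.net>
-*/
-
-#ifndef SURICATA_OUTPUT_JSON_KRB5_H
-#define SURICATA_OUTPUT_JSON_KRB5_H
-
-void JsonKRB5LogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_KRB5_H */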
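--- a/PATH-NOT-ON-PAGE/output-json-modbus.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/* Copyright (C) 2019-2020 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-#include "output.h"
-#include "output-json.h"
-#include "app-layer.h"
-#include "app-layer-parser.h"
-#include "output-json-modbus.h"
-#include "rust.h"
-
-typedef struct LogModbusFileCtx_ {
-LogFileCtx *file_ctx;
-OutputJsonCtx *eve_ctx;
-} LogModbusFileCtx;
-
-typedef struct JsonModbusLogThread_ {
-LogModbusFileCtx *modbuslog_ctx;
-OutputJsonThreadCtx *ctx;
-} JsonModbusLogThread;
-
-static int JsonModbusLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f,
-void *state, void *tx, uint64_t tx_id)
-{
-JsonModbusLogThread *thread = thread_data;
-
-JsonBuilder *js =
-CreateEveHeader(p, LOG_DIR_FLOW, "modbus", NULL, thread->modbuslog_ctx->eve_ctx);
-if (unlikely(js == NULL)) {
-return TM_ECODE_OK;
-}
-if (!rs_modbus_to_json(tx, js)) {
-jb_free(js);
-return TM_ECODE_FAILED;
-}
-OutputJsonBuilderBuffer(js, thread->ctx);
-
-jb_free(js);
-return TM_ECODE_OK;
-}
-
-static void OutputModbusLogDeInitCtxSub(OutputCtx *output_ctx)
-{
-LogModbusFileCtx *modbuslog_ctx = (LogModbusFileCtx *)output_ctx->data;
-SCFree(modbuslog_ctx);
-SCFree(output_ctx);
-}
-
-static OutputInitResult OutputModbusLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
-{
-OutputInitResult result = { NULL, false };
-OutputJsonCtx *ajt = parent_ctx->data;
-
-LogModbusFileCtx *modbuslog_ctx = SCCalloc(1, sizeof(*modbuslog_ctx));
-if (unlikely(modbuslog_ctx == NULL)) {
-return result;
-}
-modbuslog_ctx->file_ctx = ajt->file_ctx;
-modbuslog_ctx->eve_ctx = ajt;
-
-OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
-if (unlikely(output_ctx == NULL)) {
-SCFree(modbuslog_ctx);
-return result;
-}
-output_ctx->data = modbuslog_ctx;
-output_ctx->DeInit = OutputModbusLogDeInitCtxSub;
-
-AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_MODBUS);
-
-SCLogDebug("modbus log sub-module initialized.");
-
-result.ctx = output_ctx;
-result.ok = true;
-return result;
-}
-
-static TmEcode JsonModbusLogThreadInit(ThreadVars *t, const void *initdata, void **data)
-{
-if (initdata == NULL) {
-SCLogDebug("Error getting context for EveLogModbus. \"initdata\" is NULL.");
-return TM_ECODE_FAILED;
-}
-
-JsonModbusLogThread *thread = SCCalloc(1, sizeof(*thread));
-if (unlikely(thread == NULL)) {
-return TM_ECODE_FAILED;
-}
-
-thread->modbuslog_ctx = ((OutputCtx *)initdata)->data;
-thread->ctx = CreateEveThreadCtx(t, thread->modbuslog_ctx->eve_ctx);
-if (thread->ctx == NULL) {
-goto error_exit;
-}
-
-*data = (void *)thread;
-return TM_ECODE_OK;
-
-error_exit:
-SCFree(thread);
-return TM_ECODE_FAILED;
-}
-
-static TmEcode JsonModbusLogThreadDeinit(ThreadVars *t, void *data)
-{
-JsonModbusLogThread *thread = (JsonModbusLogThread *)data;
-if (thread == NULL) {
-return TM_ECODE_OK;
-}
-FreeEveThreadCtx(thread->ctx);
-SCFree(thread);
-return TM_ECODE_OK;
-}
-
-void JsonModbusLogRegister(void)
-{
-/* Register as an eve sub-module. */
-OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonModbusLog", "eve-log.modbus",
-OutputModbusLogInitSub, ALPROTO_MODBUS, JsonModbusLogger, JsonModbusLogThreadInit,
-JsonModbusLogThreadDeinit, NULL);
-
-SCLogDebug("modbus json logger registered.");
-}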
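--- a/PATH-NOT-ON-PAGE/output-json-modbus.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* Copyright (C) 2019 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-#ifndef SURICATA_OUTPUT_JSON_MODBUS_H
-#define SURICATA_OUTPUT_JSON_MODBUS_H
-
-void JsonModbusLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_MODBUS_H */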
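--- a/PATH-NOT-ON-PAGE/output-json-quic.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* Copyright (C) 2021 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*
-* Implements JSON/eve logging for Quic app-layer.
-*/
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-#include "output.h"
-#include "output-json.h"
-#include "app-layer.h"
-#include "app-layer-parser.h"
-#include "output-json-quic.h"
-#include "rust.h"
-
-typedef struct LogQuicFileCtx_ {
-LogFileCtx *file_ctx;
-OutputJsonCtx *eve_ctx;
-} LogQuicFileCtx;
-
-typedef struct JsonQuicLogThread_ {
-LogQuicFileCtx *quiclog_ctx;
-OutputJsonThreadCtx *ctx;
-} JsonQuicLogThread;
-
-static int JsonQuicLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state,
-void *tx, uint64_t tx_id)
-{
-JsonQuicLogThread *thread = thread_data;
-
-JsonBuilder *js =
-CreateEveHeader(p, LOG_DIR_PACKET, "quic", NULL, thread->quiclog_ctx->eve_ctx);
-if (unlikely(js == NULL)) {
-return TM_ECODE_OK;
-}
-if (!rs_quic_to_json(tx, js)) {
-jb_free(js);
-return TM_ECODE_FAILED;
-}
-OutputJsonBuilderBuffer(js, thread->ctx);
-
-jb_free(js);
-return TM_ECODE_OK;
-}
-
-static void OutputQuicLogDeInitCtxSub(OutputCtx *output_ctx)
-{
-LogQuicFileCtx *quiclog_ctx = (LogQuicFileCtx *)output_ctx->data;
-SCFree(quiclog_ctx);
-SCFree(output_ctx);
-}
-
-static OutputInitResult OutputQuicLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
-{
-OutputInitResult result = { NULL, false };
-OutputJsonCtx *ajt = parent_ctx->data;
-
-LogQuicFileCtx *quiclog_ctx = SCCalloc(1, sizeof(*quiclog_ctx));
-if (unlikely(quiclog_ctx == NULL)) {
-return result;
-}
-quiclog_ctx->file_ctx = ajt->file_ctx;
-quiclog_ctx->eve_ctx = ajt;
-
-OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
-if (unlikely(output_ctx == NULL)) {
-SCFree(quiclog_ctx);
-return result;
-}
-output_ctx->data = quiclog_ctx;
-output_ctx->DeInit = OutputQuicLogDeInitCtxSub;
-
-AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_QUIC);
-
-result.ctx = output_ctx;
-result.ok = true;
-return result;
-}
-
-static TmEcode JsonQuicLogThreadInit(ThreadVars *t, const void *initdata, void **data)
-{
-if (initdata == NULL) {
-SCLogDebug("Error getting context for EveLogQuic. \"initdata\" is NULL.");
-return TM_ECODE_FAILED;
-}
-
-JsonQuicLogThread *thread = SCCalloc(1, sizeof(*thread));
-if (unlikely(thread == NULL)) {
-return TM_ECODE_FAILED;
-}
-
-thread->quiclog_ctx = ((OutputCtx *)initdata)->data;
-thread->ctx = CreateEveThreadCtx(t, thread->quiclog_ctx->eve_ctx);
-if (thread->ctx == NULL) {
-goto error_exit;
-}
-
-*data = (void *)thread;
-return TM_ECODE_OK;
-
-error_exit:
-SCFree(thread);
-return TM_ECODE_FAILED;
-}
-
-static TmEcode JsonQuicLogThreadDeinit(ThreadVars *t, void *data)
-{
-JsonQuicLogThread *thread = (JsonQuicLogThread *)data;
-if (thread == NULL) {
-return TM_ECODE_OK;
-}
-FreeEveThreadCtx(thread->ctx);
-SCFree(thread);
-return TM_ECODE_OK;
-}
-
-void JsonQuicLogRegister(void)
-{
-/* Register as an eve sub-module. */
-OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonQuicLog", "eve-log.quic",
-OutputQuicLogInitSub, ALPROTO_QUIC, JsonQuicLogger, JsonQuicLogThreadInit,
-JsonQuicLogThreadDeinit, NULL);
-
-SCLogDebug("quic json logger registered.");
-}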
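--- a/PATH-NOT-ON-PAGE/output-json-quic.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* Copyright (C) 2021 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*/
-
-#ifndef SURICATA_OUTPUT_JSON_QUIC_H
-#define SURICATA_OUTPUT_JSON_QUIC_H
-
-void JsonQuicLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_QUIC_H */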
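--- a/PATH-NOT-ON-PAGE/output-json-rdp.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/* Copyright (C) 2019-2021 Open Information Security Foundation
-*
-* You can copy, redistribute or modify this Program under the terms of
-* the GNU General Public License version 2 as published by the Free
-* Software Foundation.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* version 2 along with this program; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-* 02110-1301, USA.
-*/
-
-/**
-* \file
-*
-* \author Zach Kelly <zach.kelly@lmco.com>
-*
-* Application layer logger for RDP
-*/
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-#include "output.h"
-#include "output-json.h"
-#include "app-layer.h"
-#include "app-layer-parser.h"
-#include "app-layer-rdp.h"
-#include "output-json-rdp.h"
-#include "rust.h"
-
-static int JsonRdpLogger(ThreadVars *tv, void *thread_data,
-const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
-{
-OutputJsonThreadCtx *thread = thread_data;
-
-JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "rdp", NULL, thread->ctx);
-if (unlikely(js == NULL)) {
-return TM_ECODE_OK;
-}
-if (!rs_rdp_to_json(tx, js)) {
-jb_free(js);
-return TM_ECODE_FAILED;
-}
-OutputJsonBuilderBuffer(js, thread);
-
-jb_free(js);
-return TM_ECODE_OK;
-}
-
-static OutputInitResult OutputRdpLogInitSub(ConfNode *conf,
-OutputCtx *parent_ctx)
-{
-AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RDP);
-return OutputJsonLogInitSub(conf, parent_ctx);
-}
-
-void JsonRdpLogRegister(void)
-{
-/* Register as an eve sub-module. */
-OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRdpLog", "eve-log.rdp",
-OutputRdpLogInitSub, ALPROTO_RDP, JsonRdpLogger, JsonLogThreadInit, JsonLogThreadDeinit,
-NULL);
-
-SCLogDebug("rdp json logger registered.");
-}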
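--- a/output-json-rdp.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2019 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Zach Kelly <zach.kelly@lmco.com>
- */
-
-#ifndef SURICATA_OUTPUT_JSON_RDP_H
-#define SURICATA_OUTPUT_JSON_RDP_H
-
-void JsonRdpLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_RDP_H */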
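--- a/output-json-rfb.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/* Copyright (C) 2020-2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Frank Honza <frank.honza@dcso.de>
- *
- * Implement JSON/eve logging app-layer RFB.
- */
-
-#include "suricata-common.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-
-#include "output.h"
-#include "output-json.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "app-layer-rfb.h"
-#include "output-json-rfb.h"
-
-#include "rust-bindings.h"
-
-static int JsonRFBLogger(ThreadVars *tv, void *thread_data,
-        const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
-{
-    OutputJsonThreadCtx *thread = thread_data;
-
-    JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "rfb", NULL, thread->ctx);
-    if (unlikely(js == NULL)) {
-        return TM_ECODE_FAILED;
-    }
-
-    if (!rs_rfb_logger_log(tx, js)) {
-        goto error;
-    }
-
-    OutputJsonBuilderBuffer(js, thread);
-    jb_free(js);
-
-    return TM_ECODE_OK;
-
-error:
-    jb_free(js);
-    return TM_ECODE_FAILED;
-}
-
-static OutputInitResult OutputRFBLogInitSub(ConfNode *conf,
-        OutputCtx *parent_ctx)
-{
-    AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB);
-    return OutputJsonLogInitSub(conf, parent_ctx);
-}
-
-void JsonRFBLogRegister(void)
-{
-    /* Register as an eve sub-module. */
-    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRFBLog", "eve-log.rfb",
-            OutputRFBLogInitSub, ALPROTO_RFB, JsonRFBLogger, JsonLogThreadInit, JsonLogThreadDeinit,
-            NULL);
-}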
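--- a/output-json-rfb.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Frank Honza <frank.honza@dcso.de>
- */
-
-#ifndef SURICATA_OUTPUT_JSON_RFB_H
-#define SURICATA_OUTPUT_JSON_RFB_H
-
-void JsonRFBLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_RFB_H */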
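--- a/output-json-sip.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/* Copyright (C) 2018-2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Giuseppe Longo <giuseppe@glongo.it>
- *
- * Implement JSON/eve logging app-layer SIP.
- */
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-
-#include "output.h"
-#include "output-json.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "app-layer-sip.h"
-#include "output-json-sip.h"
-
-#include "rust.h"
-
-static int JsonSIPLogger(ThreadVars *tv, void *thread_data,
-        const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
-{
-    SIPTransaction *siptx = tx;
-    OutputJsonThreadCtx *thread = thread_data;
-
-    JsonBuilder *js = CreateEveHeader((Packet *)p, LOG_DIR_PACKET, "sip", NULL, thread->ctx);
-    if (unlikely(js == NULL)) {
-        return TM_ECODE_OK;
-    }
-
-    if (!rs_sip_log_json(siptx, js)) {
-        goto error;
-    }
-
-    OutputJsonBuilderBuffer(js, thread);
-    jb_free(js);
-
-    return TM_ECODE_OK;
-
-error:
-    jb_free(js);
-    return TM_ECODE_FAILED;
-}
-
-static OutputInitResult OutputSIPLogInitSub(ConfNode *conf,
-        OutputCtx *parent_ctx)
-{
-    AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SIP);
-    AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SIP);
-    return OutputJsonLogInitSub(conf, parent_ctx);
-}
-
-void JsonSIPLogRegister(void)
-{
-    /* Register as an eve sub-module. */
-    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip",
-            OutputSIPLogInitSub, ALPROTO_SIP, JsonSIPLogger, JsonLogThreadInit, JsonLogThreadDeinit,
-            NULL);
-
-    SCLogDebug("SIP JSON logger registered.");
-}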
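--- a/output-json-sip.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2015 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Giuseppe Longo <giuseppe@glongo.it>
- */
-
-#ifndef SURICATA_OUTPUT_JSON_SIP_H
-#define SURICATA_OUTPUT_JSON_SIP_H
-
-void JsonSIPLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_SIP_H */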
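--- a/output-json-snmp.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/* Copyright (C) 2018-2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Pierre Chifflier <chifflier@wzdftpd.net>
- *
- * Implement JSON/eve logging app-layer SNMP.
- */
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-
-#include "output.h"
-#include "output-json.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "app-layer-snmp.h"
-#include "output-json-snmp.h"
-
-#include "rust.h"
-
-static int JsonSNMPLogger(ThreadVars *tv, void *thread_data,
-        const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
-{
-    SNMPTransaction *snmptx = tx;
-    OutputJsonThreadCtx *thread = thread_data;
-
-    JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "snmp", NULL, thread->ctx);
-    if (unlikely(jb == NULL)) {
-        return TM_ECODE_FAILED;
-    }
-
-    if (!rs_snmp_log_json_response(snmptx, jb)) {
-        goto error;
-    }
-
-    OutputJsonBuilderBuffer(jb, thread);
-
-    jb_free(jb);
-    return TM_ECODE_OK;
-
-error:
-    jb_free(jb);
-    return TM_ECODE_FAILED;
-}
-
-static OutputInitResult OutputSNMPLogInitSub(ConfNode *conf,
-        OutputCtx *parent_ctx)
-{
-    AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SNMP);
-    return OutputJsonLogInitSub(conf, parent_ctx);
-}
-
-void JsonSNMPLogRegister(void)
-{
-    /* Register as an eve sub-module. */
-    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSNMPLog", "eve-log.snmp",
-            OutputSNMPLogInitSub, ALPROTO_SNMP, JsonSNMPLogger, JsonLogThreadInit,
-            JsonLogThreadDeinit, NULL);
-
-    SCLogDebug("SNMP JSON logger registered.");
-}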
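--- a/output-json-snmp.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2015-2019 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Pierre Chifflier <chifflier@wzdftpd.net>
- */
-
-#ifndef SURICATA_OUTPUT_JSON_SNMP_H
-#define SURICATA_OUTPUT_JSON_SNMP_H
-
-void JsonSNMPLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_SNMP_H */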
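--- a/output-json-ssh.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* Copyright (C) 2014-2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Victor Julien <victor@inliniac.net>
- *
- * Implements SSH JSON logging portion of the engine.
- */
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-print.h"
-#include "util-unittest.h"
-
-#include "util-debug.h"
-#include "app-layer-parser.h"
-#include "output.h"
-#include "app-layer-ssh.h"
-#include "app-layer.h"
-#include "util-privs.h"
-#include "util-buffer.h"
-
-#include "util-logopenfile.h"
-
-#include "output-json.h"
-#include "output-json-ssh.h"
-#include "rust.h"
-
-#define MODULE_NAME "LogSshLog"
-
-static int JsonSshLogger(ThreadVars *tv, void *thread_data, const Packet *p,
-        Flow *f, void *state, void *txptr, uint64_t tx_id)
-{
-    OutputJsonThreadCtx *thread = thread_data;
-
-    if (unlikely(state == NULL)) {
-        return 0;
-    }
-
-    JsonBuilder *js = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "ssh", NULL, tx_id, thread->ctx);
-    if (unlikely(js == NULL))
-        return 0;
-
-    if (!rs_ssh_log_json(txptr, js)) {
-        goto end;
-    }
-    OutputJsonBuilderBuffer(js, thread);
-
-end:
-    jb_free(js);
-    return 0;
-}
-
-static OutputInitResult OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
-{
-    AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH);
-    return OutputJsonLogInitSub(conf, parent_ctx);
-}
-
-void JsonSshLogRegister (void)
-{
-    /* register as child of eve-log */
-    OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_TX, "eve-log", "JsonSshLog", "eve-log.ssh",
-            OutputSshLogInitSub, ALPROTO_SSH, JsonSshLogger, SSHTxLogCondition, JsonLogThreadInit,
-            JsonLogThreadDeinit, NULL);
-}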
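--- a/output-json-ssh.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2014 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Victor Julien <victor@inliniac.net>
- */
-
-#ifndef SURICATA_OUTPUT_JSON_SSH_H
-#define SURICATA_OUTPUT_JSON_SSH_H
-
-void JsonSshLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_SSH_H */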
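--- a/output-json-template.c
+++ /dev/null
@@ -1,176 +0,0 @@
-/* Copyright (C) 2018-2022 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/*
- * TODO: Update \author in this file and in output-json-template.h.
- * TODO: Remove SCLogNotice statements, or convert to debug.
- * TODO: Implement your app-layers logging.
- */
-
-/**
- * \file
- *
- * \author FirstName LastName <yourname@domain>
- *
- * Implement JSON/eve logging app-layer Template.
- */
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-
-#include "output.h"
-#include "output-json.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "output-json-template.h"
-#include "rust.h"
-
-typedef struct LogTemplateFileCtx_ {
-    uint32_t flags;
-    OutputJsonCtx *eve_ctx;
-} LogTemplateFileCtx;
-
-typedef struct LogTemplateLogThread_ {
-    LogTemplateFileCtx *templatelog_ctx;
-    OutputJsonThreadCtx *ctx;
-} LogTemplateLogThread;
-
-static int JsonTemplateLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f,
-        void *state, void *tx, uint64_t tx_id)
-{
-    SCLogNotice("JsonTemplateLogger");
-    LogTemplateLogThread *thread = thread_data;
-
-    JsonBuilder *js =
-            CreateEveHeader(p, LOG_DIR_PACKET, "template", NULL, thread->templatelog_ctx->eve_ctx);
-    if (unlikely(js == NULL)) {
-        return TM_ECODE_FAILED;
-    }
-
-    if (!rs_template_logger_log(tx, js)) {
-        goto error;
-    }
-
-    OutputJsonBuilderBuffer(js, thread->ctx);
-    jb_free(js);
-
-    return TM_ECODE_OK;
-
-error:
-    jb_free(js);
-    return TM_ECODE_FAILED;
-}
-
-static void OutputTemplateLogDeInitCtxSub(OutputCtx *output_ctx)
-{
-    LogTemplateFileCtx *templatelog_ctx = (LogTemplateFileCtx *)output_ctx->data;
-    SCFree(templatelog_ctx);
-    SCFree(output_ctx);
-}
-
-static OutputInitResult OutputTemplateLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
-{
-    OutputInitResult result = { NULL, false };
-    OutputJsonCtx *ajt = parent_ctx->data;
-
-    LogTemplateFileCtx *templatelog_ctx = SCCalloc(1, sizeof(*templatelog_ctx));
-    if (unlikely(templatelog_ctx == NULL)) {
-        return result;
-    }
-    templatelog_ctx->eve_ctx = ajt;
-
-    OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
-    if (unlikely(output_ctx == NULL)) {
-        SCFree(templatelog_ctx);
-        return result;
-    }
-    output_ctx->data = templatelog_ctx;
-    output_ctx->DeInit = OutputTemplateLogDeInitCtxSub;
-
-    SCLogNotice("Template log sub-module initialized.");
-
-    AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TEMPLATE);
-
-    result.ctx = output_ctx;
-    result.ok = true;
-    return result;
-}
-
-static TmEcode JsonTemplateLogThreadInit(ThreadVars *t, const void *initdata, void **data)
-{
-    LogTemplateLogThread *thread = SCCalloc(1, sizeof(*thread));
-    if (unlikely(thread == NULL)) {
-        return TM_ECODE_FAILED;
-    }
-
-    if (initdata == NULL) {
-        SCLogDebug("Error getting context for EveLogTemplate. \"initdata\" is NULL.");
-        goto error_exit;
-    }
-
-    thread->templatelog_ctx = ((OutputCtx *)initdata)->data;
-    thread->ctx = CreateEveThreadCtx(t, thread->templatelog_ctx->eve_ctx);
-    if (!thread->ctx) {
-        goto error_exit;
-    }
-    *data = (void *)thread;
-
-    return TM_ECODE_OK;
-
-error_exit:
-    SCFree(thread);
-    return TM_ECODE_FAILED;
-}
-
-static TmEcode JsonTemplateLogThreadDeinit(ThreadVars *t, void *data)
-{
-    LogTemplateLogThread *thread = (LogTemplateLogThread *)data;
-    if (thread == NULL) {
-        return TM_ECODE_OK;
-    }
-    FreeEveThreadCtx(thread->ctx);
-    SCFree(thread);
-    return TM_ECODE_OK;
-}
-
-void JsonTemplateLogRegister(void)
-{
-    /* TEMPLATE_START_REMOVE */
-    if (ConfGetNode("app-layer.protocols.template") == NULL) {
-        return;
-    }
-    /* TEMPLATE_END_REMOVE */
-    /* Register as an eve sub-module. */
-    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTemplateLog", "eve-log.template",
-            OutputTemplateLogInitSub, ALPROTO_TEMPLATE, JsonTemplateLogger,
-            JsonTemplateLogThreadInit, JsonTemplateLogThreadDeinit, NULL);
-
-    SCLogNotice("Template JSON logger registered.");
-}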
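--- a/output-json-template.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2018 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author FirstName LastName <name@domain>
- */
-
-#ifndef SURICATA_OUTPUT_JSON_TEMPLATE_RUST_H
-#define SURICATA_OUTPUT_JSON_TEMPLATE_RUST_H
-
-void JsonTemplateLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_TEMPLATE_RUST_H */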
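--- a/output-json-tftp.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/* Copyright (C) 2020-2021 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Clément Galland <clement.galland@epita.fr>
- *
- * Implement JSON/eve logging app-layer TFTP.
- */
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-unittest.h"
-#include "util-buffer.h"
-#include "util-debug.h"
-#include "util-byte.h"
-
-#include "output.h"
-#include "output-json.h"
-
-#include "app-layer.h"
-#include "app-layer-parser.h"
-
-#include "app-layer-tftp.h"
-#include "output-json-tftp.h"
-
-#include "rust.h"
-
-static int JsonTFTPLogger(ThreadVars *tv, void *thread_data,
-        const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
-{
-    OutputJsonThreadCtx *thread = thread_data;
-
-    JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "tftp", NULL, thread->ctx);
-    if (unlikely(jb == NULL)) {
-        return TM_ECODE_FAILED;
-    }
-
-    if (unlikely(!rs_tftp_log_json_request(tx, jb))) {
-        goto error;
-    }
-
-    OutputJsonBuilderBuffer(jb, thread);
-
-    jb_free(jb);
-    return TM_ECODE_OK;
-
-error:
-    jb_free(jb);
-    return TM_ECODE_FAILED;
-}
-
-static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf,
-        OutputCtx *parent_ctx)
-{
-    AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP);
-    return OutputJsonLogInitSub(conf, parent_ctx);
-}
-
-void JsonTFTPLogRegister(void)
-{
-    /* Register as an eve sub-module. */
-    OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTFTPLog", "eve-log.tftp",
-            OutputTFTPLogInitSub, ALPROTO_TFTP, JsonTFTPLogger, JsonLogThreadInit,
-            JsonLogThreadDeinit, NULL);
-
-    SCLogDebug("TFTP JSON logger registered.");
-}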
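--- a/output-json-tftp.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2017 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Clément Galland <clement.galland@epita.fr>
- */
-
-#ifndef SURICATA_OUTPUT_JSON_TFTP_H
-#define SURICATA_OUTPUT_JSON_TFTP_H
-
-void JsonTFTPLogRegister(void);
-
-#endif /* SURICATA_OUTPUT_JSON_TFTP_H */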