From d4327cf7150600bc8737c16eb2838a6abb120c41 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 11 May 2023 10:04:48 +0200 Subject: [PATCH 01/28] output/smtp: remove unused function parameters --- src/output-json-smtp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/output-json-smtp.c b/src/output-json-smtp.c index 99771ec68fb4..cc3003907585 100644 --- a/src/output-json-smtp.c +++ b/src/output-json-smtp.c @@ -51,7 +51,7 @@ #include "output-json-smtp.h" #include "output-json-email-common.h" -static void EveSmtpDataLogger(const Flow *f, void *state, void *vtx, uint64_t tx_id, JsonBuilder *js) +static void EveSmtpDataLogger(void *state, void *vtx, JsonBuilder *js) { SMTPTransaction *tx = vtx; SMTPString *rcptto_str; @@ -81,7 +81,7 @@ static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl return TM_ECODE_OK; jb_open_object(jb, "smtp"); - EveSmtpDataLogger(f, state, tx, tx_id, jb); + EveSmtpDataLogger(state, tx, jb); jb_close(jb); EveEmailLogJson(jhl, jb, p, f, state, tx, tx_id); @@ -99,7 +99,7 @@ bool EveSMTPAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js) if (smtp_state) { SMTPTransaction *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_SMTP, smtp_state, tx_id); if (tx) { - EveSmtpDataLogger(f, smtp_state, tx, tx_id, js); + EveSmtpDataLogger(smtp_state, tx, js); return true; } } From 4cbbf38ef1344fab2b0cbc66e3e3c41a9a3be444 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 11 May 2023 10:30:28 +0200 Subject: [PATCH 02/28] output/dns: remove unused function parameters --- src/output-json-alert.c | 4 ++-- src/output-json-dns.c | 4 ++-- src/output-json-dns.h | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/output-json-alert.c b/src/output-json-alert.c index f7b67fa0c082..d7918e81ffaa 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c 
@@ -229,12 +229,12 @@ static void AlertJsonDns(const Flow *f, const uint64_t tx_id, JsonBuilder *js) dns_state, tx_id); if (txptr) { jb_open_object(js, "dns"); - JsonBuilder *qjs = JsonDNSLogQuery(txptr, tx_id); + JsonBuilder *qjs = JsonDNSLogQuery(txptr); if (qjs != NULL) { jb_set_object(js, "query", qjs); jb_free(qjs); } - JsonBuilder *ajs = JsonDNSLogAnswer(txptr, tx_id); + JsonBuilder *ajs = JsonDNSLogAnswer(txptr); if (ajs != NULL) { jb_set_object(js, "answer", ajs); jb_free(ajs); diff --git a/src/output-json-dns.c b/src/output-json-dns.c index d5729c85961c..0b6589d5c1bf 100644 --- a/src/output-json-dns.c +++ b/src/output-json-dns.c @@ -263,7 +263,7 @@ typedef struct LogDnsLogThread_ { OutputJsonThreadCtx *ctx; } LogDnsLogThread; -JsonBuilder *JsonDNSLogQuery(void *txptr, uint64_t tx_id) +JsonBuilder *JsonDNSLogQuery(void *txptr) { JsonBuilder *queryjb = jb_new_array(); if (queryjb == NULL) { @@ -292,7 +292,7 @@ JsonBuilder *JsonDNSLogQuery(void *txptr, uint64_t tx_id) return queryjb; } -JsonBuilder *JsonDNSLogAnswer(void *txptr, uint64_t tx_id) +JsonBuilder *JsonDNSLogAnswer(void *txptr) { if (!rs_dns_do_log_answer(txptr, LOG_ALL_RRTYPES)) { return NULL; diff --git a/src/output-json-dns.h b/src/output-json-dns.h index 9d0e451328e3..1e19427361b8 100644 --- a/src/output-json-dns.h +++ b/src/output-json-dns.h @@ -26,7 +26,7 @@ void JsonDnsLogRegister(void); -JsonBuilder *JsonDNSLogQuery(void *txptr, uint64_t tx_id) __attribute__((nonnull)); -JsonBuilder *JsonDNSLogAnswer(void *txptr, uint64_t tx_id) __attribute__((nonnull)); +JsonBuilder *JsonDNSLogQuery(void *txptr) __attribute__((nonnull)); +JsonBuilder *JsonDNSLogAnswer(void *txptr) __attribute__((nonnull)); #endif /* __OUTPUT_JSON_DNS_H__ */ From 0f0cd12b09141fb93a08f9412d7513335329c276 Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Thu, 11 May 2023 10:51:59 +0200 Subject: [PATCH 03/28] output/ftp: remove unused function parameters --- src/output-json-ftp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/output-json-ftp.c b/src/output-json-ftp.c index 7177fb6a9dbc..ece9344bf409 100644 --- a/src/output-json-ftp.c +++ b/src/output-json-ftp.c @@ -46,7 +46,7 @@ #include "app-layer-ftp.h" #include "output-json-ftp.h" -static void EveFTPLogCommand(Flow *f, FTPTransaction *tx, JsonBuilder *jb) +static void EveFTPLogCommand(FTPTransaction *tx, JsonBuilder *jb) { /* Preallocate array objects to simplify failure case */ JsonBuilder *js_resplist = NULL; @@ -173,7 +173,7 @@ static int JsonFTPLogger(ThreadVars *tv, void *thread_data, if (f->alproto == ALPROTO_FTPDATA) { EveFTPDataAddMetadata(f, jb); } else { - EveFTPLogCommand(f, tx, jb); + EveFTPLogCommand(tx, jb); } if (!jb_close(jb)) { From 1bdbe97c04650eb46ab0a4868a4fd16839abbe1f Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 11 May 2023 10:02:32 +0200 Subject: [PATCH 04/28] output/alert: rewrite code for app-layer properties Especially fix setup-app-layer script to not forget this part --- rust/src/modbus/log.rs | 2 - rust/src/quic/logger.rs | 2 - rust/src/rdp/log.rs | 2 - rust/src/sip/log.rs | 6 +- scripts/setup-app-layer.py | 4 + src/output-json-alert.c | 180 ++++--------------------------------- src/output-json-dnp3.c | 19 ++++ src/output-json-dnp3.h | 1 + src/output-json-dns.c | 19 +++- src/output-json-dns.h | 3 +- src/output-json-modbus.c | 15 +--- src/output-json-modbus.h | 1 - src/output-json-quic.c | 15 +--- src/output-json-quic.h | 1 - src/output-json-rdp.c | 2 + src/output-json-sip.c | 13 +-- src/output-json-sip.h | 2 - src/output.c | 50 +++++++++++ src/output.h | 8 ++ 19 files changed, 126 insertions(+), 219 deletions(-) diff --git a/rust/src/modbus/log.rs b/rust/src/modbus/log.rs index 6724291de786..565297faf033 100644 --- a/rust/src/modbus/log.rs 
+++ b/rust/src/modbus/log.rs @@ -27,7 +27,6 @@ pub extern "C" fn rs_modbus_to_json(tx: &mut ModbusTransaction, js: &mut JsonBui /// populate a json object with transactional information, for logging fn log(tx: &ModbusTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { - js.open_object("modbus")?; js.set_uint("id", tx.id)?; if let Some(req) = &tx.request { @@ -42,7 +41,6 @@ fn log(tx: &ModbusTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { js.close()?; } - js.close()?; Ok(()) } diff --git a/rust/src/quic/logger.rs b/rust/src/quic/logger.rs index e03ebdd6bf21..ef7ce453a207 100644 --- a/rust/src/quic/logger.rs +++ b/rust/src/quic/logger.rs @@ -89,7 +89,6 @@ fn quic_tls_extension_name(e: u16) -> Option { } fn log_template(tx: &QuicTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { - js.open_object("quic")?; if tx.header.ty != QuicType::Short { js.set_string("version", String::from(tx.header.version).as_str())?; @@ -144,7 +143,6 @@ fn log_template(tx: &QuicTransaction, js: &mut JsonBuilder) -> Result<(), JsonEr js.close()?; } - js.close()?; Ok(()) } diff --git a/rust/src/rdp/log.rs b/rust/src/rdp/log.rs index e0a71a839b8f..0b7c7608972d 100644 --- a/rust/src/rdp/log.rs +++ b/rust/src/rdp/log.rs @@ -30,7 +30,6 @@ pub extern "C" fn rs_rdp_to_json(tx: &mut RdpTransaction, js: &mut JsonBuilder) /// populate a json object with transactional information, for logging fn log(tx: &RdpTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { - js.open_object("rdp")?; js.set_uint("tx_id", tx.id)?; match &tx.item { @@ -58,7 +57,6 @@ fn log(tx: &RdpTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { } } - js.close()?; Ok(()) } diff --git a/rust/src/sip/log.rs b/rust/src/sip/log.rs index 792acfa49021..ef3aefb80fcc 100644 --- a/rust/src/sip/log.rs +++ b/rust/src/sip/log.rs 
@@ -21,8 +21,6 @@ use crate::jsonbuilder::{JsonBuilder, JsonError}; use crate::sip::sip::SIPTransaction; fn log(tx: &SIPTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { - js.open_object("sip")?; - if let Some(req) = &tx.request { js.set_string("method", &req.method)? .set_string("uri", &req.path)? @@ -43,12 +41,10 @@ fn log(tx: &SIPTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { js.set_string("response_line", resp_line)?; } - js.close()?; - Ok(()) } #[no_mangle] pub extern "C" fn rs_sip_log_json(tx: &mut SIPTransaction, js: &mut JsonBuilder) -> bool { log(tx, js).is_ok() -} \ No newline at end of file +} diff --git a/scripts/setup-app-layer.py b/scripts/setup-app-layer.py index 72f28c986c66..d8426634bca8 100755 --- a/scripts/setup-app-layer.py +++ b/scripts/setup-app-layer.py @@ -200,6 +200,10 @@ def logger_patch_output_c(proto): output = io.StringIO() inlines = open(filename).readlines() for i, line in enumerate(inlines): + if line.find("ALPROTO_TEMPLATE") > -1: + new_line = line.replace("TEMPLATE", proto.upper()).replace( + "template", proto.lower()) + output.write(new_line) if line.find("output-json-template.h") > -1: output.write(line.replace("template", proto.lower())) if line.find("/* Template JSON logger.") > -1: diff --git a/src/output-json-alert.c b/src/output-json-alert.c index d7918e81ffaa..19bf925126dc 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c 
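Review bot: The new `ALPROTO_TEMPLATE` branch writes the generated row before the line it copies, so the new protocol lands immediately above the template row in `alert_applayer_loggers`; that table is indexed positionally by `AppProto` (checked only by a `BUG_ON` in `GetAppProtoLogger`), so this is only correct if the script inserts the new `ALPROTO_` enumerator at the same relative position, which this hunk does not show. A short comment on the branch, e.g. `# keep in the same order as the ALPROTO_ enum: the logger table is indexed by it`, would make the coupling visible to whoever next edits either side. The enclosing loop in `logger_patch_output_c` continues past the hunk.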
@@ -150,101 +150,6 @@ static void AlertJsonTls(const Flow *f, JsonBuilder *js) return; } -static void AlertJsonSsh(const Flow *f, JsonBuilder *js) -{ - void *ssh_state = FlowGetAppState(f); - if (ssh_state) { - JsonBuilderMark mark = { 0, 0, 0 }; - void *tx_ptr = rs_ssh_state_get_tx(ssh_state, 0); - jb_get_mark(js, &mark); - jb_open_object(js, "ssh"); - if (rs_ssh_log_json(tx_ptr, js)) { - jb_close(js); - } else { - jb_restore_mark(js, &mark); - } - } - - return; -} - -static void AlertJsonHttp2(const Flow *f, const uint64_t tx_id, JsonBuilder *js) -{ - void *h2_state = FlowGetAppState(f); - if (h2_state) { - void *tx_ptr = rs_http2_state_get_tx(h2_state, tx_id); - if (tx_ptr) { - JsonBuilderMark mark = { 0, 0, 0 }; - jb_get_mark(js, &mark); - jb_open_object(js, "http"); - if (rs_http2_log_json(tx_ptr, js)) { - jb_close(js); - } else { - jb_restore_mark(js, &mark); - } - } - } - - return; -} - -static void AlertJsonDnp3(const Flow *f, const uint64_t tx_id, JsonBuilder *js) -{ - DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f); - if (dnp3_state) { - DNP3Transaction *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_DNP3, - dnp3_state, tx_id); - if (tx) { - JsonBuilderMark mark = { 0, 0, 0 }; - jb_get_mark(js, &mark); - bool logged = false; - jb_open_object(js, "dnp3"); - if (tx->is_request && tx->done) { - jb_open_object(js, "request"); - JsonDNP3LogRequest(js, tx); - jb_close(js); - logged = true; - } - if (!tx->is_request && tx->done) { - jb_open_object(js, "response"); - JsonDNP3LogResponse(js, tx); - jb_close(js); - logged = true; - } - if (logged) { - /* Close dnp3 object. 
*/ - jb_close(js); - } else { - jb_restore_mark(js, &mark); - } - } - } -} - -static void AlertJsonDns(const Flow *f, const uint64_t tx_id, JsonBuilder *js) -{ - void *dns_state = (void *)FlowGetAppState(f); - if (dns_state) { - void *txptr = AppLayerParserGetTx(f->proto, ALPROTO_DNS, - dns_state, tx_id); - if (txptr) { - jb_open_object(js, "dns"); - JsonBuilder *qjs = JsonDNSLogQuery(txptr); - if (qjs != NULL) { - jb_set_object(js, "query", qjs); - jb_free(qjs); - } - JsonBuilder *ajs = JsonDNSLogAnswer(txptr); - if (ajs != NULL) { - jb_set_object(js, "answer", ajs); - jb_free(ajs); - } - jb_close(js); - } - } - return; -} - static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js) { void *snmp_state = (void *)FlowGetAppState(f); @@ -259,41 +164,6 @@ static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js) } } -static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js) -{ - void *rdp_state = (void *)FlowGetAppState(f); - if (rdp_state != NULL) { - void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state, - tx_id); - if (tx != NULL) { - JsonBuilderMark mark = { 0, 0, 0 }; - jb_get_mark(js, &mark); - if (!rs_rdp_to_json(tx, js)) { - jb_restore_mark(js, &mark); - } - } - } -} - -static void AlertJsonBitTorrentDHT(const Flow *f, const uint64_t tx_id, JsonBuilder *js) -{ - void *bittorrent_dht_state = (void *)FlowGetAppState(f); - if (bittorrent_dht_state != NULL) { - void *tx = - AppLayerParserGetTx(f->proto, ALPROTO_BITTORRENT_DHT, bittorrent_dht_state, tx_id); - if (tx != NULL) { - JsonBuilderMark mark = { 0, 0, 0 }; - jb_get_mark(js, &mark); - jb_open_object(js, "bittorrent_dht"); - if (rs_bittorrent_dht_logger_log(tx, js)) { - jb_close(js); - } else { - jb_restore_mark(js, &mark); - } - } - } -} - static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa, JsonBuilder *js, JsonAddrInfo *addr) { 
@@ -470,7 +340,24 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, const uint64_t tx_id, const uint16_t option_flags) { const AppProto proto = FlowGetAppProtocol(p->flow); + AppLayerLogger *al = GetAppProtoLogger(proto); JsonBuilderMark mark = { 0, 0, 0 }; + if (al && al->name) { + void *state = FlowGetAppState(p->flow); + if (state) { + void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id); + if (tx) { + jb_get_mark(jb, &mark); + jb_open_object(jb, al->name); + if (al->log(tx, jb)) { + jb_close(jb); + } else { + jb_restore_mark(jb, &mark); + } + } + } + return; + } switch (proto) { case ALPROTO_HTTP1: // TODO: Could result in an empty http object being logged. @@ -488,9 +375,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, case ALPROTO_TLS: AlertJsonTls(p->flow, jb); break; - case ALPROTO_SSH: - AlertJsonSsh(p->flow, jb); - break; case ALPROTO_SMTP: jb_get_mark(jb, &mark); jb_open_object(jb, "smtp"); @@ -534,9 +418,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, jb_restore_mark(jb, &mark); } break; - case ALPROTO_SIP: - JsonSIPAddMetadata(jb, p->flow, tx_id); - break; case ALPROTO_RFB: jb_get_mark(jb, &mark); if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) { @@ -549,15 +430,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, EveFTPDataAddMetadata(p->flow, jb); jb_close(jb); break; - case ALPROTO_DNP3: - AlertJsonDnp3(p->flow, tx_id, jb); - break; - case ALPROTO_HTTP2: - AlertJsonHttp2(p->flow, tx_id, jb); - break; - case ALPROTO_DNS: - AlertJsonDns(p->flow, tx_id, jb); - break; case ALPROTO_IKE: jb_get_mark(jb, &mark); if (!EveIKEAddMetadata(p->flow, tx_id, jb)) { 
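Review bot: The table path guards on `al->name` but then calls `al->log(tx, jb)` unconditionally, so a row carrying a name with a NULL callback would dereference NULL; `if (al && al->name && al->log) {` costs nothing and states the pairwise contract the table relies on. The SSH behaviour also shifts slightly: the removed `AlertJsonSsh` always fetched transaction 0 via `rs_ssh_state_get_tx(ssh_state, 0)`, whereas the generic path now asks `AppLayerParserGetTx` for `tx_id`, which is equivalent only if the SSH state hands back its single transaction for whatever id the alert carries — worth confirming. `AlertAddAppLayer` continues past the hunk with the remaining legacy `switch` cases.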
@@ -570,27 +442,9 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, jb_restore_mark(jb, &mark); } break; - case ALPROTO_QUIC: - jb_get_mark(jb, &mark); - if (!JsonQuicAddMetadata(p->flow, tx_id, jb)) { - jb_restore_mark(jb, &mark); - } - break; case ALPROTO_SNMP: AlertJsonSNMP(p->flow, tx_id, jb); break; - case ALPROTO_RDP: - AlertJsonRDP(p->flow, tx_id, jb); - break; - case ALPROTO_MODBUS: - jb_get_mark(jb, &mark); - if (!JsonModbusAddMetadata(p->flow, tx_id, jb)) { - jb_restore_mark(jb, &mark); - } - break; - case ALPROTO_BITTORRENT_DHT: - AlertJsonBitTorrentDHT(p->flow, tx_id, jb); - break; default: break; } diff --git a/src/output-json-dnp3.c b/src/output-json-dnp3.c index 97b1e92e00ce..fcfd07d2d83f 100644 --- a/src/output-json-dnp3.c +++ b/src/output-json-dnp3.c @@ -210,6 +210,25 @@ void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx) jb_close(js); } +bool AlertJsonDnp3(void *vtx, JsonBuilder *js) +{ + DNP3Transaction *tx = (DNP3Transaction *)vtx; + bool logged = false; + if (tx->is_request && tx->done) { + jb_open_object(js, "request"); + JsonDNP3LogRequest(js, tx); + jb_close(js); + logged = true; + } + if (!tx->is_request && tx->done) { + jb_open_object(js, "response"); + JsonDNP3LogResponse(js, tx); + jb_close(js); + logged = true; + } + return logged; +} + static int JsonDNP3LoggerToServer(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id) { diff --git a/src/output-json-dnp3.h b/src/output-json-dnp3.h index 85d02ff1011c..6f81026780d9 100644 --- a/src/output-json-dnp3.h +++ b/src/output-json-dnp3.h @@ -24,5 +24,6 @@ void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *); void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *); void JsonDNP3LogRegister(void); +bool AlertJsonDnp3(void *vtx, JsonBuilder *js); #endif /* __OUTPUT_JSON_DNP3_H__ */ diff --git a/src/output-json-dns.c b/src/output-json-dns.c index 0b6589d5c1bf..dded8e359195 100644 --- a/src/output-json-dns.c 
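Review bot: In `AlertJsonDnp3` the two `if` blocks test `tx->done` twice with complementary `is_request` conditions and track the outcome in `logged`; an early `if (!tx->done) return false;` followed by `if (tx->is_request) { … } else { … }` and `return true;` expresses the same decision without the flag. The header now declares a `bool` return for the first time in `output-json-dnp3.h`, so it is worth checking that `stdbool.h` (or the common header that provides it) is visible to every includer rather than relying on include order.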
+++ b/src/output-json-dns.c @@ -263,7 +263,7 @@ typedef struct LogDnsLogThread_ { OutputJsonThreadCtx *ctx; } LogDnsLogThread; -JsonBuilder *JsonDNSLogQuery(void *txptr) +static JsonBuilder *JsonDNSLogQuery(void *txptr) { JsonBuilder *queryjb = jb_new_array(); if (queryjb == NULL) { @@ -292,7 +292,7 @@ JsonBuilder *JsonDNSLogQuery(void *txptr) return queryjb; } -JsonBuilder *JsonDNSLogAnswer(void *txptr) +static JsonBuilder *JsonDNSLogAnswer(void *txptr) { if (!rs_dns_do_log_answer(txptr, LOG_ALL_RRTYPES)) { return NULL; @@ -304,6 +304,21 @@ JsonBuilder *JsonDNSLogAnswer(void *txptr) } } +bool AlertJsonDns(void *txptr, JsonBuilder *js) +{ + JsonBuilder *qjs = JsonDNSLogQuery(txptr); + if (qjs != NULL) { + jb_set_object(js, "query", qjs); + jb_free(qjs); + } + JsonBuilder *ajs = JsonDNSLogAnswer(txptr); + if (ajs != NULL) { + jb_set_object(js, "answer", ajs); + jb_free(ajs); + } + return true; +} + static int JsonDnsLoggerToServer(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id) { diff --git a/src/output-json-dns.h b/src/output-json-dns.h index 1e19427361b8..f46cad011089 100644 --- a/src/output-json-dns.h +++ b/src/output-json-dns.h @@ -26,7 +26,6 @@ void JsonDnsLogRegister(void); -JsonBuilder *JsonDNSLogQuery(void *txptr) __attribute__((nonnull)); -JsonBuilder *JsonDNSLogAnswer(void *txptr) __attribute__((nonnull)); +bool AlertJsonDns(void *vtx, JsonBuilder *js); #endif /* __OUTPUT_JSON_DNS_H__ */ diff --git a/src/output-json-modbus.c b/src/output-json-modbus.c index ace8c061f92d..d332cbb282a3 100644 --- a/src/output-json-modbus.c +++ b/src/output-json-modbus.c @@ -53,10 +53,12 @@ static int JsonModbusLogger(ThreadVars *tv, void *thread_data, const Packet *p, if (unlikely(js == NULL)) { return TM_ECODE_OK; } + jb_open_object(js, "modbus"); if (!rs_modbus_to_json(tx, js)) { jb_free(js); return TM_ECODE_FAILED; } + jb_close(js); OutputJsonBuilderBuffer(js, thread->ctx); jb_free(js); 
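Review bot: `AlertJsonDns` returns `true` unconditionally while discarding the results of both `jb_set_object` calls, so the caller's `jb_restore_mark` fallback can never fire for DNS even when the builder rejects the sub-object. Tracking the outcome — `bool ok = true;` before the first block and `if (!jb_set_object(js, "query", qjs)) ok = false;` (same for `"answer"`), then `return ok;` — would let a partially written `dns` object roll back the way the other protocols do. Making the two helpers `static` is fine now that the header no longer exports them.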
@@ -136,19 +138,6 @@ static TmEcode JsonModbusLogThreadDeinit(ThreadVars *t, void *data) return TM_ECODE_OK; } -bool JsonModbusAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js) -{ - void *state = FlowGetAppState(f); - if (state) { - void *tx = AppLayerParserGetTx(f->proto, ALPROTO_MODBUS, state, tx_id); - if (tx) { - return rs_modbus_to_json(tx, js); - } - } - - return false; -} - void JsonModbusLogRegister(void) { /* Register as an eve sub-module. */ diff --git a/src/output-json-modbus.h b/src/output-json-modbus.h index 9bde2dae57a3..2b07e4eb2d5c 100644 --- a/src/output-json-modbus.h +++ b/src/output-json-modbus.h @@ -19,6 +19,5 @@ #define __OUTPUT_JSON_MODBUS_H__ void JsonModbusLogRegister(void); -bool JsonModbusAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js); #endif /* __OUTPUT_JSON_MODBUS_H__ */ diff --git a/src/output-json-quic.c b/src/output-json-quic.c index fdf2d0f09340..bb3d516bb406 100644 --- a/src/output-json-quic.c +++ b/src/output-json-quic.c @@ -59,10 +59,12 @@ static int JsonQuicLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl if (unlikely(js == NULL)) { return TM_ECODE_OK; } + jb_open_object(js, "quic"); if (!rs_quic_to_json(tx, js)) { jb_free(js); return TM_ECODE_FAILED; } + jb_close(js); OutputJsonBuilderBuffer(js, thread->ctx); jb_free(js); @@ -140,19 +142,6 @@ static TmEcode JsonQuicLogThreadDeinit(ThreadVars *t, void *data) return TM_ECODE_OK; } -bool JsonQuicAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js) -{ - void *state = FlowGetAppState(f); - if (state) { - void *tx = AppLayerParserGetTx(f->proto, ALPROTO_QUIC, state, tx_id); - if (tx) { - return rs_quic_to_json(tx, js); - } - } - - return false; -} - void JsonQuicLogRegister(void) { /* Register as an eve sub-module. */ diff --git a/src/output-json-quic.h b/src/output-json-quic.h index 2448d5063a34..48e38185f2bd 100644 --- a/src/output-json-quic.h +++ b/src/output-json-quic.h 
@@ -22,7 +22,6 @@ #ifndef __OUTPUT_JSON_QUIC_H__ #define __OUTPUT_JSON_QUIC_H__ -bool JsonQuicAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js); void JsonQuicLogRegister(void); #endif /* __OUTPUT_JSON_QUIC_H__ */ diff --git a/src/output-json-rdp.c b/src/output-json-rdp.c index bc5d9ae9df89..e14c8391e561 100644 --- a/src/output-json-rdp.c +++ b/src/output-json-rdp.c @@ -51,10 +51,12 @@ static int JsonRdpLogger(ThreadVars *tv, void *thread_data, if (unlikely(js == NULL)) { return TM_ECODE_OK; } + jb_open_object(js, "rdp"); if (!rs_rdp_to_json(tx, js)) { jb_free(js); return TM_ECODE_FAILED; } + jb_close(js); OutputJsonBuilderBuffer(js, thread); jb_free(js); diff --git a/src/output-json-sip.c b/src/output-json-sip.c index 8297be1cc3eb..e3cee00b860f 100644 --- a/src/output-json-sip.c +++ b/src/output-json-sip.c @@ -48,17 +48,6 @@ #include "rust.h" -void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id) -{ - SIPState *state = FlowGetAppState(f); - if (state) { - SIPTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_SIP, state, tx_id); - if (tx) { - rs_sip_log_json(tx, js); - } - } -} - static int JsonSIPLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) { @@ -70,9 +59,11 @@ static int JsonSIPLogger(ThreadVars *tv, void *thread_data, return TM_ECODE_OK; } + jb_open_object(js, "sip"); if (!rs_sip_log_json(siptx, js)) { goto error; } + jb_close(js); OutputJsonBuilderBuffer(js, thread); jb_free(js); diff --git a/src/output-json-sip.h b/src/output-json-sip.h index 60145dab5b98..0d2c53fa50df 100644 --- a/src/output-json-sip.h +++ b/src/output-json-sip.h @@ -26,6 +26,4 @@ void JsonSIPLogRegister(void); -void JsonSIPAddMetadata(JsonBuilder *js, const Flow *f, uint64_t tx_id); - #endif /* __OUTPUT_JSON_SIP_H__ */ diff --git a/src/output.c b/src/output.c index c13ab4862eda..aa639473053e 100644 --- a/src/output.c +++ b/src/output.c 
@@ -1126,3 +1126,53 @@ void OutputRegisterLoggers(void) /* BitTorrent DHT JSON logger */ JsonBitTorrentDHTLogRegister(); } + +static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { + { ALPROTO_UNKNOWN, NULL, NULL }, + { ALPROTO_HTTP1, NULL, NULL }, // TODO empty http object and option_flags + { ALPROTO_FTP, NULL, NULL }, + { ALPROTO_SMTP, NULL, NULL }, // TODO state, + log email + { ALPROTO_TLS, NULL, NULL }, // TODO log state + { ALPROTO_SSH, "ssh", rs_ssh_log_json }, + { ALPROTO_IMAP, NULL, NULL }, // protocol detection only + { ALPROTO_JABBER, NULL, NULL }, // no parser, no logging + { ALPROTO_SMB, NULL, NULL }, // TODO state + { ALPROTO_DCERPC, NULL, NULL }, // TODO + { ALPROTO_IRC, NULL, NULL }, // no parser, no logging + { ALPROTO_DNS, "dns", AlertJsonDns }, + { ALPROTO_MODBUS, "modbus", (bool (*)(void *tx, struct JsonBuilder *jb))rs_modbus_to_json }, + { ALPROTO_ENIP, NULL, NULL }, // no logging + { ALPROTO_DNP3, "dnp3", AlertJsonDnp3 }, + { ALPROTO_NFS, NULL, NULL }, // TODO log rpc field + { ALPROTO_NTP, NULL, NULL }, // no logging + { ALPROTO_FTPDATA, NULL, NULL }, // TODO state + { ALPROTO_TFTP, NULL, NULL }, + { ALPROTO_IKE, NULL, NULL }, // TODO state + option + { ALPROTO_KRB5, NULL, NULL }, // TODO state + { ALPROTO_QUIC, "quic", rs_quic_to_json }, + { ALPROTO_DHCP, NULL, NULL }, // TODO logger with option + { ALPROTO_SNMP, NULL, NULL }, // TODO state + { ALPROTO_SIP, "sip", (bool (*)(void *tx, struct JsonBuilder *jb))rs_sip_log_json }, + { ALPROTO_RFB, NULL, NULL }, // TODO state + { ALPROTO_MQTT, NULL, NULL }, // TODO state + option + { ALPROTO_PGSQL, NULL, NULL }, // TODO flags + { ALPROTO_TELNET, NULL, NULL }, // no logging + { ALPROTO_TEMPLATE, "template", rs_template_logger_log }, + { ALPROTO_RDP, "rdp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_rdp_to_json }, + { ALPROTO_HTTP2, "http", rs_http2_log_json }, + { ALPROTO_BITTORRENT_DHT, "bittorrent_dht", rs_bittorrent_dht_logger_log }, + { ALPROTO_HTTP, NULL, NULL }, // signature 
protocol, not for app-layer logging + { ALPROTO_FAILED, NULL, NULL }, +#ifdef UNITTESTS + { ALPROTO_TEST, NULL, NULL }, +#endif /* UNITESTS */ +}; + +AppLayerLogger *GetAppProtoLogger(AppProto alproto) +{ + if (alproto < ALPROTO_MAX) { + BUG_ON(alert_applayer_loggers[alproto].proto != alproto); + return &alert_applayer_loggers[alproto]; + } + return NULL; +} diff --git a/src/output.h b/src/output.h index 5c2d7bc90e62..11e791c7d0bd 100644 --- a/src/output.h +++ b/src/output.h @@ -208,4 +208,12 @@ void OutputLoggerExitPrintStats(ThreadVars *, void *); void OutputSetupActiveLoggers(void); void OutputClearActiveLoggers(void); +typedef struct AppLayerLogger { + AppProto proto; + const char *name; + bool (*log)(void *tx, struct JsonBuilder *jb); +} AppLayerLogger; + +AppLayerLogger *GetAppProtoLogger(AppProto alproto); + #endif /* ! __OUTPUT_H__ */ From bd3e47a5909975ba39fe7c299efb079edfb85e71 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 11 May 2023 10:57:09 +0200 Subject: [PATCH 05/28] output/ftp: have ftp properties in alerts --- src/output-json-ftp.c | 9 +++++---- src/output-json-ftp.h | 1 + src/output.c | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/output-json-ftp.c b/src/output-json-ftp.c index ece9344bf409..ccefa6bc05ce 100644 --- a/src/output-json-ftp.c +++ b/src/output-json-ftp.c @@ -46,15 +46,16 @@ #include "app-layer-ftp.h" #include "output-json-ftp.h" -static void EveFTPLogCommand(FTPTransaction *tx, JsonBuilder *jb) +bool EveFTPLogCommand(void *vtx, JsonBuilder *jb) { + FTPTransaction *tx = vtx; /* Preallocate array objects to simplify failure case */ JsonBuilder *js_resplist = NULL; if (!TAILQ_EMPTY(&tx->response_list)) { js_resplist = jb_new_array(); if (unlikely(js_resplist == NULL)) { - return; + return false; } } jb_set_string(jb, "command", tx->command_descriptor->command_name); 
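Review bot: Several rows store Rust entry points behind a cast to `bool (*)(void *, struct JsonBuilder *)` (`rs_modbus_to_json`, `rs_sip_log_json`, `rs_rdp_to_json` here, `rs_tftp_log_json_request` in patch 06) and `AlertAddAppLayer` then invokes them through that pointer; calling a function through a pointer of incompatible type is undefined behaviour in C11 (6.3.2.3p8) even where the ABI happens to line up. The series already shows the cleaner route for DNS, DNP3, MQTT and RFB — a `void *`-taking shim like `AlertJsonDns`, or an FFI signature taking `*mut c_void` — and the same should apply to these rows. The positional table is also only validated lazily, by the `BUG_ON` in `GetAppProtoLogger` on the first lookup of a given protocol; a one-time loop over all `ALPROTO_MAX` rows at registration time would surface a misordered entry at startup instead of on the first matching alert. The closing `/* UNITESTS */` comment is misspelled.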
@@ -149,6 +150,7 @@ static void EveFTPLogCommand(FTPTransaction *tx, JsonBuilder *jb) } else { JB_SET_FALSE(jb, "reply_truncated"); } + return true; } @@ -164,7 +166,6 @@ static int JsonFTPLogger(ThreadVars *tv, void *thread_data, } else { event_type = "ftp"; } - FTPTransaction *tx = vtx; JsonBuilder *jb = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, event_type, NULL, tx_id, thread->ctx); @@ -173,7 +174,7 @@ static int JsonFTPLogger(ThreadVars *tv, void *thread_data, if (f->alproto == ALPROTO_FTPDATA) { EveFTPDataAddMetadata(f, jb); } else { - EveFTPLogCommand(tx, jb); + EveFTPLogCommand(vtx, jb); } if (!jb_close(jb)) { diff --git a/src/output-json-ftp.h b/src/output-json-ftp.h index acba5539e1c6..704defd9585c 100644 --- a/src/output-json-ftp.h +++ b/src/output-json-ftp.h @@ -25,5 +25,6 @@ #define __OUTPUT_JSON_FTP_H__ void JsonFTPLogRegister(void); +bool EveFTPLogCommand(void *vtx, JsonBuilder *js); #endif /* __OUTPUT_JSON_FTP_H__ */ diff --git a/src/output.c b/src/output.c index aa639473053e..cf47ff1a445e 100644 --- a/src/output.c +++ b/src/output.c @@ -1130,7 +1130,7 @@ void OutputRegisterLoggers(void) static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_UNKNOWN, NULL, NULL }, { ALPROTO_HTTP1, NULL, NULL }, // TODO empty http object and option_flags - { ALPROTO_FTP, NULL, NULL }, + { ALPROTO_FTP, "ftp", EveFTPLogCommand }, { ALPROTO_SMTP, NULL, NULL }, // TODO state, + log email { ALPROTO_TLS, NULL, NULL }, // TODO log state { ALPROTO_SSH, "ssh", rs_ssh_log_json }, From 1fca44d3b86e83f43c9409bdb79664be5520a76c Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 11 May 2023 11:02:29 +0200 Subject: [PATCH 06/28] output/tftp: have tftp properties in alerts --- src/output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/output.c b/src/output.c index cf47ff1a445e..a565e05dd4e0 100644 --- a/src/output.c +++ b/src/output.c 
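Review bot: `EveFTPLogCommand` now reports failure, but `JsonFTPLogger` still discards the result (`EveFTPLogCommand(vtx, jb);`) and proceeds to close and emit the record, so an allocation failure inside it produces a partially populated `ftp` event. Handling `false` the same way the function treats its other failures — `if (!EveFTPLogCommand(vtx, jb)) { jb_free(jb); return TM_ECODE_FAILED; }`, or whatever the existing `if (!jb_close(jb))` branch does — would keep the eve path consistent with the alert path, which already rolls back via `jb_restore_mark`. The prototype in `output-json-ftp.h` names the second parameter `js` while the definition uses `jb`; aligning them is cosmetic but avoids confusion. The body of `EveFTPLogCommand` extends well beyond the hunk.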
@@ -1146,7 +1146,7 @@ static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_NFS, NULL, NULL }, // TODO log rpc field { ALPROTO_NTP, NULL, NULL }, // no logging { ALPROTO_FTPDATA, NULL, NULL }, // TODO state - { ALPROTO_TFTP, NULL, NULL }, + { ALPROTO_TFTP, "tftp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_tftp_log_json_request }, { ALPROTO_IKE, NULL, NULL }, // TODO state + option { ALPROTO_KRB5, NULL, NULL }, // TODO state { ALPROTO_QUIC, "quic", rs_quic_to_json }, From 75e096970a68dd0124e8ae4cdb69420a057583f6 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 12 May 2023 12:08:23 +0200 Subject: [PATCH 07/28] output/mqtt: reuse standard code --- rust/src/mqtt/logger.rs | 6 ++---- src/output-json-alert.c | 6 ------ src/output-json-mqtt.c | 16 +++++----------- src/output-json-mqtt.h | 2 +- src/output.c | 4 ++-- 5 files changed, 10 insertions(+), 24 deletions(-) diff --git a/rust/src/mqtt/logger.rs b/rust/src/mqtt/logger.rs index 09b14fe25d6f..14c24fc9bbcc 100644 --- a/rust/src/mqtt/logger.rs +++ b/rust/src/mqtt/logger.rs @@ -17,7 +17,7 @@ // written by Sascha Steinbiss -use super::mqtt::{MQTTState, MQTTTransaction}; +use super::mqtt::MQTTTransaction; use crate::jsonbuilder::{JsonBuilder, JsonError}; use crate::mqtt::mqtt_message::{MQTTOperation, MQTTSubscribeTopicData}; use crate::mqtt::parser::FixedHeader; @@ -43,7 +43,6 @@ fn log_mqtt_header(js: &mut JsonBuilder, hdr: &FixedHeader) -> Result<(), JsonEr } fn log_mqtt(tx: &MQTTTransaction, flags: u32, js: &mut JsonBuilder) -> Result<(), JsonError> { - js.open_object("mqtt")?; for msg in tx.msg.iter() { match msg.op { MQTTOperation::CONNECT(ref conn) => { 
@@ -291,14 +290,13 @@ fn log_mqtt(tx: &MQTTTransaction, flags: u32, js: &mut JsonBuilder) -> Result<() MQTTOperation::UNASSIGNED => {} } } - js.close()?; // mqtt return Ok(()); } #[no_mangle] pub unsafe extern "C" fn rs_mqtt_logger_log( - _state: &mut MQTTState, tx: *mut std::os::raw::c_void, flags: u32, js: &mut JsonBuilder, + tx: *mut std::os::raw::c_void, flags: u32, js: &mut JsonBuilder, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); log_mqtt(tx, flags, js).is_ok() diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 19bf925126dc..7d11a15fb744 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -436,12 +436,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, jb_restore_mark(jb, &mark); } break; - case ALPROTO_MQTT: - jb_get_mark(jb, &mark); - if (!JsonMQTTAddMetadata(p->flow, tx_id, jb)) { - jb_restore_mark(jb, &mark); - } - break; case ALPROTO_SNMP: AlertJsonSNMP(p->flow, tx_id, jb); break; diff --git a/src/output-json-mqtt.c b/src/output-json-mqtt.c index 7b3ca62131ac..f491a525c6fe 100644 --- a/src/output-json-mqtt.c +++ b/src/output-json-mqtt.c @@ -59,17 +59,9 @@ typedef struct LogMQTTLogThread_ { OutputJsonThreadCtx *ctx; } LogMQTTLogThread; -bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js) +bool JsonMQTTAddMetadata(void *vtx, JsonBuilder *js) { - MQTTState *state = FlowGetAppState(f); - if (state) { - MQTTTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_MQTT, state, tx_id); - if (tx) { - return rs_mqtt_logger_log(state, tx, MQTT_DEFAULTS, js); - } - } - - return false; + return rs_mqtt_logger_log(vtx, MQTT_DEFAULTS, js); } static int JsonMQTTLogger(ThreadVars *tv, void *thread_data, 
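Review bot: `JsonMQTTAddMetadata` pins the alert path to `MQTT_DEFAULTS` while `JsonMQTTLogger` passes `thread->mqttlog_ctx->flags`, and nothing in the file explains the asymmetry; a one-line comment such as `/* alerts always log the default MQTT field set; the eve mqtt logger applies its own configured flags */` would save the next reader a trip through output.c. With the `_state` argument gone, `rs_mqtt_logger_log` is an `unsafe extern "C"` function that now takes the transaction straight from the logger table as `void *`, so the wrapper adds nothing but the flag constant — acceptable, but worth saying so in that comment.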
@@ -89,8 +81,10 @@ static int JsonMQTTLogger(ThreadVars *tv, void *thread_data, return TM_ECODE_FAILED; } - if (!rs_mqtt_logger_log(state, tx, thread->mqttlog_ctx->flags, js)) + jb_open_object(js, "mqtt"); + if (!rs_mqtt_logger_log(tx, thread->mqttlog_ctx->flags, js)) goto error; + jb_close(js); OutputJsonBuilderBuffer(js, thread->ctx); jb_free(js); diff --git a/src/output-json-mqtt.h b/src/output-json-mqtt.h index 1acb4e107faf..42d66f48680d 100644 --- a/src/output-json-mqtt.h +++ b/src/output-json-mqtt.h @@ -25,6 +25,6 @@ #define __OUTPUT_JSON_MQTT_H__ void JsonMQTTLogRegister(void); -bool JsonMQTTAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js); +bool JsonMQTTAddMetadata(void *vtx, JsonBuilder *js); #endif /* __OUTPUT_JSON_MQTT_H__ */ diff --git a/src/output.c b/src/output.c index a565e05dd4e0..3ae67a5f9e3b 100644 --- a/src/output.c +++ b/src/output.c @@ -1153,8 +1153,8 @@ static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_DHCP, NULL, NULL }, // TODO logger with option { ALPROTO_SNMP, NULL, NULL }, // TODO state { ALPROTO_SIP, "sip", (bool (*)(void *tx, struct JsonBuilder *jb))rs_sip_log_json }, - { ALPROTO_RFB, NULL, NULL }, // TODO state - { ALPROTO_MQTT, NULL, NULL }, // TODO state + option + { ALPROTO_RFB, NULL, NULL }, // TODO state + { ALPROTO_MQTT, "mqtt", JsonMQTTAddMetadata }, { ALPROTO_PGSQL, NULL, NULL }, // TODO flags { ALPROTO_TELNET, NULL, NULL }, // no logging { ALPROTO_TEMPLATE, "template", rs_template_logger_log }, From 19aad9f86d11118f1a12826ca2ec72582d2c0b53 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 12 May 2023 12:14:26 +0200 Subject: [PATCH 08/28] output/rfb: reuse standard code --- rust/src/rfb/logger.rs | 9 ++------- src/output-json-alert.c | 6 ------ src/output-json-rfb.c | 17 +++-------------- src/output-json-rfb.h | 2 -- src/output.c | 2 +- 5 files changed, 6 insertions(+), 30 deletions(-) diff --git a/rust/src/rfb/logger.rs b/rust/src/rfb/logger.rs index e670e869cec3..798df37cf073 100644 
--- a/rust/src/rfb/logger.rs +++ b/rust/src/rfb/logger.rs @@ -19,12 +19,10 @@ use std; use std::fmt::Write; -use super::rfb::{RFBState, RFBTransaction}; +use super::rfb::RFBTransaction; use crate::jsonbuilder::{JsonBuilder, JsonError}; fn log_rfb(tx: &RFBTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { - js.open_object("rfb")?; - // Protocol version if let Some(tx_spv) = &tx.tc_server_protocol_version { js.open_object("server_protocol_version")?; @@ -107,14 +105,11 @@ fn log_rfb(tx: &RFBTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { js.close()?; } - js.close()?; - return Ok(()); } #[no_mangle] -pub unsafe extern "C" fn rs_rfb_logger_log(_state: &mut RFBState, - tx: *mut std::os::raw::c_void, +pub unsafe extern "C" fn rs_rfb_logger_log(tx: *mut std::os::raw::c_void, js: &mut JsonBuilder) -> bool { let tx = cast_pointer!(tx, RFBTransaction); log_rfb(tx, js).is_ok() diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 7d11a15fb744..7074ad738406 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -418,12 +418,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, jb_restore_mark(jb, &mark); } break; - case ALPROTO_RFB: - jb_get_mark(jb, &mark); - if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) { - jb_restore_mark(jb, &mark); - } - break; case ALPROTO_FTPDATA: jb_get_mark(jb, &mark); jb_open_object(jb, "ftp_data"); diff --git a/src/output-json-rfb.c b/src/output-json-rfb.c index 285c22ab4482..af375e2dd8f0 100644 --- a/src/output-json-rfb.c +++ b/src/output-json-rfb.c 
@@ -46,19 +46,6 @@ #include "rust-bindings.h" -bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js) -{ - RFBState *state = FlowGetAppState(f); - if (state) { - RFBTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_RFB, state, tx_id); - if (tx) { - return rs_rfb_logger_log(state, tx, js); - } - } - - return false; -} - static int JsonRFBLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) { @@ -69,9 +56,11 @@ static int JsonRFBLogger(ThreadVars *tv, void *thread_data, return TM_ECODE_FAILED; } - if (!rs_rfb_logger_log(NULL, tx, js)) { + jb_open_object(js, "rfb"); + if (!rs_rfb_logger_log(tx, js)) { goto error; } + jb_close(js); OutputJsonBuilderBuffer(js, thread); jb_free(js); diff --git a/src/output-json-rfb.h b/src/output-json-rfb.h index 1264ee3f6b4b..7e4e48ebd4c8 100644 --- a/src/output-json-rfb.h +++ b/src/output-json-rfb.h @@ -26,6 +26,4 @@ void JsonRFBLogRegister(void); -bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js); - #endif /* __OUTPUT_JSON_RFB_H__ */ diff --git a/src/output.c b/src/output.c index 3ae67a5f9e3b..1f89e9841718 100644 --- a/src/output.c +++ b/src/output.c @@ -1153,7 +1153,7 @@ static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_DHCP, NULL, NULL }, // TODO logger with option { ALPROTO_SNMP, NULL, NULL }, // TODO state { ALPROTO_SIP, "sip", (bool (*)(void *tx, struct JsonBuilder *jb))rs_sip_log_json }, - { ALPROTO_RFB, NULL, NULL }, // TODO state + { ALPROTO_RFB, "rfb", rs_rfb_logger_log }, { ALPROTO_MQTT, "mqtt", JsonMQTTAddMetadata }, { ALPROTO_PGSQL, NULL, NULL }, // TODO flags { ALPROTO_TELNET, NULL, NULL }, // no logging From 33d1c68c49b0e91da4ca8f2e3630c7c937259b55 Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Fri, 12 May 2023 12:20:27 +0200 Subject: [PATCH 09/28] output/snmp: reuse standard code --- rust/src/snmp/log.rs | 10 +++++----- src/output-json-alert.c | 17 ----------------- src/output-json-snmp.c | 2 +- src/output.c | 2 +- 4 files changed, 7 insertions(+), 24 deletions(-) diff --git a/rust/src/snmp/log.rs b/rust/src/snmp/log.rs index e37bbba30c06..b371b2b0ac05 100644 --- a/rust/src/snmp/log.rs +++ b/rust/src/snmp/log.rs @@ -18,7 +18,7 @@ // written by Pierre Chifflier use crate::jsonbuilder::{JsonBuilder, JsonError}; -use crate::snmp::snmp::{SNMPState,SNMPTransaction}; +use crate::snmp::snmp::SNMPTransaction; use crate::snmp::snmp_parser::{NetworkAddress,PduType}; use std::borrow::Cow; @@ -37,9 +37,9 @@ fn str_of_pdu_type(t:&PduType) -> Cow { } } -fn snmp_log_response(jsb: &mut JsonBuilder, state: &mut SNMPState, tx: &mut SNMPTransaction) -> Result<(), JsonError> +fn snmp_log_response(jsb: &mut JsonBuilder, tx: &mut SNMPTransaction) -> Result<(), JsonError> { - jsb.set_uint("version", state.version as u64)?; + jsb.set_uint("version", tx.version as u64)?; if tx.encrypted { jsb.set_string("pdu_type", "encrypted")?; } else { @@ -75,7 +75,7 @@ fn snmp_log_response(jsb: &mut JsonBuilder, state: &mut SNMPState, tx: &mut SNMP } #[no_mangle] -pub extern "C" fn rs_snmp_log_json_response(jsb: &mut JsonBuilder, state: &mut SNMPState, tx: &mut SNMPTransaction) -> bool +pub extern "C" fn rs_snmp_log_json_response(tx: &mut SNMPTransaction, jsb: &mut JsonBuilder) -> bool { - snmp_log_response(jsb, state, tx).is_ok() + snmp_log_response(jsb, tx).is_ok() } diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 7074ad738406..c9def4251a7c 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c 
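Review bot: `jsb.set_uint("version", tx.version as u64)` moves the logged version from the state to the transaction, so the output now depends on every SNMPTransaction carrying its own version value; the hunk does not show where `tx.version` is assigned, and if it holds a default until the PDU parser fills it in, a transaction logged from an alert before or without a successful parse would report a different version than the old state-level field did. Worth confirming that the parser sets `version` at transaction creation and, if the field can legitimately be unset, skipping the key rather than emitting a placeholder value. snmp_log_response continues outside the hunk.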
@@ -150,20 +150,6 @@ static void AlertJsonTls(const Flow *f, JsonBuilder *js) return; } -static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js) -{ - void *snmp_state = (void *)FlowGetAppState(f); - if (snmp_state != NULL) { - void *tx = AppLayerParserGetTx(f->proto, ALPROTO_SNMP, snmp_state, - tx_id); - if (tx != NULL) { - jb_open_object(js, "snmp"); - rs_snmp_log_json_response(js, snmp_state, tx); - jb_close(js); - } - } -} - static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa, JsonBuilder *js, JsonAddrInfo *addr) { @@ -430,9 +416,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, jb_restore_mark(jb, &mark); } break; - case ALPROTO_SNMP: - AlertJsonSNMP(p->flow, tx_id, jb); - break; default: break; } diff --git a/src/output-json-snmp.c b/src/output-json-snmp.c index facf50770ac8..4b390acc8f02 100644 --- a/src/output-json-snmp.c +++ b/src/output-json-snmp.c @@ -60,7 +60,7 @@ static int JsonSNMPLogger(ThreadVars *tv, void *thread_data, } jb_open_object(jb, "snmp"); - if (!rs_snmp_log_json_response(jb, state, snmptx)) { + if (!rs_snmp_log_json_response(snmptx, jb)) { goto error; } jb_close(jb); diff --git a/src/output.c b/src/output.c index 1f89e9841718..9ad062fe1ea6 100644 --- a/src/output.c +++ b/src/output.c @@ -1151,7 +1151,7 @@ static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_KRB5, NULL, NULL }, // TODO state { ALPROTO_QUIC, "quic", rs_quic_to_json }, { ALPROTO_DHCP, NULL, NULL }, // TODO logger with option - { ALPROTO_SNMP, NULL, NULL }, // TODO state + { ALPROTO_SNMP, "snmp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_snmp_log_json_response }, { ALPROTO_SIP, "sip", (bool (*)(void *tx, struct JsonBuilder *jb))rs_sip_log_json }, { ALPROTO_RFB, "rfb", rs_rfb_logger_log }, { ALPROTO_MQTT, "mqtt", JsonMQTTAddMetadata }, From 672f5800885dc908d5d60c2426de274e894cbdab Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Fri, 12 May 2023 12:24:43 +0200 Subject: [PATCH 10/28] output/krb5: have krb5 properties in alerts --- rust/src/krb/log.rs | 4 ++-- src/output-json-krb5.c | 2 +- src/output.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rust/src/krb/log.rs b/rust/src/krb/log.rs index 427876ad7e3c..3b8930f3361f 100644 --- a/rust/src/krb/log.rs +++ b/rust/src/krb/log.rs @@ -18,7 +18,7 @@ // written by Pierre Chifflier use crate::jsonbuilder::{JsonBuilder, JsonError}; -use crate::krb::krb5::{KRB5State,KRB5Transaction,test_weak_encryption}; +use crate::krb::krb5::{KRB5Transaction,test_weak_encryption}; fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result<(), JsonError> { @@ -68,7 +68,7 @@ fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result< } #[no_mangle] -pub extern "C" fn rs_krb5_log_json_response(jsb: &mut JsonBuilder, _state: &mut KRB5State, tx: &mut KRB5Transaction) -> bool +pub extern "C" fn rs_krb5_log_json_response(tx: &mut KRB5Transaction, jsb: &mut JsonBuilder) -> bool { krb5_log_response(jsb, tx).is_ok() } diff --git a/src/output-json-krb5.c b/src/output-json-krb5.c index 8381cfd6132f..46e85e046bea 100644 --- a/src/output-json-krb5.c +++ b/src/output-json-krb5.c @@ -60,7 +60,7 @@ static int JsonKRB5Logger(ThreadVars *tv, void *thread_data, } jb_open_object(jb, "krb5"); - if (!rs_krb5_log_json_response(jb, state, krb5tx)) { + if (!rs_krb5_log_json_response(krb5tx, jb)) { goto error; } jb_close(jb); diff --git a/src/output.c b/src/output.c index 9ad062fe1ea6..b7a316b68b2c 100644 --- a/src/output.c +++ b/src/output.c 
@@ -1147,8 +1147,8 @@ static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_NTP, NULL, NULL }, // no logging { ALPROTO_FTPDATA, NULL, NULL }, // TODO state { ALPROTO_TFTP, "tftp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_tftp_log_json_request }, - { ALPROTO_IKE, NULL, NULL }, // TODO state + option - { ALPROTO_KRB5, NULL, NULL }, // TODO state + { ALPROTO_IKE, NULL, NULL }, // TODO state + option + { ALPROTO_KRB5, "krb5", (bool (*)(void *tx, struct JsonBuilder *jb))rs_krb5_log_json_response }, { ALPROTO_QUIC, "quic", rs_quic_to_json }, { ALPROTO_DHCP, NULL, NULL }, // TODO logger with option { ALPROTO_SNMP, "snmp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_snmp_log_json_response }, From 7d2f31256e552bba34b7ed7a8f37bb071fccb834 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Sun, 14 May 2023 19:32:14 +0200 Subject: [PATCH 11/28] output/ftp-data: reuse standard code --- src/app-layer-ftp.c | 9 +++------ src/app-layer-ftp.h | 2 +- src/output-json-alert.c | 6 ------ src/output-json-ftp.c | 2 +- src/output.c | 8 +++++--- 5 files changed, 10 insertions(+), 17 deletions(-) diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c index 7f0accadc149..aad69eb0d658 100644 --- a/src/app-layer-ftp.c +++ b/src/app-layer-ftp.c @@ -1408,13 +1408,9 @@ uint16_t JsonGetNextLineFromBuffer(const char *buffer, const uint16_t len) return c == NULL ? len : (uint16_t)(c - buffer + 1); } -void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb) +bool EveFTPDataAddMetadata(void *vtx, JsonBuilder *jb) { - const FtpDataState *ftp_state = NULL; - if (f->alstate == NULL) - return; - - ftp_state = (FtpDataState *)f->alstate; + const FtpDataState *ftp_state = (FtpDataState *)vtx; if (ftp_state->file_name) { jb_set_string_from_bytes(jb, "filename", ftp_state->file_name, ftp_state->file_len); @@ -1429,6 +1425,7 @@ void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb) default: break; } + return true; } /** 
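Review bot: `const FtpDataState *ftp_state = (FtpDataState *)vtx;` reinterprets the transaction pointer as the parser state, so EveFTPDataAddMetadata is only correct while the FTPDATA tx handed out by the app-layer API is the FtpDataState itself; nothing in the hunk establishes that, and a future per-tx type for FTPDATA would silently turn this into a type confusion rather than a compile error. A comment recording the assumption at the cast, e.g. `/* FTPDATA has a single tx: the tx pointer is the FtpDataState itself (keep in sync with the FTPDATA tx getter) */`, or a dedicated accessor on the ftp side, would protect it. The removed `if (f->alstate == NULL) return;` check is now implicitly the caller's job (JsonFTPLogger and the alert table both pass a tx obtained from the parser), which is reasonable but also worth a word in that comment.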
diff --git a/src/app-layer-ftp.h b/src/app-layer-ftp.h index 39b53b6bf8bb..eae4feb5977d 100644 --- a/src/app-layer-ftp.h +++ b/src/app-layer-ftp.h @@ -188,7 +188,7 @@ uint64_t FTPMemuseGlobalCounter(void); uint64_t FTPMemcapGlobalCounter(void); uint16_t JsonGetNextLineFromBuffer(const char *buffer, const uint16_t len); -void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb); +bool EveFTPDataAddMetadata(void *vtx, JsonBuilder *jb); #endif /* __APP_LAYER_FTP_H__ */ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index c9def4251a7c..bf6a1ea63c29 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -404,12 +404,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, jb_restore_mark(jb, &mark); } break; - case ALPROTO_FTPDATA: - jb_get_mark(jb, &mark); - jb_open_object(jb, "ftp_data"); - EveFTPDataAddMetadata(p->flow, jb); - jb_close(jb); - break; case ALPROTO_IKE: jb_get_mark(jb, &mark); if (!EveIKEAddMetadata(p->flow, tx_id, jb)) { diff --git a/src/output-json-ftp.c b/src/output-json-ftp.c index ccefa6bc05ce..72c1262d5497 100644 --- a/src/output-json-ftp.c +++ b/src/output-json-ftp.c @@ -172,7 +172,7 @@ static int JsonFTPLogger(ThreadVars *tv, void *thread_data, if (likely(jb)) { jb_open_object(jb, event_type); if (f->alproto == ALPROTO_FTPDATA) { - EveFTPDataAddMetadata(f, jb); + EveFTPDataAddMetadata(vtx, jb); } else { EveFTPLogCommand(vtx, jb); } diff --git a/src/output.c b/src/output.c index b7a316b68b2c..97887411b513 100644 --- a/src/output.c +++ b/src/output.c @@ -67,6 +67,8 @@ #include "log-stats.h" #include "output-json-nfs.h" #include "output-json-ftp.h" +// for misplaced EveFTPDataAddMetadata +#include "app-layer-ftp.h" #include "output-json-tftp.h" #include "output-json-smb.h" #include "output-json-ike.h" 
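Review bot: The `// for misplaced EveFTPDataAddMetadata` comment documents a layering wrinkle rather than resolving it: output.c now includes the parser header app-layer-ftp.h only to reach an eve-output helper, while its sibling EveFTPLogCommand is already reachable through output-json-ftp.h, included two lines above. Now that EveFTPDataAddMetadata is a plain `bool (void *, JsonBuilder *)` logger, moving it into output-json-ftp.c/.h would let both the include and the comment go; if that move is out of scope for this series, the comment could at least say so, e.g. `// TODO move EveFTPDataAddMetadata to output-json-ftp.c`.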
@@ -1143,9 +1145,9 @@ static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_MODBUS, "modbus", (bool (*)(void *tx, struct JsonBuilder *jb))rs_modbus_to_json }, { ALPROTO_ENIP, NULL, NULL }, // no logging { ALPROTO_DNP3, "dnp3", AlertJsonDnp3 }, - { ALPROTO_NFS, NULL, NULL }, // TODO log rpc field - { ALPROTO_NTP, NULL, NULL }, // no logging - { ALPROTO_FTPDATA, NULL, NULL }, // TODO state + { ALPROTO_NFS, NULL, NULL }, // TODO log rpc field + { ALPROTO_NTP, NULL, NULL }, // no logging + { ALPROTO_FTPDATA, "ftp_data", EveFTPDataAddMetadata }, { ALPROTO_TFTP, "tftp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_tftp_log_json_request }, { ALPROTO_IKE, NULL, NULL }, // TODO state + option { ALPROTO_KRB5, "krb5", (bool (*)(void *tx, struct JsonBuilder *jb))rs_krb5_log_json_response }, From 2aa1e88e4ce1d3442e90f76d6baa6eae3e7b08f7 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Sun, 14 May 2023 19:39:59 +0200 Subject: [PATCH 12/28] output/tls: reuse standard code --- src/output-json-alert.c | 17 ----------------- src/output-json-tls.c | 6 ++++-- src/output-json-tls.h | 2 +- src/output.c | 2 +- 4 files changed, 6 insertions(+), 21 deletions(-) diff --git a/src/output-json-alert.c b/src/output-json-alert.c index bf6a1ea63c29..527cb3f30108 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -136,20 +136,6 @@ static int AlertJsonDumpStreamSegmentCallback( return 1; } -static void AlertJsonTls(const Flow *f, JsonBuilder *js) -{ - SSLState *ssl_state = (SSLState *)FlowGetAppState(f); - if (ssl_state) { - jb_open_object(js, "tls"); - - JsonTlsLogJSONExtended(js, ssl_state); - - jb_close(js); - } - - return; -} - static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa, JsonBuilder *js, JsonAddrInfo *addr) { 
@@ -358,9 +344,6 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, } jb_close(jb); break; - case ALPROTO_TLS: - AlertJsonTls(p->flow, jb); - break; case ALPROTO_SMTP: jb_get_mark(jb, &mark); jb_open_object(jb, "smtp"); diff --git a/src/output-json-tls.c b/src/output-json-tls.c index 9771f4d1cd7c..b5ba735f8967 100644 --- a/src/output-json-tls.c +++ b/src/output-json-tls.c @@ -392,8 +392,9 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js, } } -void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state) +bool JsonTlsLogJSONExtended(void *vtx, JsonBuilder *tjs) { + SSLState *state = (SSLState *)vtx; JsonTlsLogJSONBasic(tjs, state); /* tls serial */ @@ -425,6 +426,7 @@ void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state) JsonTlsLogClientCert(tjs, &state->client_connp, false, false); jb_close(tjs); } + return true; } static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, @@ -459,7 +461,7 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, } /* log extended */ else if (tls_ctx->flags & LOG_TLS_EXTENDED) { - JsonTlsLogJSONExtended(js, ssl_state); + JsonTlsLogJSONExtended(ssl_state, js); } /* log basic */ else { diff --git a/src/output-json-tls.h b/src/output-json-tls.h index 737e6233ef10..42f706b91d3f 100644 --- a/src/output-json-tls.h +++ b/src/output-json-tls.h @@ -29,6 +29,6 @@ void JsonTlsLogRegister(void); #include "app-layer-ssl.h" void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state); -void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state); +bool JsonTlsLogJSONExtended(void *vtx, JsonBuilder *js); #endif /* __OUTPUT_JSON_TLS_H__ */ diff --git a/src/output.c b/src/output.c index 97887411b513..80db1919b14d 100644 --- a/src/output.c +++ b/src/output.c 
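Review bot: `SSLState *state = (SSLState *)vtx;` in JsonTlsLogJSONExtended casts what the new signature calls a transaction to the TLS parser state; the JsonTlsLogger call site in the same file passes `ssl_state`, and the alert table entry will pass whatever the TLS tx getter returns, so correctness hinges on the TLS app-layer exposing its state as its single transaction — an assumption stated nowhere in the patch. A comment at the cast such as `/* TLS has one tx per flow and it is the SSLState itself; keep in sync with the TLS tx getter */` would make the dependency explicit, and if the rest of the body only reads through it, `const SSLState *` would fit. The body of JsonTlsLogJSONExtended between the two output-json-tls.c hunks is outside this view.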
@@ -1134,7 +1134,7 @@ static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_HTTP1, NULL, NULL }, // TODO empty http object and option_flags { ALPROTO_FTP, "ftp", EveFTPLogCommand }, { ALPROTO_SMTP, NULL, NULL }, // TODO state, + log email - { ALPROTO_TLS, NULL, NULL }, // TODO log state + { ALPROTO_TLS, "tls", JsonTlsLogJSONExtended }, { ALPROTO_SSH, "ssh", rs_ssh_log_json }, { ALPROTO_IMAP, NULL, NULL }, // protocol detection only { ALPROTO_JABBER, NULL, NULL }, // no parser, no logging From 171c7c5da80394fbb015b10df8d1857c5e47c76b Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Sun, 14 May 2023 19:42:55 +0200 Subject: [PATCH 13/28] output: comments for non-generic app-layers --- src/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/output.c b/src/output.c index 80db1919b14d..67de423db324 100644 --- a/src/output.c +++ b/src/output.c 
@@ -1131,33 +1131,33 @@ void OutputRegisterLoggers(void) static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_UNKNOWN, NULL, NULL }, - { ALPROTO_HTTP1, NULL, NULL }, // TODO empty http object and option_flags + { ALPROTO_HTTP1, NULL, NULL }, // special: uses some options flags { ALPROTO_FTP, "ftp", EveFTPLogCommand }, - { ALPROTO_SMTP, NULL, NULL }, // TODO state, + log email + { ALPROTO_SMTP, NULL, NULL }, // special: logs both smtp and email fields { ALPROTO_TLS, "tls", JsonTlsLogJSONExtended }, { ALPROTO_SSH, "ssh", rs_ssh_log_json }, { ALPROTO_IMAP, NULL, NULL }, // protocol detection only { ALPROTO_JABBER, NULL, NULL }, // no parser, no logging - { ALPROTO_SMB, NULL, NULL }, // TODO state - { ALPROTO_DCERPC, NULL, NULL }, // TODO + { ALPROTO_SMB, NULL, NULL }, // special: uses state + { ALPROTO_DCERPC, NULL, NULL }, // TODO missing { ALPROTO_IRC, NULL, NULL }, // no parser, no logging { ALPROTO_DNS, "dns", AlertJsonDns }, { ALPROTO_MODBUS, "modbus", (bool (*)(void *tx, struct JsonBuilder *jb))rs_modbus_to_json }, { ALPROTO_ENIP, NULL, NULL }, // no logging { ALPROTO_DNP3, "dnp3", AlertJsonDnp3 }, - { ALPROTO_NFS, NULL, NULL }, // TODO log rpc field + { ALPROTO_NFS, NULL, NULL }, // special: logs both nfs and rpc fields { ALPROTO_NTP, NULL, NULL }, // no logging { ALPROTO_FTPDATA, "ftp_data", EveFTPDataAddMetadata }, { ALPROTO_TFTP, "tftp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_tftp_log_json_request }, - { ALPROTO_IKE, NULL, NULL }, // TODO state + option + { ALPROTO_IKE, NULL, NULL }, // special: uses state { ALPROTO_KRB5, "krb5", (bool (*)(void *tx, struct JsonBuilder *jb))rs_krb5_log_json_response }, { ALPROTO_QUIC, "quic", rs_quic_to_json }, - { ALPROTO_DHCP, NULL, NULL }, // TODO logger with option + { ALPROTO_DHCP, NULL, NULL }, // TODO missing { ALPROTO_SNMP, "snmp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_snmp_log_json_response }, { ALPROTO_SIP, "sip", (bool (*)(void *tx, struct JsonBuilder *jb))rs_sip_log_json }, { 
ALPROTO_RFB, "rfb", rs_rfb_logger_log }, { ALPROTO_MQTT, "mqtt", JsonMQTTAddMetadata }, - { ALPROTO_PGSQL, NULL, NULL }, // TODO flags + { ALPROTO_PGSQL, NULL, NULL }, // TODO missing { ALPROTO_TELNET, NULL, NULL }, // no logging { ALPROTO_TEMPLATE, "template", rs_template_logger_log }, { ALPROTO_RDP, "rdp", (bool (*)(void *tx, struct JsonBuilder *jb))rs_rdp_to_json }, From 634568ccf298723772b821a53a46cdbe93b90efa Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Sun, 14 May 2023 20:03:02 +0200 Subject: [PATCH 14/28] output: generic tx json logger and used by bittorrent --- src/Makefile.am | 2 - src/output-json-bittorrent-dht.c | 165 ------------------------------- src/output-json-bittorrent-dht.h | 27 ----- src/output.c | 108 +++++++++++++++++++- 4 files changed, 106 insertions(+), 196 deletions(-) delete mode 100644 src/output-json-bittorrent-dht.c delete mode 100644 src/output-json-bittorrent-dht.h diff --git a/src/Makefile.am b/src/Makefile.am index 737b6a6a71fa..2715bcba4b7f 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -393,7 +393,6 @@ noinst_HEADERS = \ output.h \ output-json-alert.h \ output-json-anomaly.h \ - output-json-bittorrent-dht.h \ output-json-dcerpc.h \ output-json-dhcp.h \ output-json-dnp3.h \ @@ -1001,7 +1000,6 @@ libsuricata_c_a_SOURCES = \ output-flow.c \ output-json-alert.c \ output-json-anomaly.c \ - output-json-bittorrent-dht.c \ output-json.c \ output-json-common.c \ output-json-dcerpc.c \ diff --git a/src/output-json-bittorrent-dht.c b/src/output-json-bittorrent-dht.c deleted file mode 100644 index 08b7dc4d722c..000000000000 --- a/src/output-json-bittorrent-dht.c +++ /dev/null 
@@ -1,165 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * Implement JSON/eve logging app-layer BitTorrent DHT. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "output-json-bittorrent-dht.h" -#include "rust.h" - -typedef struct LogBitTorrentDHTFileCtx_ { - uint32_t flags; - OutputJsonCtx *eve_ctx; -} LogBitTorrentDHTFileCtx; - -typedef struct LogBitTorrentDHTLogThread_ { - LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx; - OutputJsonThreadCtx *ctx; -} LogBitTorrentDHTLogThread; - -static int JsonBitTorrentDHTLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, - void *state, void *tx, uint64_t tx_id) -{ - LogBitTorrentDHTLogThread *thread = thread_data; - - JsonBuilder *js = CreateEveHeader( - p, LOG_DIR_PACKET, "bittorrent_dht", NULL, thread->bittorrent_dht_log_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_FAILED; - } - - jb_open_object(js, "bittorrent_dht"); - if 
(!rs_bittorrent_dht_logger_log(tx, js)) { - goto error; - } - jb_close(js); - - OutputJsonBuilderBuffer(js, thread->ctx); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static void OutputBitTorrentDHTLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx = (LogBitTorrentDHTFileCtx *)output_ctx->data; - SCFree(bittorrent_dht_log_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx = SCCalloc(1, sizeof(*bittorrent_dht_log_ctx)); - if (unlikely(bittorrent_dht_log_ctx == NULL)) { - return result; - } - bittorrent_dht_log_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - SCFree(bittorrent_dht_log_ctx); - return result; - } - output_ctx->data = bittorrent_dht_log_ctx; - output_ctx->DeInit = OutputBitTorrentDHTLogDeInitCtxSub; - - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonBitTorrentDHTLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - LogBitTorrentDHTLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogBitTorrentDHT. 
\"initdata\" is NULL."); - goto error_exit; - } - - thread->bittorrent_dht_log_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->bittorrent_dht_log_ctx->eve_ctx); - if (!thread->ctx) { - goto error_exit; - } - *data = (void *)thread; - - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonBitTorrentDHTLogThreadDeinit(ThreadVars *t, void *data) -{ - LogBitTorrentDHTLogThread *thread = (LogBitTorrentDHTLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonBitTorrentDHTLogRegister(void) -{ - if (ConfGetNode("app-layer.protocols.bittorrent-dht") == NULL) { - return; - } - - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonBitTorrentDHTLog", - "eve-log.bittorrent-dht", OutputBitTorrentDHTLogInitSub, ALPROTO_BITTORRENT_DHT, - JsonBitTorrentDHTLogger, JsonBitTorrentDHTLogThreadInit, - JsonBitTorrentDHTLogThreadDeinit, NULL); -} diff --git a/src/output-json-bittorrent-dht.h b/src/output-json-bittorrent-dht.h deleted file mode 100644 index 8927f4d15996..000000000000 --- a/src/output-json-bittorrent-dht.h +++ /dev/null 
@@ -1,27 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - */ - -#ifndef __OUTPUT_JSON_BITTORRENT_DHT_H__ -#define __OUTPUT_JSON_BITTORRENT_DHT_H__ - -void JsonBitTorrentDHTLogRegister(void); - -#endif /* __OUTPUT_JSON_BITTORRENT_DHT_H__ */ diff --git a/src/output.c b/src/output.c index 67de423db324..fb2f319601c3 100644 --- a/src/output.c +++ b/src/output.c @@ -88,7 +88,7 @@ #include "output-json-metadata.h" #include "output-json-dcerpc.h" #include "output-json-frame.h" -#include "output-json-bittorrent-dht.h" +#include "app-layer-parser.h" #include "output-filestore.h" typedef struct RootLogger_ { 
@@ -1034,6 +1034,104 @@ void OutputRegisterRootLoggers(void) OutputStreamingLoggerRegister(); } +typedef struct LogGenericLogThread_ { + OutputJsonCtx *eve_ctx; + OutputJsonThreadCtx *ctx; +} LogGenericLogThread; + +static void OutputGenericLogDeInitCtxSub(OutputCtx *output_ctx) +{ + SCFree(output_ctx); +} + +static OutputInitResult OutputGenericLogInitSub(ConfNode *conf, OutputCtx *parent_ctx, uint8_t ipproto, AppProto proto) +{ + OutputInitResult result = { NULL, false }; + + OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); + if (unlikely(output_ctx == NULL)) { + return result; + } + output_ctx->data = parent_ctx->data; + output_ctx->DeInit = OutputGenericLogDeInitCtxSub; + AppLayerParserRegisterLogger(ipproto, proto); + + result.ctx = output_ctx; + result.ok = true; + return result; +} + +static int JsonGenericLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, + void *state, void *tx, uint64_t tx_id) +{ + LogGenericLogThread *thread = thread_data; + AppLayerLogger *al = GetAppProtoLogger(f->alproto); + if (al == NULL) { + return TM_ECODE_FAILED; + } + + JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, al->name, NULL, thread->eve_ctx); + if (unlikely(js == NULL)) { + return TM_ECODE_FAILED; + } + + jb_open_object(js, al->name); + if (!al->log(tx, js)) { + goto error; + } + jb_close(js); + + OutputJsonBuilderBuffer(js, thread->ctx); + jb_free(js); + + return TM_ECODE_OK; + +error: + jb_free(js); + return TM_ECODE_FAILED; +} + +static TmEcode JsonGenericLogThreadInit(ThreadVars *t, const void *initdata, void **data) +{ + LogGenericLogThread *thread = SCCalloc(1, sizeof(*thread)); + if (unlikely(thread == NULL)) { + return TM_ECODE_FAILED; + } + + if (initdata == NULL) { + SCLogDebug("Error getting context for EveLogGeneric. 
\"initdata\" is NULL."); + goto error_exit; + } + + thread->eve_ctx = ((OutputCtx *)initdata)->data; + thread->ctx = CreateEveThreadCtx(t, thread->eve_ctx); + if (!thread->ctx) { + goto error_exit; + } + *data = (void *)thread; + + return TM_ECODE_OK; + +error_exit: + SCFree(thread); + return TM_ECODE_FAILED; +} + +static TmEcode JsonGenericLogThreadDeinit(ThreadVars *t, void *data) +{ + LogGenericLogThread *thread = (LogGenericLogThread *)data; + if (thread == NULL) { + return TM_ECODE_OK; + } + FreeEveThreadCtx(thread->ctx); + SCFree(thread); + return TM_ECODE_OK; +} + +static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { + return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); +} + /** * \brief Register all non-root logging modules. */ @@ -1126,7 +1224,13 @@ void OutputRegisterLoggers(void) /* app layer frames */ JsonFrameLogRegister(); /* BitTorrent DHT JSON logger */ - JsonBitTorrentDHTLogRegister(); + if (ConfGetNode("app-layer.protocols.bittorrent-dht") != NULL) { + /* Register as an eve sub-module. */ + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonBitTorrentDHTLog", + "eve-log.bittorrent-dht", OutputBitTorrentDHTLogInitSub, ALPROTO_BITTORRENT_DHT, + JsonGenericLogger, JsonGenericLogThreadInit, + JsonGenericLogThreadDeinit, NULL); + } } static AppLayerLogger alert_applayer_loggers[ALPROTO_MAX] = { From dd9a17b7709ff5888eaaacba3d0d52fb4bf7d52d Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 15 May 2023 08:55:14 +0200 Subject: [PATCH 15/28] output/http2: generic tx json logger --- src/output-json-http2.c | 142 ---------------------------------------- src/output-json-http2.h | 1 - src/output.c | 8 ++- 3 files changed, 7 insertions(+), 144 deletions(-) diff --git a/src/output-json-http2.c b/src/output-json-http2.c index d762e76d0665..98622c5d9dd7 100644 --- a/src/output-json-http2.c +++ b/src/output-json-http2.c 
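Review bot: JsonGenericLogger calls `al->log(tx, js)` after checking only `al != NULL`, yet alert_applayer_loggers contains many rows whose callback is NULL, so unless GetAppProtoLogger — not visible here — already maps those rows to NULL, a protocol registered with this generic logger but lacking a callback would dereference a null function pointer on the first logged transaction; `if (al == NULL || al->log == NULL) { return TM_ECODE_FAILED; }` closes that gap cheaply. Two smaller points in the same hunk: OutputGenericLogDeInitCtxSub deliberately frees only the wrapper because `output_ctx->data` aliases `parent_ctx->data`, which deserves a comment (`/* data is borrowed from the parent eve ctx, not owned */`) so nobody later adds an SCFree on it, and `conf` is unused in OutputGenericLogInitSub. The registration hunk below reuses the same thread init/deinit for bittorrent-dht, which reads as behaviour-preserving against the deleted file.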
@@ -24,44 +24,11 @@ */ #include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-print.h" -#include "util-unittest.h" - -#include "util-debug.h" #include "app-layer-parser.h" -#include "output.h" -#include "app-layer-http2.h" -#include "app-layer.h" -#include "util-privs.h" -#include "util-buffer.h" - -#include "util-logopenfile.h" - #include "output-json.h" #include "output-json-http2.h" #include "rust.h" -#define MODULE_NAME "LogHttp2Log" - -typedef struct OutputHttp2Ctx_ { - OutputJsonCtx *eve_ctx; -} OutputHttp2Ctx; - - -typedef struct JsonHttp2LogThread_ { - OutputHttp2Ctx *http2log_ctx; - OutputJsonThreadCtx *ctx; -} JsonHttp2LogThread; - - bool EveHTTP2AddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb) { void *state = FlowGetAppState(f); 
@@ -73,112 +40,3 @@ bool EveHTTP2AddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb) } return false; } - -static int JsonHttp2Logger(ThreadVars *tv, void *thread_data, const Packet *p, - Flow *f, void *state, void *txptr, uint64_t tx_id) -{ - JsonHttp2LogThread *aft = (JsonHttp2LogThread *)thread_data; - - if (unlikely(state == NULL)) { - return 0; - } - - JsonBuilder *js = CreateEveHeaderWithTxId( - p, LOG_DIR_FLOW, "http", NULL, tx_id, aft->http2log_ctx->eve_ctx); - if (unlikely(js == NULL)) - return 0; - - jb_open_object(js, "http"); - if (!rs_http2_log_json(txptr, js)) { - goto end; - } - jb_close(js); - OutputJsonBuilderBuffer(js, aft->ctx); -end: - jb_free(js); - return 0; -} - -static TmEcode JsonHttp2LogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - JsonHttp2LogThread *aft = SCCalloc(1, sizeof(JsonHttp2LogThread)); - if (unlikely(aft == NULL)) - return TM_ECODE_FAILED; - - if(initdata == NULL) - { - SCLogDebug("Error getting context for EveLogHTTP2. \"initdata\" argument NULL"); - goto error_exit; - } - - /* Use the Output Context (file pointer and mutex) */ - aft->http2log_ctx = ((OutputCtx *)initdata)->data; - aft->ctx = CreateEveThreadCtx(t, aft->http2log_ctx->eve_ctx); - if (!aft->ctx) { - goto error_exit; - } - - *data = (void *)aft; - return TM_ECODE_OK; - -error_exit: - SCFree(aft); - return TM_ECODE_FAILED; -} - -static TmEcode JsonHttp2LogThreadDeinit(ThreadVars *t, void *data) -{ - JsonHttp2LogThread *aft = (JsonHttp2LogThread *)data; - if (aft == NULL) { - return TM_ECODE_OK; - } - - FreeEveThreadCtx(aft->ctx); - /* clear memory */ - memset(aft, 0, sizeof(JsonHttp2LogThread)); - - SCFree(aft); - return TM_ECODE_OK; -} - -static void OutputHttp2LogDeinitSub(OutputCtx *output_ctx) -{ - OutputHttp2Ctx *http2_ctx = output_ctx->data; - SCFree(http2_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - 
OutputJsonCtx *ojc = parent_ctx->data; - - OutputHttp2Ctx *http2_ctx = SCMalloc(sizeof(OutputHttp2Ctx)); - if (unlikely(http2_ctx == NULL)) - return result; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx)); - if (unlikely(output_ctx == NULL)) { - SCFree(http2_ctx); - return result; - } - - http2_ctx->eve_ctx = ojc; - - output_ctx->data = http2_ctx; - output_ctx->DeInit = OutputHttp2LogDeinitSub; - - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -void JsonHttp2LogRegister (void) -{ - /* also register as child of eve-log */ - OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", MODULE_NAME, "eve-log.http2", - OutputHttp2LogInitSub, ALPROTO_HTTP2, JsonHttp2Logger, HTTP2StateClosed, - HTTP2StateClosed, JsonHttp2LogThreadInit, JsonHttp2LogThreadDeinit, NULL); -} diff --git a/src/output-json-http2.h b/src/output-json-http2.h index 66bf2ade968e..7e41dc7ea6ed 100644 --- a/src/output-json-http2.h +++ b/src/output-json-http2.h @@ -24,7 +24,6 @@ #ifndef __OUTPUT_JSON_HTTP2_H__ #define __OUTPUT_JSON_HTTP2_H__ -void JsonHttp2LogRegister(void); bool EveHTTP2AddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb); #endif /* __OUTPUT_JSON_HTTP2_H__ */ diff --git a/src/output.c b/src/output.c index fb2f319601c3..46c2ec4676d0 100644 --- a/src/output.c +++ b/src/output.c @@ -1132,6 +1132,10 @@ static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); } +static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { + return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_TCP, ALPROTO_HTTP2); +} + /** * \brief Register all non-root logging modules. */ 
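Review bot: In the output.c hunk, `OutputHttp2LogInitSub` places `{` on the signature line, which departs from the convention used by the neighbouring definitions in this file (`OutputGenericLogDeInitCtxSub`, `JsonGenericLogger`) and from what the same function looks like after the later reformat in this series; `static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)` followed by `{` on its own line would match. The removed `OutputHttp2LogInitSub` also set up a dedicated `OutputHttp2Ctx`; the replacement shares `parent_ctx->data` directly, so a one-line comment noting that the sub-context only borrows the parent's `OutputJsonCtx` and must not free it would help the next reader.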
@@ -1156,7 +1160,9 @@ void OutputRegisterLoggers(void) /* http log */ LogHttpLogRegister(); JsonHttpLogRegister(); - JsonHttp2LogRegister(); + OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", "LogHttp2Log", "eve-log.http2", + OutputHttp2LogInitSub, ALPROTO_HTTP2, JsonGenericLogger, HTTP2StateClosed, + HTTP2StateClosed, JsonGenericLogThreadInit, JsonGenericLogThreadDeinit, NULL); /* tls log */ LogTlsLogRegister(); JsonTlsLogRegister(); From 296793c4bbbab9b96966e836c3ecf67657317c25 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 15 May 2023 08:59:34 +0200 Subject: [PATCH 16/28] output/rdp: generic tx json logger --- src/Makefile.am | 2 -- src/output-json-rdp.c | 81 ------------------------------------------- src/output-json-rdp.h | 29 ---------------- src/output.c | 10 ++++-- 4 files changed, 8 insertions(+), 114 deletions(-) delete mode 100644 src/output-json-rdp.c delete mode 100644 src/output-json-rdp.h diff --git a/src/Makefile.am b/src/Makefile.am index 2715bcba4b7f..230acc0e8c08 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -416,7 +416,6 @@ noinst_HEADERS = \ output-json-netflow.h \ output-json-nfs.h \ output-json-pgsql.h \ - output-json-rdp.h \ output-json-rfb.h \ output-json-sip.h \ output-json-smb.h \ @@ -1024,7 +1023,6 @@ libsuricata_c_a_SOURCES = \ output-json-netflow.c \ output-json-nfs.c \ output-json-pgsql.c \ - output-json-rdp.c \ output-json-rfb.c \ output-json-sip.c \ output-json-smb.c \ diff --git a/src/output-json-rdp.c b/src/output-json-rdp.c deleted file mode 100644 index e14c8391e561..000000000000 --- a/src/output-json-rdp.c +++ /dev/null 
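Review bot: Switching HTTP2 to `JsonGenericLogger` silently changes the emitted record: the removed logger built its header with `CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "http", NULL, tx_id, ...)` and opened an `"http"` object, whereas `JsonGenericLogger` uses `CreateEveHeader(p, LOG_DIR_PACKET, al->name, ...)`, so the `tx_id` field disappears, the src/dest orientation follows the packet rather than the flow, and the event type and object key now depend on whatever `al->name` is for `ALPROTO_HTTP2` in the app-proto logger table, which is not visible in this hunk. If that is intended it should be stated in the commit message and noted inline, e.g. `/* generic logger: event_type/key come from the app-proto logger table; no tx_id */`; if not, the generic logger needs a `CreateEveHeaderWithTxId` variant. Separately, `HTTP2StateClosed` is now referenced from output.c while this patch drops `#include "app-layer-http2.h"` from output-json-http2.c, so please confirm output.c pulls that header in (its include block is outside this hunk).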
@@ -1,81 +0,0 @@ -/* Copyright (C) 2019-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Zach Kelly - * - * Application layer logger for RDP - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" -#include "output.h" -#include "output-json.h" -#include "app-layer.h" -#include "app-layer-parser.h" -#include "app-layer-rdp.h" -#include "output-json-rdp.h" -#include "rust.h" - -static int JsonRdpLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "rdp", NULL, thread->ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - jb_open_object(js, "rdp"); - if (!rs_rdp_to_json(tx, js)) { - jb_free(js); - return TM_ECODE_FAILED; - } - jb_close(js); - OutputJsonBuilderBuffer(js, thread); - - jb_free(js); - return TM_ECODE_OK; -} - -static OutputInitResult OutputRdpLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RDP); - return OutputJsonLogInitSub(conf, 
parent_ctx); -} - -void JsonRdpLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRdpLog", "eve-log.rdp", - OutputRdpLogInitSub, ALPROTO_RDP, JsonRdpLogger, JsonLogThreadInit, JsonLogThreadDeinit, - NULL); - - SCLogDebug("rdp json logger registered."); -} diff --git a/src/output-json-rdp.h b/src/output-json-rdp.h deleted file mode 100644 index 5dc9237691ea..000000000000 --- a/src/output-json-rdp.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Zach Kelly - */ - -#ifndef __OUTPUT_JSON_RDP_H__ -#define __OUTPUT_JSON_RDP_H__ - -void JsonRdpLogRegister(void); - -#endif /* __OUTPUT_JSON_RDP_H__ */ diff --git a/src/output.c b/src/output.c index 46c2ec4676d0..31c1c3b66cbf 100644 --- a/src/output.c +++ b/src/output.c @@ -81,7 +81,6 @@ #include "output-json-mqtt.h" #include "output-json-pgsql.h" #include "output-json-template.h" -#include "output-json-rdp.h" #include "output-json-http2.h" #include "output-lua.h" #include "output-json-dnp3.h" 
@@ -1132,6 +1131,10 @@ static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); } +static OutputInitResult OutputRdpLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { + return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_TCP, ALPROTO_RDP); +} + static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_TCP, ALPROTO_HTTP2); } @@ -1224,7 +1227,10 @@ void OutputRegisterLoggers(void) /* Template JSON logger. */ JsonTemplateLogRegister(); /* RDP JSON logger. */ - JsonRdpLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRdpLog", "eve-log.rdp", + OutputRdpLogInitSub, ALPROTO_RDP, JsonGenericLogger, JsonGenericLogThreadInit, JsonGenericLogThreadDeinit, + NULL); + SCLogDebug("rdp json logger registered."); /* DCERPC JSON logger. */ JsonDCERPCLogRegister(); /* app layer frames */ From ca27f88b1eb164df86e4a19e7701e05202dc66d5 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 15 May 2023 09:06:53 +0200 Subject: [PATCH 17/28] output: code reuse for generic tx json logger --- src/output.c | 93 ++++++++++------------------------------------------ 1 file changed, 17 insertions(+), 76 deletions(-) diff --git a/src/output.c b/src/output.c index 31c1c3b66cbf..7345568dada3 100644 --- a/src/output.c +++ b/src/output.c 
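Review bot: The RDP registration now relies on the app-proto logger table for the `"rdp"` key and the serializer that the deleted `JsonRdpLogger` hard-coded as `rs_rdp_to_json`, and on a different failure policy: the old logger returned `TM_ECODE_OK` when `CreateEveHeader` failed, while `JsonGenericLogger` returns `TM_ECODE_FAILED` for both that case and a missing table entry. Whether the tx-logging caller treats those codes differently is not visible here; if it does, the change in behaviour should be called out. I would at least add `/* eve key and serializer for rdp come from the app-proto logger table, see GetAppProtoLogger() */` above the `OutputRegisterTxSubModule` call so the coupling is discoverable. Same style nit as earlier in the series: `OutputRdpLogInitSub` has `{` on the signature line.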
@@ -1033,43 +1033,16 @@ void OutputRegisterRootLoggers(void) OutputStreamingLoggerRegister(); } -typedef struct LogGenericLogThread_ { - OutputJsonCtx *eve_ctx; - OutputJsonThreadCtx *ctx; -} LogGenericLogThread; - -static void OutputGenericLogDeInitCtxSub(OutputCtx *output_ctx) -{ - SCFree(output_ctx); -} - -static OutputInitResult OutputGenericLogInitSub(ConfNode *conf, OutputCtx *parent_ctx, uint8_t ipproto, AppProto proto) -{ - OutputInitResult result = { NULL, false }; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - return result; - } - output_ctx->data = parent_ctx->data; - output_ctx->DeInit = OutputGenericLogDeInitCtxSub; - AppLayerParserRegisterLogger(ipproto, proto); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - static int JsonGenericLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) { - LogGenericLogThread *thread = thread_data; + OutputJsonThreadCtx *thread = thread_data; AppLayerLogger *al = GetAppProtoLogger(f->alproto); if (al == NULL) { return TM_ECODE_FAILED; } - JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, al->name, NULL, thread->eve_ctx); + JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, al->name, NULL, thread->ctx); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } @@ -1080,7 +1053,7 @@ static int JsonGenericLogger(ThreadVars *tv, void *thread_data, const Packet *p, } jb_close(js); - OutputJsonBuilderBuffer(js, thread->ctx); + OutputJsonBuilderBuffer(js, thread); jb_free(js); return TM_ECODE_OK; 
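Review bot: After this hunk `JsonGenericLogger` is the shared logger for several protocols but still carries no documentation, and its `al == NULL` branch fails silently per transaction. I would add a doxygen block describing the contract — that the eve `event_type`, object key and body come from the `AppLayerLogger` registered for `f->alproto`, that `thread_data` must be an `OutputJsonThreadCtx` from `JsonLogThreadInit`, and that records are emitted with `LOG_DIR_PACKET` — plus `SCLogDebug("no app-layer logger for alproto %u", f->alproto);` before the first `return TM_ECODE_FAILED;`. The `tv`, `state` and `tx_id` parameters are unused; since the callback signature is fixed that is fine, but a `/* unused: callback signature */` note would fit this series' theme of removing dead parameters.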
@@ -1090,53 +1063,22 @@ static int JsonGenericLogger(ThreadVars *tv, void *thread_data, const Packet *p, return TM_ECODE_FAILED; } -static TmEcode JsonGenericLogThreadInit(ThreadVars *t, const void *initdata, void **data) +static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { - LogGenericLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogGeneric. \"initdata\" is NULL."); - goto error_exit; - } - - thread->eve_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->eve_ctx); - if (!thread->ctx) { - goto error_exit; - } - *data = (void *)thread; - - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); + return OutputJsonLogInitSub(conf, parent_ctx); } -static TmEcode JsonGenericLogThreadDeinit(ThreadVars *t, void *data) +static OutputInitResult OutputRdpLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { - LogGenericLogThread *thread = (LogGenericLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { - return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RDP); + return OutputJsonLogInitSub(conf, parent_ctx); } -static OutputInitResult OutputRdpLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { - return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_TCP, ALPROTO_RDP); -} - -static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { - return OutputGenericLogInitSub(conf, parent_ctx, IPPROTO_TCP, ALPROTO_HTTP2); +static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, 
OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2); + return OutputJsonLogInitSub(conf, parent_ctx); } /** @@ -1165,7 +1107,7 @@ void OutputRegisterLoggers(void) JsonHttpLogRegister(); OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", "LogHttp2Log", "eve-log.http2", OutputHttp2LogInitSub, ALPROTO_HTTP2, JsonGenericLogger, HTTP2StateClosed, - HTTP2StateClosed, JsonGenericLogThreadInit, JsonGenericLogThreadDeinit, NULL); + HTTP2StateClosed, JsonLogThreadInit, JsonLogThreadDeinit, NULL); /* tls log */ LogTlsLogRegister(); JsonTlsLogRegister(); @@ -1228,8 +1170,8 @@ void OutputRegisterLoggers(void) JsonTemplateLogRegister(); /* RDP JSON logger. */ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRdpLog", "eve-log.rdp", - OutputRdpLogInitSub, ALPROTO_RDP, JsonGenericLogger, JsonGenericLogThreadInit, JsonGenericLogThreadDeinit, - NULL); + OutputRdpLogInitSub, ALPROTO_RDP, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); SCLogDebug("rdp json logger registered."); /* DCERPC JSON logger. */ JsonDCERPCLogRegister(); @@ -1240,8 +1182,7 @@ void OutputRegisterLoggers(void) /* Register as an eve sub-module. */ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonBitTorrentDHTLog", "eve-log.bittorrent-dht", OutputBitTorrentDHTLogInitSub, ALPROTO_BITTORRENT_DHT, - JsonGenericLogger, JsonGenericLogThreadInit, - JsonGenericLogThreadDeinit, NULL); + JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit, NULL); } } From c347f7f4dda69979f1d21c891a12f05fb4a2ad1a Mon Sep 17 00:00:00 2001 
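Review bot: In the rewritten `*LogInitSub` functions, `AppLayerParserRegisterLogger()` now runs unconditionally before `OutputJsonLogInitSub()`, so if the sub-context allocation fails the parser is still marked as having a logger; the `OutputGenericLogInitSub` this hunk removes only registered after its `SCCalloc` succeeded. Whether a flagged-but-absent logger has consequences depends on code outside this hunk, but keeping the previous ordering is cheap: call `OutputJsonLogInitSub` first, then `if (result.ok) AppLayerParserRegisterLogger(...)`. As a style point, the three functions differ only in their `(ipproto, alproto)` pair; a small static helper or table would keep this from growing by one near-identical function per protocol.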
From: Philippe Antoine Date: Mon, 15 May 2023 09:13:39 +0200 Subject: [PATCH 18/28] output/rfb: generic tx json logger --- src/Makefile.am | 2 - src/output-json-alert.c | 1 - src/output-json-rfb.c | 88 ----------------------------------------- src/output-json-rfb.h | 29 -------------- src/output.c | 11 +++++- 5 files changed, 9 insertions(+), 122 deletions(-) delete mode 100644 src/output-json-rfb.c delete mode 100644 src/output-json-rfb.h diff --git a/src/Makefile.am b/src/Makefile.am index 230acc0e8c08..5805cb0e3be4 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -416,7 +416,6 @@ noinst_HEADERS = \ output-json-netflow.h \ output-json-nfs.h \ output-json-pgsql.h \ - output-json-rfb.h \ output-json-sip.h \ output-json-smb.h \ output-json-smtp.h \ @@ -1023,7 +1022,6 @@ libsuricata_c_a_SOURCES = \ output-json-netflow.c \ output-json-nfs.c \ output-json-pgsql.c \ - output-json-rfb.c \ output-json-sip.c \ output-json-smb.c \ output-json-smtp.c \ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 527cb3f30108..2288767683b3 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -72,7 +72,6 @@ #include "output-json-smb.h" #include "output-json-flow.h" #include "output-json-sip.h" -#include "output-json-rfb.h" #include "output-json-mqtt.h" #include "output-json-ike.h" #include "output-json-modbus.h" diff --git a/src/output-json-rfb.c b/src/output-json-rfb.c deleted file mode 100644 index af375e2dd8f0..000000000000 --- a/src/output-json-rfb.c +++ /dev/null 
@@ -1,88 +0,0 @@ -/* Copyright (C) 2020-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Frank Honza - * - * Implement JSON/eve logging app-layer RFB. - */ - -#include "suricata-common.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-rfb.h" -#include "output-json-rfb.h" - -#include "rust-bindings.h" - -static int JsonRFBLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "rfb", NULL, thread->ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_FAILED; - } - - jb_open_object(js, "rfb"); - if (!rs_rfb_logger_log(tx, js)) { - goto error; - } - jb_close(js); - - OutputJsonBuilderBuffer(js, thread); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputRFBLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB); - return 
OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonRFBLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRFBLog", "eve-log.rfb", - OutputRFBLogInitSub, ALPROTO_RFB, JsonRFBLogger, JsonLogThreadInit, JsonLogThreadDeinit, - NULL); -} diff --git a/src/output-json-rfb.h b/src/output-json-rfb.h deleted file mode 100644 index 7e4e48ebd4c8..000000000000 --- a/src/output-json-rfb.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Frank Honza - */ - -#ifndef __OUTPUT_JSON_RFB_H__ -#define __OUTPUT_JSON_RFB_H__ - -void JsonRFBLogRegister(void); - -#endif /* __OUTPUT_JSON_RFB_H__ */ diff --git a/src/output.c b/src/output.c index 7345568dada3..958320491244 100644 --- a/src/output.c +++ b/src/output.c @@ -77,7 +77,6 @@ #include "output-json-dhcp.h" #include "output-json-snmp.h" #include "output-json-sip.h" -#include "output-json-rfb.h" #include "output-json-mqtt.h" #include "output-json-pgsql.h" #include "output-json-template.h" 
@@ -1075,6 +1074,12 @@ static OutputInitResult OutputRdpLogInitSub(ConfNode *conf, OutputCtx *parent_ct return OutputJsonLogInitSub(conf, parent_ctx); } +static OutputInitResult OutputRFBLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB); + return OutputJsonLogInitSub(conf, parent_ctx); +} + static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2); @@ -1161,7 +1166,9 @@ void OutputRegisterLoggers(void) /* SIP JSON logger. */ JsonSIPLogRegister(); /* RFB JSON logger. */ - JsonRFBLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRFBLog", "eve-log.rfb", + OutputRFBLogInitSub, ALPROTO_RFB, JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit, + NULL); /* MQTT JSON logger. */ JsonMQTTLogRegister(); /* Pgsql JSON logger. */ From f16ad5fa1b776b1300c11bff95c32e0b2af061b4 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 15 May 2023 09:17:35 +0200 Subject: [PATCH 19/28] output/sip: generic tx json logger --- src/Makefile.am | 2 - src/output-json-alert.c | 1 - src/output-json-sip.c | 93 ----------------------------------------- src/output-json-sip.h | 29 ------------- src/output.c | 14 ++++++- 5 files changed, 12 insertions(+), 127 deletions(-) delete mode 100644 src/output-json-sip.c delete mode 100644 src/output-json-sip.h diff --git a/src/Makefile.am b/src/Makefile.am index 5805cb0e3be4..825b814a80f0 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -416,7 +416,6 @@ noinst_HEADERS = \ output-json-netflow.h \ output-json-nfs.h \ output-json-pgsql.h \ - output-json-sip.h \ output-json-smb.h \ output-json-smtp.h \ output-json-snmp.h \ @@ -1022,7 +1021,6 @@ libsuricata_c_a_SOURCES = \ output-json-netflow.c \ output-json-nfs.c \ output-json-pgsql.c \ - output-json-sip.c \ output-json-smb.c \ output-json-smtp.c \ output-json-snmp.c \ 
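Review bot: The deleted `JsonRFBLogger` built its header with `LOG_DIR_FLOW`, whereas `JsonGenericLogger` uses `LOG_DIR_PACKET`, so the src/dest orientation of `rfb` records can change with this hunk's registration. If that is acceptable it should be mentioned in the commit message; otherwise the generic logger needs a per-protocol direction (for example via the `AppLayerLogger` entry) before RFB is moved onto it. A short `/* note: generic logger emits LOG_DIR_PACKET; previous rfb logger used LOG_DIR_FLOW */` beside the `OutputRegisterTxSubModule` call would at least record the decision.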
diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 2288767683b3..4f7017837e1e 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -71,7 +71,6 @@ #include "output-json-nfs.h" #include "output-json-smb.h" #include "output-json-flow.h" -#include "output-json-sip.h" #include "output-json-mqtt.h" #include "output-json-ike.h" #include "output-json-modbus.h" diff --git a/src/output-json-sip.c b/src/output-json-sip.c deleted file mode 100644 index e3cee00b860f..000000000000 --- a/src/output-json-sip.c +++ /dev/null 
@@ -1,93 +0,0 @@ -/* Copyright (C) 2018-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - * - * Implement JSON/eve logging app-layer SIP. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-sip.h" -#include "output-json-sip.h" - -#include "rust.h" - -static int JsonSIPLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - SIPTransaction *siptx = tx; - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *js = CreateEveHeader((Packet *)p, LOG_DIR_PACKET, "sip", NULL, thread->ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - - jb_open_object(js, "sip"); - if (!rs_sip_log_json(siptx, js)) { - goto error; - } - jb_close(js); - - OutputJsonBuilderBuffer(js, thread); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputSIPLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - 
AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SIP); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonSIPLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip", - OutputSIPLogInitSub, ALPROTO_SIP, JsonSIPLogger, JsonLogThreadInit, JsonLogThreadDeinit, - NULL); - - SCLogDebug("SIP JSON logger registered."); -} diff --git a/src/output-json-sip.h b/src/output-json-sip.h deleted file mode 100644 index 0d2c53fa50df..000000000000 --- a/src/output-json-sip.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - */ - -#ifndef __OUTPUT_JSON_SIP_H__ -#define __OUTPUT_JSON_SIP_H__ - -void JsonSIPLogRegister(void); - -#endif /* __OUTPUT_JSON_SIP_H__ */ diff --git a/src/output.c b/src/output.c index 958320491244..5dde48cf168f 100644 --- a/src/output.c +++ b/src/output.c @@ -76,7 +76,6 @@ #include "output-json-quic.h" #include "output-json-dhcp.h" #include "output-json-snmp.h" -#include "output-json-sip.h" #include "output-json-mqtt.h" #include "output-json-pgsql.h" #include "output-json-template.h" 
@@ -1080,6 +1079,12 @@ static OutputInitResult OutputRFBLogInitSub(ConfNode *conf, OutputCtx *parent_ct return OutputJsonLogInitSub(conf, parent_ctx); } +static OutputInitResult OutputSIPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SIP); + return OutputJsonLogInitSub(conf, parent_ctx); +} + static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) { AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2); @@ -1164,7 +1169,12 @@ void OutputRegisterLoggers(void) /* SNMP JSON logger. */ JsonSNMPLogRegister(); /* SIP JSON logger. */ - JsonSIPLogRegister(); + /* Register as an eve sub-module. */ + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip", + OutputSIPLogInitSub, ALPROTO_SIP, JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit, + NULL); + + SCLogDebug("SIP JSON logger registered."); /* RFB JSON logger. */ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRFBLog", "eve-log.rfb", OutputRFBLogInitSub, ALPROTO_RFB, JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit, From c084c4ee03c0cc586e4eedb648e9ab69cab43cbc Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 15 May 2023 09:21:03 +0200 Subject: [PATCH 20/28] output/snmp: generic tx json logger --- src/Makefile.am | 2 - src/output-json-snmp.c | 93 ------------------------------------------ src/output-json-snmp.h | 29 ------------- src/output.c | 14 +++++-- 4 files changed, 11 insertions(+), 127 deletions(-) delete mode 100644 src/output-json-snmp.c delete mode 100644 src/output-json-snmp.h diff --git a/src/Makefile.am b/src/Makefile.am index 825b814a80f0..482c1a4a269b 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -418,7 +418,6 @@ noinst_HEADERS = \ output-json-pgsql.h \ output-json-smb.h \ output-json-smtp.h \ - output-json-snmp.h \ output-json-ssh.h \ output-json-stats.h \ output-json-template.h \ 
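Review bot: The removed `JsonSIPLogger` returned `TM_ECODE_OK` when `CreateEveHeader` failed, while `JsonGenericLogger` returns `TM_ECODE_FAILED` for that case, so this registration changes the failure code seen by the tx-logging caller; whether that matters is not visible here, but it is a behaviour change the commit message does not mention. Stylistically, the registration now has two consecutive comments (`/* SIP JSON logger. */` and `/* Register as an eve sub-module. */`) and a stray blank line before `SCLogDebug`; folding them into `/* SIP JSON logger, registered as an eve sub-module. */` and dropping the blank line would match the surrounding entries.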
@@ -1023,7 +1022,6 @@ libsuricata_c_a_SOURCES = \ output-json-pgsql.c \ output-json-smb.c \ output-json-smtp.c \ - output-json-snmp.c \ output-json-ssh.c \ output-json-stats.c \ output-json-template.c \ diff --git a/src/output-json-snmp.c b/src/output-json-snmp.c deleted file mode 100644 index 4b390acc8f02..000000000000 --- a/src/output-json-snmp.c +++ /dev/null 
@@ -1,93 +0,0 @@ -/* Copyright (C) 2018-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - * - * Implement JSON/eve logging app-layer SNMP. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-snmp.h" -#include "output-json-snmp.h" - -#include "rust.h" - -static int JsonSNMPLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - SNMPTransaction *snmptx = tx; - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "snmp", NULL, thread->ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_FAILED; - } - - jb_open_object(jb, "snmp"); - if (!rs_snmp_log_json_response(snmptx, jb)) { - goto error; - } - jb_close(jb); - - OutputJsonBuilderBuffer(jb, thread); - - jb_free(jb); - return TM_ECODE_OK; - -error: - jb_free(jb); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputSNMPLogInitSub(ConfNode *conf, - OutputCtx 
*parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SNMP); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonSNMPLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSNMPLog", "eve-log.snmp", - OutputSNMPLogInitSub, ALPROTO_SNMP, JsonSNMPLogger, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); - - SCLogDebug("SNMP JSON logger registered."); -} diff --git a/src/output-json-snmp.h b/src/output-json-snmp.h deleted file mode 100644 index 4c88db32317d..000000000000 --- a/src/output-json-snmp.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015-2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - */ - -#ifndef __OUTPUT_JSON_SNMP_H__ -#define __OUTPUT_JSON_SNMP_H__ - -void JsonSNMPLogRegister(void); - -#endif /* __OUTPUT_JSON_SNMP_H__ */ diff --git a/src/output.c b/src/output.c index 5dde48cf168f..69cc556d660e 100644 --- a/src/output.c +++ b/src/output.c @@ -75,7 +75,6 @@ #include "output-json-krb5.h" #include "output-json-quic.h" #include "output-json-dhcp.h" -#include "output-json-snmp.h" #include "output-json-mqtt.h" #include "output-json-pgsql.h" #include "output-json-template.h" 
@@ -1085,6 +1084,12 @@ static OutputInitResult OutputSIPLogInitSub(ConfNode *conf, OutputCtx *parent_ct
 return OutputJsonLogInitSub(conf, parent_ctx);
 }
 
+static OutputInitResult OutputSNMPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SNMP);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
 static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
 {
 AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2);
@@ -1167,9 +1172,12 @@ void OutputRegisterLoggers(void)
 /* DHCP JSON logger. */
 JsonDHCPLogRegister();
 /* SNMP JSON logger. */
- JsonSNMPLogRegister();
+ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSNMPLog", "eve-log.snmp",
+ OutputSNMPLogInitSub, ALPROTO_SNMP, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
+
+ SCLogDebug("SNMP JSON logger registered.");
 /* SIP JSON logger. */
- /* Register as an eve sub-module. */
 OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip",
 OutputSIPLogInitSub, ALPROTO_SIP, JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit,
 NULL);
From 2264bf5497d0af005084b4cb7fbc99c446d41fe6 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 15 May 2023 09:24:08 +0200
Subject: [PATCH 21/28] output/quic: generic tx json logger
---
 src/Makefile.am | 2 -
 src/output-json-alert.c | 1 -
 src/output-json-quic.c | 153 ----------------------------------------
 src/output-json-quic.h | 27 -------
 src/output.c | 13 +++-
 5 files changed, 11 insertions(+), 185 deletions(-)
 delete mode 100644 src/output-json-quic.c
 delete mode 100644 src/output-json-quic.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 482c1a4a269b..2f55c778c1f2 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -411,7 +411,6 @@ noinst_HEADERS = \
 output-json-krb5.h \
 output-json-metadata.h \
 output-json-modbus.h \
- output-json-quic.h \
 output-json-mqtt.h \
 output-json-netflow.h \
 output-json-nfs.h \
@@ -1015,7 +1014,6 @@ libsuricata_c_a_SOURCES = \ output-json-krb5.c \ output-json-metadata.c \ output-json-modbus.c \ - output-json-quic.c \ output-json-mqtt.c \ output-json-netflow.c \ output-json-nfs.c \ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 4f7017837e1e..3bc62b7567a6 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -75,7 +75,6 @@ #include "output-json-ike.h" #include "output-json-modbus.h" #include "output-json-frame.h" -#include "output-json-quic.h" #include "util-byte.h" #include "util-privs.h" diff --git a/src/output-json-quic.c b/src/output-json-quic.c deleted file mode 100644 index bb3d516bb406..000000000000 --- a/src/output-json-quic.c +++ /dev/null 
@@ -1,153 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * Implements JSON/eve logging for Quic app-layer. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" -#include "output.h" -#include "output-json.h" -#include "app-layer.h" -#include "app-layer-parser.h" -#include "output-json-quic.h" -#include "rust.h" - -typedef struct LogQuicFileCtx_ { - LogFileCtx *file_ctx; - OutputJsonCtx *eve_ctx; -} LogQuicFileCtx; - -typedef struct JsonQuicLogThread_ { - LogQuicFileCtx *quiclog_ctx; - OutputJsonThreadCtx *ctx; -} JsonQuicLogThread; - -static int JsonQuicLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, - void *tx, uint64_t tx_id) -{ - JsonQuicLogThread *thread = thread_data; - - JsonBuilder *js = - CreateEveHeader(p, LOG_DIR_PACKET, "quic", NULL, thread->quiclog_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - jb_open_object(js, "quic"); - if (!rs_quic_to_json(tx, js)) { - jb_free(js); - return TM_ECODE_FAILED; - } - jb_close(js); - OutputJsonBuilderBuffer(js, thread->ctx); - - jb_free(js); - return 
TM_ECODE_OK; -} - -static void OutputQuicLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogQuicFileCtx *quiclog_ctx = (LogQuicFileCtx *)output_ctx->data; - SCFree(quiclog_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputQuicLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogQuicFileCtx *quiclog_ctx = SCCalloc(1, sizeof(*quiclog_ctx)); - if (unlikely(quiclog_ctx == NULL)) { - return result; - } - quiclog_ctx->file_ctx = ajt->file_ctx; - quiclog_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - SCFree(quiclog_ctx); - return result; - } - output_ctx->data = quiclog_ctx; - output_ctx->DeInit = OutputQuicLogDeInitCtxSub; - - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_QUIC); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonQuicLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogQuic. \"initdata\" is NULL."); - return TM_ECODE_FAILED; - } - - JsonQuicLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - thread->quiclog_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->quiclog_ctx->eve_ctx); - if (thread->ctx == NULL) { - goto error_exit; - } - - *data = (void *)thread; - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonQuicLogThreadDeinit(ThreadVars *t, void *data) -{ - JsonQuicLogThread *thread = (JsonQuicLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonQuicLogRegister(void) -{ - /* Register as an eve sub-module. 
*/ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonQuicLog", "eve-log.quic", - OutputQuicLogInitSub, ALPROTO_QUIC, JsonQuicLogger, JsonQuicLogThreadInit, - JsonQuicLogThreadDeinit, NULL); - - SCLogDebug("quic json logger registered."); -} diff --git a/src/output-json-quic.h b/src/output-json-quic.h deleted file mode 100644 index 48e38185f2bd..000000000000 --- a/src/output-json-quic.h +++ /dev/null @@ -1,27 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - */ - -#ifndef __OUTPUT_JSON_QUIC_H__ -#define __OUTPUT_JSON_QUIC_H__ - -void JsonQuicLogRegister(void); - -#endif /* __OUTPUT_JSON_QUIC_H__ */ diff --git a/src/output.c b/src/output.c index 69cc556d660e..c71390892b29 100644 --- a/src/output.c +++ b/src/output.c @@ -73,7 +73,6 @@ #include "output-json-smb.h" #include "output-json-ike.h" #include "output-json-krb5.h" -#include "output-json-quic.h" #include "output-json-dhcp.h" #include "output-json-mqtt.h" #include "output-json-pgsql.h" 
@@ -1090,6 +1089,12 @@ static OutputInitResult OutputSNMPLogInitSub(ConfNode *conf, OutputCtx *parent_c
 return OutputJsonLogInitSub(conf, parent_ctx);
 }
 
+static OutputInitResult OutputQuicLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_QUIC);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
 static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
 {
 AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2);
@@ -1168,7 +1173,11 @@ void OutputRegisterLoggers(void)
 /* KRB5 JSON logger. */
 JsonKRB5LogRegister();
 /* QUIC JSON logger. */
- JsonQuicLogRegister();
+ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonQuicLog", "eve-log.quic",
+ OutputQuicLogInitSub, ALPROTO_QUIC, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
+
+ SCLogDebug("quic json logger registered.");
 /* DHCP JSON logger. */
 JsonDHCPLogRegister();
 /* SNMP JSON logger. */
From 2ec8b53f2ef146f249d3e41f32cb24d71ab3bd45 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 15 May 2023 09:26:57 +0200
Subject: [PATCH 22/28] output/krb5: generic tx json logger
---
 src/Makefile.am | 2 -
 src/output-json-krb5.c | 94 ------------------------------------------
 src/output-json-krb5.h | 29 -------------
 src/output.c | 14 ++++++-
 4 files changed, 12 insertions(+), 127 deletions(-)
 delete mode 100644 src/output-json-krb5.c
 delete mode 100644 src/output-json-krb5.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 2f55c778c1f2..cea7798db5eb 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -408,7 +408,6 @@ noinst_HEADERS = \
 output-json-http2.h \
 output-json-http.h \
 output-json-ike.h \
- output-json-krb5.h \
 output-json-metadata.h \
 output-json-modbus.h \
 output-json-mqtt.h \
@@ -1011,7 +1010,6 @@ libsuricata_c_a_SOURCES = \
 output-json-http2.c \
 output-json-http.c \
 output-json-ike.c \
- output-json-krb5.c \
 output-json-metadata.c \
 output-json-modbus.c \
 output-json-mqtt.c \
diff --git a/src/output-json-krb5.c b/src/output-json-krb5.c deleted file mode 100644 index 46e85e046bea..000000000000 --- a/src/output-json-krb5.c +++ /dev/null 
@@ -1,94 +0,0 @@ -/* Copyright (C) 2018-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - * - * Implement JSON/eve logging app-layer KRB5. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-krb5.h" -#include "output-json-krb5.h" - -#include "rust.h" - -static int JsonKRB5Logger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - KRB5Transaction *krb5tx = tx; - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "krb5", NULL, thread->ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_FAILED; - } - - jb_open_object(jb, "krb5"); - if (!rs_krb5_log_json_response(krb5tx, jb)) { - goto error; - } - jb_close(jb); - - OutputJsonBuilderBuffer(jb, thread); - - jb_free(jb); - return TM_ECODE_OK; - -error: - jb_free(jb); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputKRB5LogInitSub(ConfNode *conf, - OutputCtx 
*parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_KRB5); - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_KRB5); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonKRB5LogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonKRB5Log", "eve-log.krb5", - OutputKRB5LogInitSub, ALPROTO_KRB5, JsonKRB5Logger, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); - - SCLogDebug("KRB5 JSON logger registered."); -} diff --git a/src/output-json-krb5.h b/src/output-json-krb5.h deleted file mode 100644 index 87f5b79136cb..000000000000 --- a/src/output-json-krb5.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - */ - -#ifndef __OUTPUT_JSON_KRB5_H__ -#define __OUTPUT_JSON_KRB5_H__ - -void JsonKRB5LogRegister(void); - -#endif /* __OUTPUT_JSON_KRB5_H__ */ diff --git a/src/output.c b/src/output.c index c71390892b29..89abb62ff0f2 100644 --- a/src/output.c +++ b/src/output.c @@ -72,7 +72,6 @@ #include "output-json-tftp.h" #include "output-json-smb.h" #include "output-json-ike.h" -#include "output-json-krb5.h" #include "output-json-dhcp.h" #include "output-json-mqtt.h" #include "output-json-pgsql.h" 
@@ -1095,6 +1094,13 @@ static OutputInitResult OutputQuicLogInitSub(ConfNode *conf, OutputCtx *parent_c
 return OutputJsonLogInitSub(conf, parent_ctx);
 }
 
+static OutputInitResult OutputKRB5LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_KRB5);
+ AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_KRB5);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
 static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
 {
 AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2);
@@ -1171,7 +1177,11 @@ void OutputRegisterLoggers(void)
 /* IKE JSON logger. */
 JsonIKELogRegister();
 /* KRB5 JSON logger. */
- JsonKRB5LogRegister();
+ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonKRB5Log", "eve-log.krb5",
+ OutputKRB5LogInitSub, ALPROTO_KRB5, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
+
+ SCLogDebug("KRB5 JSON logger registered.");
 /* QUIC JSON logger. */
 OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonQuicLog", "eve-log.quic",
 OutputQuicLogInitSub, ALPROTO_QUIC, JsonGenericLogger, JsonLogThreadInit,
From 97668a94f0eebd8cc299615247b9e2fa280c0303 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 15 May 2023 09:29:50 +0200
Subject: [PATCH 23/28] output/tftp: generic tx json logger
---
 src/Makefile.am | 2 -
 src/output-json-tftp.c | 92 ------------------------------------------
 src/output-json-tftp.h | 29 -------------
 src/output.c | 23 +++++++----
 4 files changed, 16 insertions(+), 130 deletions(-)
 delete mode 100644 src/output-json-tftp.c
 delete mode 100644 src/output-json-tftp.h
diff --git a/src/Makefile.am b/src/Makefile.am
index cea7798db5eb..9d65c100cba3 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -419,7 +419,6 @@ noinst_HEADERS = \
 output-json-ssh.h \
 output-json-stats.h \
 output-json-template.h \
- output-json-tftp.h \
 output-json-tls.h \
 output-eve-syslog.h \
 output-lua.h \
@@ -1021,7 +1020,6 @@ libsuricata_c_a_SOURCES = \ output-json-ssh.c \ output-json-stats.c \ output-json-template.c \ - output-json-tftp.c \ output-json-tls.c \ output-eve-syslog.c \ output-lua.c \ diff --git a/src/output-json-tftp.c b/src/output-json-tftp.c deleted file mode 100644 index 4fff67a8b696..000000000000 --- a/src/output-json-tftp.c +++ /dev/null 
@@ -1,92 +0,0 @@ -/* Copyright (C) 2020-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Clément Galland - * - * Implement JSON/eve logging app-layer TFTP. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-tftp.h" -#include "output-json-tftp.h" - -#include "rust.h" - -static int JsonTFTPLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "tftp", NULL, thread->ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_FAILED; - } - - jb_open_object(jb, "tftp"); - if (unlikely(!rs_tftp_log_json_request(tx, jb))) { - goto error; - } - jb_close(jb); - - OutputJsonBuilderBuffer(jb, thread); - - jb_free(jb); - return TM_ECODE_OK; - -error: - jb_free(jb); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - 
AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonTFTPLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTFTPLog", "eve-log.tftp", - OutputTFTPLogInitSub, ALPROTO_TFTP, JsonTFTPLogger, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); - - SCLogDebug("TFTP JSON logger registered."); -} diff --git a/src/output-json-tftp.h b/src/output-json-tftp.h deleted file mode 100644 index 3db4ba06cd55..000000000000 --- a/src/output-json-tftp.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2017 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Clément Galland - */ - -#ifndef __OUTPUT_JSON_TFTP_H__ -#define __OUTPUT_JSON_TFTP_H__ - -void JsonTFTPLogRegister(void); - -#endif /* __OUTPUT_JSON_TFTP_H__ */ diff --git a/src/output.c b/src/output.c index 89abb62ff0f2..130f4d11c8ce 100644 --- a/src/output.c +++ b/src/output.c @@ -69,7 +69,6 @@ #include "output-json-ftp.h" // for misplaced EveFTPDataAddMetadata #include "app-layer-ftp.h" -#include "output-json-tftp.h" #include "output-json-smb.h" #include "output-json-ike.h" #include "output-json-dhcp.h" 
@@ -1101,6 +1100,12 @@ static OutputInitResult OutputKRB5LogInitSub(ConfNode *conf, OutputCtx *parent_c
 return OutputJsonLogInitSub(conf, parent_ctx);
 }
 
+static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
 static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
 {
 AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2);
@@ -1169,7 +1174,11 @@ void OutputRegisterLoggers(void)
 /* NFS JSON logger. */
 JsonNFSLogRegister();
 /* TFTP JSON logger. */
- JsonTFTPLogRegister();
+ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTFTPLog", "eve-log.tftp",
+ OutputTFTPLogInitSub, ALPROTO_TFTP, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
+
+ SCLogDebug("TFTP JSON logger registered.");
 /* FTP JSON logger. */
 JsonFTPLogRegister();
 /* SMB JSON logger. */
@@ -1185,7 +1194,7 @@ void OutputRegisterLoggers(void)
 /* QUIC JSON logger. */
 OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonQuicLog", "eve-log.quic",
 OutputQuicLogInitSub, ALPROTO_QUIC, JsonGenericLogger, JsonLogThreadInit,
- JsonLogThreadDeinit, NULL);
+ JsonLogThreadDeinit, NULL);
 
 SCLogDebug("quic json logger registered.");
 /* DHCP JSON logger. */
@@ -1198,14 +1207,14 @@ void OutputRegisterLoggers(void)
 SCLogDebug("SNMP JSON logger registered.");
 /* SIP JSON logger. */
 OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip",
- OutputSIPLogInitSub, ALPROTO_SIP, JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit,
- NULL);
+ OutputSIPLogInitSub, ALPROTO_SIP, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
 
 SCLogDebug("SIP JSON logger registered.");
 /* RFB JSON logger. */
 OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRFBLog", "eve-log.rfb",
- OutputRFBLogInitSub, ALPROTO_RFB, JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit,
- NULL);
+ OutputRFBLogInitSub, ALPROTO_RFB, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
 /* MQTT JSON logger. */
 JsonMQTTLogRegister();
 /* Pgsql JSON logger. */
From cb56dddd100b27e85c94d94c8a884b63fdd11c53 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 15 May 2023 09:43:14 +0200
Subject: [PATCH 24/28] output/dnp3: restrict function scope to one file
---
 src/output-json-dnp3.c | 4 ++--
 src/output-json-dnp3.h | 3 ---
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/output-json-dnp3.c b/src/output-json-dnp3.c
index fcfd07d2d83f..7242ad149c4c 100644
--- a/src/output-json-dnp3.c
+++ b/src/output-json-dnp3.c
@@ -140,7 +140,7 @@ static void JsonDNP3LogObjects(JsonBuilder *js, DNP3ObjectList *objects)
 }
 }
 
-void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
+static void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
 {
 JB_SET_STRING(js, "type", "request");
 
@@ -171,7 +171,7 @@ void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx)
 jb_close(js);
 }
 
-void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
+static void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx)
 {
 if (dnp3tx->ah.function_code == DNP3_APP_FC_UNSOLICITED_RESP) {
 JB_SET_STRING(js, "type", "unsolicited_response");
diff --git a/src/output-json-dnp3.h b/src/output-json-dnp3.h index 6f81026780d9..5b5f56236abd 100644 --- a/src/output-json-dnp3.h +++ b/src/output-json-dnp3.h @@ -20,9 +20,6 @@ #include "app-layer-dnp3.h" -void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *); -void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *); - void JsonDNP3LogRegister(void); bool AlertJsonDnp3(void *vtx, JsonBuilder *js); From bc65a1e4fc19e6d00d7af36c6a64810cbbd7a744 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 15 May 2023 09:46:04 +0200 Subject: [PATCH 25/28] output/modbus: generic tx json logger --- src/Makefile.am | 2 - src/output-json-alert.c | 1 - src/output-json-modbus.c | 149 --------------------------------------- src/output-json-modbus.h | 23 ------ src/output.c | 13 +++- 5 files changed, 11 insertions(+), 177 deletions(-) delete mode 100644 src/output-json-modbus.c delete mode 100644 src/output-json-modbus.h diff --git a/src/Makefile.am b/src/Makefile.am index 9d65c100cba3..70fe74cde040 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -409,7 +409,6 @@ noinst_HEADERS = \ output-json-http.h \ output-json-ike.h \ output-json-metadata.h \ - output-json-modbus.h \ output-json-mqtt.h \ output-json-netflow.h \ output-json-nfs.h \ @@ -1010,7 +1009,6 @@ libsuricata_c_a_SOURCES = \ output-json-http.c \ output-json-ike.c \ output-json-metadata.c \ - output-json-modbus.c \ output-json-mqtt.c \ output-json-netflow.c \ output-json-nfs.c \ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 3bc62b7567a6..507c16ce720e 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -73,7 +73,6 @@ #include "output-json-flow.h" #include "output-json-mqtt.h" #include "output-json-ike.h" -#include "output-json-modbus.h" #include "output-json-frame.h" #include "util-byte.h" diff --git a/src/output-json-modbus.c b/src/output-json-modbus.c deleted file mode 100644 index d332cbb282a3..000000000000 --- a/src/output-json-modbus.c +++ /dev/null 
@@ -1,149 +0,0 @@ -/* Copyright (C) 2019-2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" -#include "output.h" -#include "output-json.h" -#include "app-layer.h" -#include "app-layer-parser.h" -#include "output-json-modbus.h" -#include "rust.h" - -typedef struct LogModbusFileCtx_ { - LogFileCtx *file_ctx; - OutputJsonCtx *eve_ctx; -} LogModbusFileCtx; - -typedef struct JsonModbusLogThread_ { - LogModbusFileCtx *modbuslog_ctx; - OutputJsonThreadCtx *ctx; -} JsonModbusLogThread; - -static int JsonModbusLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, - void *state, void *tx, uint64_t tx_id) -{ - JsonModbusLogThread *thread = thread_data; - - JsonBuilder *js = - CreateEveHeader(p, LOG_DIR_FLOW, "modbus", NULL, thread->modbuslog_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - jb_open_object(js, "modbus"); - if (!rs_modbus_to_json(tx, js)) { - jb_free(js); - return TM_ECODE_FAILED; - } - jb_close(js); - OutputJsonBuilderBuffer(js, thread->ctx); - - jb_free(js); - return TM_ECODE_OK; -} - -static void 
OutputModbusLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogModbusFileCtx *modbuslog_ctx = (LogModbusFileCtx *)output_ctx->data; - SCFree(modbuslog_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputModbusLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogModbusFileCtx *modbuslog_ctx = SCCalloc(1, sizeof(*modbuslog_ctx)); - if (unlikely(modbuslog_ctx == NULL)) { - return result; - } - modbuslog_ctx->file_ctx = ajt->file_ctx; - modbuslog_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - SCFree(modbuslog_ctx); - return result; - } - output_ctx->data = modbuslog_ctx; - output_ctx->DeInit = OutputModbusLogDeInitCtxSub; - - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_MODBUS); - - SCLogDebug("modbus log sub-module initialized."); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonModbusLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogModbus. \"initdata\" is NULL."); - return TM_ECODE_FAILED; - } - - JsonModbusLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - thread->modbuslog_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->modbuslog_ctx->eve_ctx); - if (thread->ctx == NULL) { - goto error_exit; - } - - *data = (void *)thread; - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonModbusLogThreadDeinit(ThreadVars *t, void *data) -{ - JsonModbusLogThread *thread = (JsonModbusLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonModbusLogRegister(void) -{ - /* Register as an eve sub-module. 
*/ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonModbusLog", "eve-log.modbus", - OutputModbusLogInitSub, ALPROTO_MODBUS, JsonModbusLogger, JsonModbusLogThreadInit, - JsonModbusLogThreadDeinit, NULL); - - SCLogDebug("modbus json logger registered."); -} diff --git a/src/output-json-modbus.h b/src/output-json-modbus.h deleted file mode 100644 index 2b07e4eb2d5c..000000000000 --- a/src/output-json-modbus.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#ifndef __OUTPUT_JSON_MODBUS_H__ -#define __OUTPUT_JSON_MODBUS_H__ - -void JsonModbusLogRegister(void); - -#endif /* __OUTPUT_JSON_MODBUS_H__ */ diff --git a/src/output.c b/src/output.c index 130f4d11c8ce..9e4514a85207 100644 --- a/src/output.c +++ b/src/output.c @@ -54,7 +54,6 @@ #include "log-httplog.h" #include "output-json-http.h" #include "output-json-dns.h" -#include "output-json-modbus.h" #include "log-tlslog.h" #include "log-tlsstore.h" #include "output-json-tls.h" 
@@ -1106,6 +1105,12 @@ static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf, OutputCtx *parent_c
 return OutputJsonLogInitSub(conf, parent_ctx);
 }
+static OutputInitResult OutputModbusLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_MODBUS);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
 static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
 {
 AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2);
@@ -1153,7 +1158,11 @@ void OutputRegisterLoggers(void)
 /* dns */
 JsonDnsLogRegister();
 /* modbus */
- JsonModbusLogRegister();
+ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonModbusLog", "eve-log.modbus",
+ OutputModbusLogInitSub, ALPROTO_MODBUS, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
+
+ SCLogDebug("modbus json logger registered.");
 /* tcp streaming data */
 LogTcpDataLogRegister();
 /* log stats */
From 481eb5598ca4913ea65624c6ede5651bfe744583 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 15 May 2023 09:49:48 +0200
Subject: [PATCH 26/28] output/ssh: generic tx json logger
---
 src/Makefile.am | 2 -
 src/output-json-alert.c | 1 -
 src/output-json-ssh.c | 91 -----------------------------------------
 src/output-json-ssh.h | 29 -------------
 src/output.c | 13 +++++-
 5 files changed, 11 insertions(+), 125 deletions(-)
 delete mode 100644 src/output-json-ssh.c
 delete mode 100644 src/output-json-ssh.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 70fe74cde040..041ddea7b2c2 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -415,7 +415,6 @@ noinst_HEADERS = \
 output-json-pgsql.h \
 output-json-smb.h \
 output-json-smtp.h \
- output-json-ssh.h \
 output-json-stats.h \
 output-json-template.h \
 output-json-tls.h \
@@ -1015,7 +1014,6 @@ libsuricata_c_a_SOURCES = \
 output-json-pgsql.c \
 output-json-smb.c \
 output-json-smtp.c \
- output-json-ssh.c \
 output-json-stats.c \
 output-json-template.c \
 output-json-tls.c \
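Review bot: `SCLogDebug("modbus json logger registered.");` is carried into OutputRegisterLoggers as the only per-protocol debug line in that function — the dns, tls and ssh registrations around it have none — so it reads as a leftover from the deleted JsonModbusLogRegister rather than a deliberate addition; drop it, or at least the blank `+` line that now separates it from the call it describes. Patch 28 of this series also touches the whitespace of the `JsonLogThreadDeinit, NULL);` continuation, which suggests the registration was not run through clang-format here. OutputRegisterLoggers continues outside the hunk.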
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 507c16ce720e..dce9542e4da3 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -64,7 +64,6 @@
 #include "output-json-dns.h"
 #include "output-json-http.h"
 #include "output-json-tls.h"
-#include "output-json-ssh.h"
 #include "rust.h"
 #include "output-json-smtp.h"
 #include "output-json-email-common.h"
diff --git a/src/output-json-ssh.c b/src/output-json-ssh.c
deleted file mode 100644
index 5ec70142f634..000000000000
--- a/src/output-json-ssh.c
+++ /dev/null
@@ -1,91 +0,0 @@ -/* Copyright (C) 2014-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - * - * Implements SSH JSON logging portion of the engine. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-print.h" -#include "util-unittest.h" - -#include "util-debug.h" -#include "app-layer-parser.h" -#include "output.h" -#include "app-layer-ssh.h" -#include "app-layer.h" -#include "util-privs.h" -#include "util-buffer.h" - -#include "util-logopenfile.h" - -#include "output-json.h" -#include "output-json-ssh.h" -#include "rust.h" - -#define MODULE_NAME "LogSshLog" - -static int JsonSshLogger(ThreadVars *tv, void *thread_data, const Packet *p, - Flow *f, void *state, void *txptr, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - if (unlikely(state == NULL)) { - return 0; - } - - JsonBuilder *js = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "ssh", NULL, tx_id, thread->ctx); - if (unlikely(js == NULL)) - return 0; - - jb_open_object(js, "ssh"); - if (!rs_ssh_log_json(txptr, js)) { - goto end; - } - jb_close(js); - OutputJsonBuilderBuffer(js, thread); - -end: - jb_free(js); - return 0; -} - -static OutputInitResult 
OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonSshLogRegister (void) -{ - /* register as child of eve-log */ - OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_TX, "eve-log", "JsonSshLog", "eve-log.ssh", - OutputSshLogInitSub, ALPROTO_SSH, JsonSshLogger, SSHTxLogCondition, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); -} diff --git a/src/output-json-ssh.h b/src/output-json-ssh.h deleted file mode 100644 index d0f9d3fc7dde..000000000000 --- a/src/output-json-ssh.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2014 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - */ - -#ifndef __OUTPUT_JSON_SSH_H__ -#define __OUTPUT_JSON_SSH_H__ - -void JsonSshLogRegister(void); - -#endif /* __OUTPUT_JSON_SSH_H__ */ diff --git a/src/output.c b/src/output.c index 9e4514a85207..f525de0e53ec 100644 --- a/src/output.c +++ b/src/output.c @@ -57,8 +57,9 @@ #include "log-tlslog.h" #include "log-tlsstore.h" #include "output-json-tls.h" -#include "output-json-ssh.h" #include "log-pcap.h" +// for SSHTxLogCondition +#include "app-layer-ssh.h" #include "output-json-file.h" #include "output-json-smtp.h" #include "output-json-stats.h" 
@@ -1117,6 +1118,12 @@ static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_
 return OutputJsonLogInitSub(conf, parent_ctx);
 }
+static OutputInitResult OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
 /**
 * \brief Register all non-root logging modules.
 */
@@ -1149,7 +1156,9 @@ void OutputRegisterLoggers(void)
 JsonTlsLogRegister();
 LogTlsStoreRegister();
 /* ssh */
- JsonSshLogRegister();
+ OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_TX, "eve-log", "JsonSshLog", "eve-log.ssh",
+ OutputSshLogInitSub, ALPROTO_SSH, JsonGenericLogger, SSHTxLogCondition, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
 /* pcap log */
 PcapLogRegister();
 /* file log */
From 9dbcbbdbcdc2790896342eeaf4440abe3b25e4ca Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 15 May 2023 09:58:38 +0200
Subject: [PATCH 27/28] output/http2: reuse code for file events
---
 src/Makefile.am | 2 --
 src/output-json-file.c | 8 ++------
 src/output-json-http2.c | 42 -----------------------------------------
 src/output-json-http2.h | 29 ----------------------------
 src/output.c | 1 -
 5 files changed, 2 insertions(+), 80 deletions(-)
 delete mode 100644 src/output-json-http2.c
 delete mode 100644 src/output-json-http2.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 041ddea7b2c2..3d6c19c460fa 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -405,7 +405,6 @@ noinst_HEADERS = \
 output-json-frame.h \
 output-json-ftp.h \
 output-json.h \
- output-json-http2.h \
 output-json-http.h \
 output-json-ike.h \
 output-json-metadata.h \
@@ -1004,7 +1003,6 @@ libsuricata_c_a_SOURCES = \
 output-json-flow.c \
 output-json-frame.c \
 output-json-ftp.c \
- output-json-http2.c \
 output-json-http.c \
 output-json-ike.c \
 output-json-metadata.c \
diff --git a/src/output-json-file.c b/src/output-json-file.c
index 540e1be001f7..0513d8bb1d6a 100644
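Review bot: Swapping JsonSshLogger for JsonGenericLogger in the ssh registration changes two things the deleted logger did explicitly, and the generic one is not in the diff: it returned early on `if (unlikely(state == NULL)) return 0;` and it built the event header with `LOG_DIR_FLOW`, while the template logger removed later in this series used `LOG_DIR_PACKET`. If JsonGenericLogger uses a single direction for every protocol, the src/dest orientation of `eve-log.ssh` events can change, which matters to anyone correlating ssh events by client address; confirm it matches and state it in the commit message. The `// for SSHTxLogCondition` include also ties output.c to app-layer-ssh.h; if that is intended, the comment could say why the condition is not exposed through the output-json headers. OutputRegisterLoggers continues outside the hunk.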
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -61,7 +61,6 @@
 #include "output-json-email-common.h"
 #include "output-json-nfs.h"
 #include "output-json-smb.h"
-#include "output-json-http2.h"
 #include "app-layer-htp.h"
 #include "app-layer-htp-xff.h"
@@ -123,6 +122,7 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx,
 return NULL;
 JsonBuilderMark mark = { 0, 0, 0 };
+ jb_get_mark(js, &mark);
 switch (p->flow->alproto) {
 case ALPROTO_HTTP1:
 jb_open_object(js, "http");
@@ -130,7 +130,6 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx,
 jb_close(js);
 break;
 case ALPROTO_SMTP:
- jb_get_mark(js, &mark);
 jb_open_object(js, "smtp");
 if (EveSMTPAddMetadata(p->flow, tx_id, js)) {
 jb_close(js);
@@ -147,7 +146,6 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx,
 break;
 case ALPROTO_NFS:
 /* rpc */
- jb_get_mark(js, &mark);
 jb_open_object(js, "rpc");
 if (EveNFSAddMetadataRPC(p->flow, tx_id, js)) {
 jb_close(js);
@@ -164,7 +162,6 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx,
 }
 break;
 case ALPROTO_SMB:
- jb_get_mark(js, &mark);
 jb_open_object(js, "smb");
 if (EveSMBAddMetadata(p->flow, tx_id, js)) {
 jb_close(js);
@@ -173,9 +170,8 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx,
 }
 break;
 case ALPROTO_HTTP2:
- jb_get_mark(js, &mark);
 jb_open_object(js, "http2");
- if (EveHTTP2AddMetadata(p->flow, tx_id, js)) {
+ if (tx && rs_http2_log_json(tx, js)) {
 jb_close(js);
 } else {
 jb_restore_mark(js, &mark);
diff --git a/src/output-json-http2.c b/src/output-json-http2.c
deleted file mode 100644
index 98622c5d9dd7..000000000000
--- a/src/output-json-http2.c
+++ /dev/null
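Review bot: The HTTP2 branch now trusts the caller's `tx` argument directly (`if (tx && rs_http2_log_json(tx, js))`), while the SMTP, NFS and SMB branches next to it still resolve the transaction from `p->flow` and `tx_id`, and the deleted EveHTTP2AddMetadata looked it up with `AppLayerParserGetTx(f->proto, ALPROTO_HTTP2, state, tx_id)`; the two paths agree only if every caller of JsonBuildFileInfoRecord passes the transaction that belongs to `tx_id`, which the hunk cannot show. Please document that precondition on the `void *tx` parameter, e.g. `/* tx: the app-layer transaction for tx_id, or NULL; the HTTP2 branch logs from it directly */`, or make the other branches use `tx` as well so the function has one contract. Hoisting `jb_get_mark(js, &mark);` ahead of the switch is fine; the HTTP1 branch just never restores it. JsonBuildFileInfoRecord continues outside the hunk.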
@@ -1,42 +0,0 @@ -/* Copyright (C) 2020-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Philippe Antoine - * - * Implements HTTP2 JSON logging portion of the engine. - */ - -#include "suricata-common.h" -#include "app-layer-parser.h" -#include "output-json.h" -#include "output-json-http2.h" -#include "rust.h" - -bool EveHTTP2AddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb) -{ - void *state = FlowGetAppState(f); - if (state) { - void *tx = AppLayerParserGetTx(f->proto, ALPROTO_HTTP2, state, tx_id); - if (tx) { - return rs_http2_log_json(tx, jb); - } - } - return false; -} diff --git a/src/output-json-http2.h b/src/output-json-http2.h deleted file mode 100644 index 7e41dc7ea6ed..000000000000 --- a/src/output-json-http2.h +++ /dev/null 
@@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Philippe Antoine - */ - -#ifndef __OUTPUT_JSON_HTTP2_H__ -#define __OUTPUT_JSON_HTTP2_H__ - -bool EveHTTP2AddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb); - -#endif /* __OUTPUT_JSON_HTTP2_H__ */ diff --git a/src/output.c b/src/output.c index f525de0e53ec..66e964467215 100644 --- a/src/output.c +++ b/src/output.c @@ -75,7 +75,6 @@ #include "output-json-mqtt.h" #include "output-json-pgsql.h" #include "output-json-template.h" -#include "output-json-http2.h" #include "output-lua.h" #include "output-json-dnp3.h" #include "output-json-metadata.h" From d544917d204c40b890273d433123212e4707b661 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 15 May 2023 16:12:12 +0200 Subject: [PATCH 28/28] output/template: reuse code for file events And fix setup app layer script up for it --- scripts/setup-app-layer.py | 34 +++---- src/Makefile.am | 2 - src/output-json-template.c | 178 ------------------------------------- src/output-json-template.h | 29 ------ src/output.c | 17 ++-- 5 files changed, 24 insertions(+), 236 deletions(-) delete mode 100644 src/output-json-template.c delete mode 100644 src/output-json-template.h 
diff --git a/scripts/setup-app-layer.py b/scripts/setup-app-layer.py
index d8426634bca8..26d9892b87f7 100755
--- a/scripts/setup-app-layer.py
+++ b/scripts/setup-app-layer.py
@@ -200,15 +200,21 @@ def logger_patch_output_c(proto):
 output = io.StringIO()
 inlines = open(filename).readlines()
 for i, line in enumerate(inlines):
- if line.find("ALPROTO_TEMPLATE") > -1:
- new_line = line.replace("TEMPLATE", proto.upper()).replace(
- "template", proto.lower())
- output.write(new_line)
- if line.find("output-json-template.h") > -1:
- output.write(line.replace("template", proto.lower()))
 if line.find("/* Template JSON logger.") > -1:
 output.write(inlines[i].replace("Template", proto))
 output.write(inlines[i+1].replace("Template", proto))
+ output.write(inlines[i+2].replace("TEMPLATE", proto.upper()).replace(
+ "template", proto.lower()).replace("Template", proto))
+ output.write(inlines[i+3])
+ if line.find("rs_template_logger_log") > -1:
+ output.write(inlines[i].replace("TEMPLATE", proto.upper()).replace(
+ "template", proto.lower()))
+ if line.find("OutputTemplateLogInitSub(") > -1:
+ output.write(inlines[i].replace("Template", proto))
+ output.write(inlines[i+1])
+ output.write(inlines[i+2].replace("TEMPLATE", proto.upper()))
+ output.write(inlines[i+3])
+ output.write(inlines[i+4])
 output.write(line)
 open(filename, "w").write(output.getvalue())
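Review bot: The `inlines[i+1]` line of the "Template JSON logger" block only substitutes `Template`, but in the new output.c that line is the `OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTemplateLog", "eve-log.template",` call shown in this patch's output.c hunk, so the generated protocol's module keeps the `"eve-log.template"` config key while `i+2` is correctly mapped with all three replacements; change it to `output.write(inlines[i+1].replace("Template", proto).replace("template", proto.lower()))`. The block also depends on the registration being exactly four lines and `OutputTemplateLogInitSub` exactly five, so a reformat of output.c (patch 28 already rewraps two neighbouring registrations) would silently emit a broken file; reading until the line that ends in `);` or `}` instead of fixed offsets would make the patcher robust. The `open(filename).readlines()` and `open(filename, "w").write(...)` calls predate this change but a `with` block would fit the style used elsewhere in the script.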
@@ -216,27 +222,12 @@ def logger_copy_templates(proto):
 lower = proto.lower()
 pairs = (
- ("src/output-json-template.h",
- "src/output-json-%s.h" % (lower)),
- ("src/output-json-template.c",
- "src/output-json-%s.c" % (lower)),
 ("rust/src/applayertemplate/logger.rs",
 "rust/src/applayer%s/logger.rs" % (lower)),
 )
 common_copy_templates(proto, pairs)
-def logger_patch_makefile_am(protoname):
- filename = "src/Makefile.am"
- print("Patching %s." % (filename))
- output = io.StringIO()
- with open(filename) as infile:
- for line in infile:
- if line.lstrip().startswith("output-json-template."):
- output.write(line.replace("template", protoname.lower()))
- output.write(line)
- open(filename, "w").write(output.getvalue())
-
 def detect_copy_templates(proto, buffername):
 lower = proto.lower()
@@ -398,7 +389,6 @@ def main():
 raise SetupError("no app-layer parser exists for %s" % (proto))
 logger_copy_templates(proto)
 patch_rust_applayer_mod_rs(proto)
- logger_patch_makefile_am(proto)
 logger_patch_output_c(proto)
 logger_patch_suricata_yaml_in(proto)
diff --git a/src/Makefile.am b/src/Makefile.am
index 3d6c19c460fa..7d8f30765342 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -415,7 +415,6 @@ noinst_HEADERS = \
 output-json-smb.h \
 output-json-smtp.h \
 output-json-stats.h \
- output-json-template.h \
 output-json-tls.h \
 output-eve-syslog.h \
 output-lua.h \
@@ -1013,7 +1012,6 @@ libsuricata_c_a_SOURCES = \
 output-json-smb.c \
 output-json-smtp.c \
 output-json-stats.c \
- output-json-template.c \
 output-json-tls.c \
 output-eve-syslog.c \
 output-lua.c \
diff --git a/src/output-json-template.c b/src/output-json-template.c
deleted file mode 100644
index 76d42ad834e6..000000000000
--- a/src/output-json-template.c
+++ /dev/null
@@ -1,178 +0,0 @@ -/* Copyright (C) 2018-2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/* - * TODO: Update \author in this file and in output-json-template.h. - * TODO: Remove SCLogNotice statements, or convert to debug. - * TODO: Implement your app-layers logging. - */ - -/** - * \file - * - * \author FirstName LastName - * - * Implement JSON/eve logging app-layer Template. 
- */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "output-json-template.h" -#include "rust.h" - -typedef struct LogTemplateFileCtx_ { - uint32_t flags; - OutputJsonCtx *eve_ctx; -} LogTemplateFileCtx; - -typedef struct LogTemplateLogThread_ { - LogTemplateFileCtx *templatelog_ctx; - OutputJsonThreadCtx *ctx; -} LogTemplateLogThread; - -static int JsonTemplateLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, - void *state, void *tx, uint64_t tx_id) -{ - SCLogNotice("JsonTemplateLogger"); - LogTemplateLogThread *thread = thread_data; - - JsonBuilder *js = - CreateEveHeader(p, LOG_DIR_PACKET, "template", NULL, thread->templatelog_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_FAILED; - } - - jb_open_object(js, "template"); - if (!rs_template_logger_log(tx, js)) { - goto error; - } - jb_close(js); - - OutputJsonBuilderBuffer(js, thread->ctx); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static void OutputTemplateLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogTemplateFileCtx *templatelog_ctx = (LogTemplateFileCtx *)output_ctx->data; - SCFree(templatelog_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputTemplateLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogTemplateFileCtx *templatelog_ctx = SCCalloc(1, sizeof(*templatelog_ctx)); - if (unlikely(templatelog_ctx == NULL)) { - return result; - } - templatelog_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - 
SCFree(templatelog_ctx); - return result; - } - output_ctx->data = templatelog_ctx; - output_ctx->DeInit = OutputTemplateLogDeInitCtxSub; - - SCLogNotice("Template log sub-module initialized."); - - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TEMPLATE); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonTemplateLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - LogTemplateLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogTemplate. \"initdata\" is NULL."); - goto error_exit; - } - - thread->templatelog_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->templatelog_ctx->eve_ctx); - if (!thread->ctx) { - goto error_exit; - } - *data = (void *)thread; - - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonTemplateLogThreadDeinit(ThreadVars *t, void *data) -{ - LogTemplateLogThread *thread = (LogTemplateLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonTemplateLogRegister(void) -{ - /* TEMPLATE_START_REMOVE */ - if (ConfGetNode("app-layer.protocols.template") == NULL) { - return; - } - /* TEMPLATE_END_REMOVE */ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTemplateLog", "eve-log.template", - OutputTemplateLogInitSub, ALPROTO_TEMPLATE, JsonTemplateLogger, - JsonTemplateLogThreadInit, JsonTemplateLogThreadDeinit, NULL); - - SCLogNotice("Template JSON logger registered."); -} diff --git a/src/output-json-template.h b/src/output-json-template.h deleted file mode 100644 index d27b8d7c0e05..000000000000 --- a/src/output-json-template.h +++ /dev/null 
@@ -1,29 +0,0 @@
-/* Copyright (C) 2018 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author FirstName LastName
- */
-
-#ifndef __OUTPUT_JSON_TEMPLATE_RUST_H__
-#define __OUTPUT_JSON_TEMPLATE_RUST_H__
-
-void JsonTemplateLogRegister(void);
-
-#endif /* __OUTPUT_JSON_TEMPLATE_RUST_H__ */
diff --git a/src/output.c b/src/output.c
index 66e964467215..23da55cf0fa8 100644
--- a/src/output.c
+++ b/src/output.c
@@ -74,7 +74,6 @@
 #include "output-json-dhcp.h"
 #include "output-json-mqtt.h"
 #include "output-json-pgsql.h"
-#include "output-json-template.h"
 #include "output-lua.h"
 #include "output-json-dnp3.h"
 #include "output-json-metadata.h"
@@ -1074,6 +1073,12 @@ static OutputInitResult OutputRFBLogInitSub(ConfNode *conf, OutputCtx *parent_ct
 return OutputJsonLogInitSub(conf, parent_ctx);
 }
+static OutputInitResult OutputTemplateLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+ AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TEMPLATE);
+ return OutputJsonLogInitSub(conf, parent_ctx);
+}
+
 static OutputInitResult OutputSIPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
 {
 AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SIP);
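Review bot: OutputTemplateLogInitSub has no comment saying that its exact shape is load-bearing: scripts/setup-app-layer.py in this same patch copies it by the fixed offsets `inlines[i]` through `inlines[i+4]` after matching `OutputTemplateLogInitSub(`, so adding a line here (a config guard, a debug message, a blank) silently corrupts every generated logger; add `/* Copied verbatim by scripts/setup-app-layer.py: keep it exactly these five lines. */` above the definition. The removed JsonTemplateLogRegister also bailed out with `if (ConfGetNode("app-layer.protocols.template") == NULL) return;` inside its TEMPLATE_START_REMOVE block, and nothing in the new path reproduces that check; if keeping the shipped template quiet now relies on the eve-log.template config lookup in OutputJsonLogInitSub, which is not in the diff, it is worth stating in the commit message. The IPPROTO_TCP constant is inherited from the deleted file and is the same for every generated protocol, so a UDP-based app-layer would need a manual edit after generation.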
@@ -1156,8 +1161,8 @@ void OutputRegisterLoggers(void)
 LogTlsStoreRegister();
 /* ssh */
 OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_TX, "eve-log", "JsonSshLog", "eve-log.ssh",
- OutputSshLogInitSub, ALPROTO_SSH, JsonGenericLogger, SSHTxLogCondition, JsonLogThreadInit,
- JsonLogThreadDeinit, NULL);
+ OutputSshLogInitSub, ALPROTO_SSH, JsonGenericLogger, SSHTxLogCondition,
+ JsonLogThreadInit, JsonLogThreadDeinit, NULL);
 /* pcap log */
 PcapLogRegister();
 /* file log */
@@ -1168,7 +1173,7 @@ void OutputRegisterLoggers(void)
 /* modbus */
 OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonModbusLog", "eve-log.modbus",
 OutputModbusLogInitSub, ALPROTO_MODBUS, JsonGenericLogger, JsonLogThreadInit,
- JsonLogThreadDeinit, NULL);
+ JsonLogThreadDeinit, NULL);
 SCLogDebug("modbus json logger registered.");
 /* tcp streaming data */
@@ -1237,7 +1242,9 @@ void OutputRegisterLoggers(void)
 /* Pgsql JSON logger. */
 JsonPgsqlLogRegister();
 /* Template JSON logger. */
- JsonTemplateLogRegister();
+ OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTemplateLog", "eve-log.template",
+ OutputTemplateLogInitSub, ALPROTO_TEMPLATE, JsonGenericLogger, JsonLogThreadInit,
+ JsonLogThreadDeinit, NULL);
 /* RDP JSON logger. */
 OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRdpLog", "eve-log.rdp",
 OutputRdpLogInitSub, ALPROTO_RDP, JsonGenericLogger, JsonLogThreadInit,