1 /* Copyright (C) 2017-2021 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 *
23 * Implements JSON/eve logging for app-layer SMB.
24 */
25
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "pkt-var.h"
29 #include "conf.h"
30
31 #include "threads.h"
32 #include "threadvars.h"
33 #include "tm-threads.h"
34
35 #include "util-unittest.h"
36 #include "util-buffer.h"
37 #include "util-debug.h"
38 #include "util-byte.h"
39
40 #include "output.h"
41 #include "output-json.h"
42
43 #include "app-layer.h"
44 #include "app-layer-parser.h"
45
46 #include "output-json-smb.h"
47
48 #include "rust.h"
49
/**
 * \brief Append the SMB record of one transaction to an existing JSON builder.
 *
 * Fetches the SMB app-layer state from the flow, resolves the transaction
 * with the given id and hands both to rs_smb_log_json_response().
 *
 * \param f     flow to read the app-layer state from; f->proto is
 *              dereferenced, so the caller must pass a valid flow
 * \param tx_id id of the transaction to look up
 * \param jb    JSON builder the record is written into
 *
 * \retval false if the flow has no app state or the transaction is not found
 * \retval other the result of rs_smb_log_json_response()
 *
 * NOTE(review): the logged values presumably originate from parsed network
 * traffic; downstream consumers of the record should treat them as
 * untrusted data -- confirm against the Rust serializer.
 */
bool EveSMBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *jb)
{
    SMBState *smb_state = FlowGetAppState(f);
    if (smb_state == NULL) {
        /* No app-layer state attached to this flow: nothing to add. */
        return false;
    }

    SMBTransaction *smb_tx = AppLayerParserGetTx(f->proto, ALPROTO_SMB, smb_state, tx_id);
    if (smb_tx == NULL) {
        /* Transaction id did not resolve to a transaction. */
        return false;
    }

    return rs_smb_log_json_response(jb, smb_state, smb_tx);
}
61
/**
 * \brief Per-transaction logger callback: emit one "smb" eve record.
 *
 * Creates the eve header for the packet/flow, opens an "smb" object,
 * lets rs_smb_log_json_response() fill it, and writes the finished
 * builder out through OutputJsonBuilderBuffer().
 *
 * \param tv          thread vars (not used in this function)
 * \param thread_data per-thread logger context, used as OutputJsonThreadCtx
 * \param p           packet passed to CreateEveHeader()
 * \param f           flow (not used in this function)
 * \param state       app-layer state handed to the Rust serializer
 * \param tx          transaction handed to the Rust serializer
 * \param tx_id       transaction id (not used in this function)
 *
 * \retval TM_ECODE_OK     record was built and passed to the output buffer
 * \retval TM_ECODE_FAILED header creation or serialization failed
 *
 * NOTE(review): the return values of jb_open_object() and jb_close() are
 * not checked here -- confirm a failure there cannot yield a malformed
 * record being written.
 */
static int JsonSMBLogger(ThreadVars *tv, void *thread_data,
    const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
{
    OutputJsonThreadCtx *log_thread = thread_data;
    int rc = TM_ECODE_FAILED;

    JsonBuilder *builder = CreateEveHeader(p, LOG_DIR_FLOW, "smb", NULL, log_thread->ctx);
    if (unlikely(builder == NULL)) {
        return TM_ECODE_FAILED;
    }

    jb_open_object(builder, "smb");
    if (rs_smb_log_json_response(builder, state, tx)) {
        /* Only a fully serialized record is closed and written out. */
        jb_close(builder);
        OutputJsonBuilderBuffer(builder, log_thread);
        rc = TM_ECODE_OK;
    }

    /* The builder is released on both the success and the failure path. */
    jb_free(builder);
    return rc;
}
87
/**
 * \brief Sub-module init: register the SMB logger and set up the eve sub-context.
 *
 * Registers a logger for ALPROTO_SMB on IPPROTO_TCP and then on
 * IPPROTO_UDP, and delegates the rest of the initialization to
 * OutputJsonLogInitSub().
 *
 * \param conf       configuration node for this sub-module
 * \param parent_ctx output context of the parent eve logger
 *
 * \retval result of OutputJsonLogInitSub()
 */
static OutputInitResult SMBLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
    /* Same registration order as before: TCP first, then UDP. */
    const int ipprotos[] = { IPPROTO_TCP, IPPROTO_UDP };
    const size_t count = sizeof(ipprotos) / sizeof(ipprotos[0]);

    for (size_t i = 0; i < count; i++) {
        AppLayerParserRegisterLogger(ipprotos[i], ALPROTO_SMB);
    }

    OutputInitResult result = OutputJsonLogInitSub(conf, parent_ctx);
    return result;
}
94
/**
 * \brief Register the SMB JSON logger as a transaction sub-module of "eve-log".
 *
 * Hooks SMBLogInitSub() as the init function and JsonSMBLogger() as the
 * per-transaction callback for ALPROTO_SMB, using the shared
 * JsonLogThreadInit()/JsonLogThreadDeinit() thread handlers.
 */
void JsonSMBLogRegister(void)
{
    /* Register as an eve sub-module. */
    OutputRegisterTxSubModule(
            LOGGER_JSON_SMB,     /* logger id */
            "eve-log",           /* parent module name */
            "JsonSMBLog",        /* sub-module name */
            "eve-log.smb",       /* configuration name */
            SMBLogInitSub,       /* init function */
            ALPROTO_SMB,         /* app-layer protocol */
            JsonSMBLogger,       /* per-transaction log function */
            JsonLogThreadInit,   /* thread init */
            JsonLogThreadDeinit, /* thread deinit */
            NULL);

    SCLogDebug("SMB JSON logger registered.");
}