-1 },
};
+int AppLayerGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type)
+{
+ *event_name = SCMapEnumValueToName(event_id, app_layer_event_pkt_table);
+ if (*event_name == NULL) {
+ SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
+ "app-layer-event's enum map table.", event_id);
+ /* yes this is fatal */
+ return -1;
+ }
+
+ *event_type = APP_LAYER_EVENT_TYPE_PACKET;
+
+ return 0;
+}
+
int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
{
*event_id = SCMapEnumNameToValue(event_name, app_layer_event_pkt_table);
int AppLayerGetPktEventInfo(const char *event_name, int *event_id);
+int AppLayerGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type);
void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event);
void AppLayerDecoderEventsSetEvent(Flow *f, uint8_t event);
void *(*StateGetTx)(void *alstate, uint64_t tx_id);
AppLayerGetTxIteratorFunc StateGetTxIterator;
int (*StateGetProgressCompletionStatus)(uint8_t direction);
+ int (*StateGetEventInfoById)(int event_id, const char **event_name,
+ AppLayerEventType *event_type);
int (*StateGetEventInfo)(const char *event_name,
int *event_id, AppLayerEventType *event_type);
SCReturn;
}
+void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
+ int (*StateGetEventInfoById)(int event_id, const char **event_name,
+ AppLayerEventType *event_type))
+{
+ SCEnter();
+
+ alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
+ StateGetEventInfoById = StateGetEventInfoById;
+
+ SCReturn;
+}
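Review bot: AppLayerParserRegisterGetEventInfoById has no header comment, and the contract a reader needs is not visible from the body: the callback is stored per (ipproto, alproto) slot on `alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto]` with no bounds check on alproto, so it presumably relies on callers passing only a registered AppProto, as its sibling AppLayerParserRegisterGetEventInfo below appears to. I would add a doxygen block stating that: `/** \brief Register the event-id -> (name, type) lookup used by AppLayerParserGetEventInfoById for one (ipproto, alproto); alproto must be a valid registered AppProto. */`. The sibling's body continues outside the hunk.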
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
int (*StateGetEventInfo)(const char *event_name, int *event_id,
AppLayerEventType *event_type))
SCReturnInt(r);
}
+int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id,
+ const char **event_name, AppLayerEventType *event_type)
+{
+ SCEnter();
+ int ipproto_map = FlowGetProtoMapping(ipproto);
+ *event_name = (const char *)NULL;
+ int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById == NULL) ?
+ -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById(event_id, event_name, event_type);
+ SCReturnInt(r);
+}
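Review bot: On the -1 path (no StateGetEventInfoById callback registered) `*event_type` is left untouched while `*event_name` is explicitly cleared, so a caller that reads event_type after a failure gets an indeterminate value; either clear it too or document that event_type is only meaningful when the return is 0. The cast in `*event_name = (const char *)NULL;` is redundant; `*event_name = NULL;` reads cleaner. A short doxygen block would make the contract explicit: `/** \brief Resolve an app-layer event id to its name and type for (ipproto, alproto). \retval 0 on success, -1 if no lookup is registered or the id is unknown (event_name is NULL in that case). */`.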
+
uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
{
SCEnter();
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
int (*StateGetEventInfo)(const char *event_name, int *event_id,
AppLayerEventType *event_type));
+void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
+ int (*StateGetEventInfoById)(int event_id, const char **event_name,
+ AppLayerEventType *event_type));
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto,
DetectEngineState *(*GetTxDetectState)(void *tx),
int (*SetTxDetectState)(void *tx, DetectEngineState *));
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction);
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
int *event_id, AppLayerEventType *event_type);
+int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id,
+ const char **event_name, AppLayerEventType *event_type);
uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction);
return 0;
}
+static int TemplateStateGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type)
+{
+ *event_name = SCMapEnumValueToName(event_id, template_decoder_event_table);
+ if (*event_name == NULL) {
+ SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
+ "template enum map table.", event_id);
+ /* This should be treated as fatal. */
+ return -1;
+ }
+
+ *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+
+ return 0;
+}
+
static AppLayerDecoderEvents *TemplateGetEvents(void *statev, uint64_t tx_id)
{
TemplateState *state = statev;
AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_TEMPLATE,
TemplateStateGetEventInfo);
+ AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_TEMPLATE,
+ TemplateStateGetEventInfoById);
AppLayerParserRegisterGetEventsFunc(IPPROTO_TCP, ALPROTO_TEMPLATE,
TemplateGetEvents);
}
#include "detect.h"
#include "flow.h"
#include "conf.h"
+#include "app-layer.h"
#include "threads.h"
#include "tm-threads.h"
AnomalyJsonOutputCtx* json_output_ctx;
} JsonAnomalyLogThread;
-static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
+static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
{
bool is_ip_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
return TM_ECODE_OK;
}
+extern SCEnumCharMap http_decoder_event_table[];
+static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft, const Packet *p, AppLayerDecoderEvents *decoder_events)
+{
+ for (int i = 0; i < decoder_events->cnt; i++) {
+ MemBufferReset(aft->json_buffer);
+
+ json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "app_anomaly");
+
+ if (unlikely(js == NULL)) {
+ return TM_ECODE_OK;
+ }
+ json_t *ajs = json_object();
+ if (unlikely(ajs == NULL)) {
+ json_decref(js);
+ return TM_ECODE_OK;
+ }
+ JsonFiveTuple((const Packet *)p, LOG_DIR_PACKET, js);
+ JsonAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
+ uint8_t event_code = decoder_events->events[i];
+ #if 0
+ int r;
+ AppLayerEventType event_type;
+ r = AppLayerParserGetEventInfo(p->flow->proto, p->flow->alproto, 1, event_code, &event_type);
+ printf("r is %d\n", r);
+ #endif
+ /* include event code with unrecognized events */
+ uint32_t offset = 0;
+ char unknown_event_buf[8];
+ json_object_set_new(ajs, "type", json_string(http_decoder_event_table[event_code].enum_name));
+ json_object_set_new(ajs, "alproto", json_string(AppLayerGetProtoName(p->flow->alproto)));
+ PrintBufferData(unknown_event_buf, &offset, 8, "%d", event_code);
+ json_object_set_new(ajs, "code", json_string(unknown_event_buf));
+
+ /* anomaly */
+ json_object_set_new(js, "app_anomaly", ajs);
+ OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
+
+ json_object_clear(js);
+ json_decref(js);
+ }
+ return TM_ECODE_OK;
+}
+
+static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
+{
+
+ int rc = TM_ECODE_OK;
+
+ if (p->events.cnt) {
+ rc = AnomalyDecodeEventJson(tv, aft, p);
+ }
+
+ if (p->app_layer_events != NULL) {
+ SCLogInfo("We have some events");
+ rc = AnomalyAppLayerDecoderEventJson(aft, p, p->app_layer_events);
+ }
+ return rc;
+
+#if 0
+ if (rc == TM_ECODE_OK && p->flow) {
+ Flow *f = p->flow;
+ if (!AppLayerParserProtocolIsTxEventAware(f->proto, f->alproto)) {
+ return rc;
+ }
+
+ for (uint64_t i = i; i < AppLayerParserGetTxCnt(f, f->alstate); i++) {
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(f->proto, f->alproto, f->alstate, i);
+ if (!(decoder_events && decoder_events->cnt)) {
+ continue;
+ }
+
+ rc = AnomalyAppLayerDecoderEventJson(aft, p, decoder_events);
+ if (rc != TM_ECODE_OK) {
+ break;
+ }
+ }
+ }
+ return rc;
+#endif
+}
+
static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
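Review bot: The name lookup `http_decoder_event_table[event_code].enum_name` in AnomalyAppLayerDecoderEventJson indexes the HTTP table for every protocol, although the alproto logged on the next line is taken from `p->flow->alproto`; for a non-HTTP flow the "type" string is wrong, and because `event_code` is an arbitrary uint8_t from `decoder_events->events[i]` with no bound against the table length, a code past the table's terminator is an out-of-bounds read. This commit adds AppLayerParserGetEventInfoById for exactly this lookup, so the logger should call it with the flow's proto/alproto and fall back to the numeric "code" when it returns -1, which also removes the need for the `extern SCEnumCharMap http_decoder_event_table[];` declaration. The `#if 0` blocks (the one inside the loop and the tx-iteration block at the end of AnomalyJson, whose `for (uint64_t i = i; ...)` reads an uninitialized variable if ever enabled) and the per-packet `SCLogInfo("We have some events");` look like leftover scaffolding that should not land. Note also that `rc` from AnomalyDecodeEventJson is overwritten by the app-layer call, so a failure in the first is lost, and `p->flow` is dereferenced without a NULL check — fine only if app_layer_events can never be set on a flowless packet, which I cannot confirm from this hunk.
```c
        uint8_t event_code = decoder_events->events[i];
        /* … unchanged: js/ajs creation, JsonFiveTuple, JsonAddCommonOptions … */
        const char *event_name = NULL;
        AppLayerEventType event_type;
        int r = AppLayerParserGetEventInfoById(p->flow->proto, p->flow->alproto,
                event_code, &event_name, &event_type);
        /* unknown ids still get "alproto" and the numeric "code" below */
        if (r == 0 && event_name != NULL) {
            json_object_set_new(ajs, "type", json_string(event_name));
        }
        json_object_set_new(ajs, "alproto", json_string(AppLayerGetProtoName(p->flow->alproto)));
        /* … unchanged: numeric code, OutputJSONBuffer, cleanup … */
```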
static int JsonAnomalyLogCondition(ThreadVars *tv, const Packet *p)
{
- return p->events.cnt > 0 ? TRUE : FALSE;
+ return p->events.cnt > 0 || p->app_layer_events != NULL;
}
#define OUTPUT_BUFFER_SIZE 65535
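Review bot: The new condition fires whenever `p->app_layer_events` is non-NULL even if its `cnt` is 0, whereas the packet-event half still requires `cnt > 0`; the logger in this file then runs its loop zero times, so nothing is emitted, but the call is made for every such packet. For symmetry with the other operand, `return p->events.cnt > 0 || (p->app_layer_events != NULL && p->app_layer_events->cnt > 0);`.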