json_object_set_new(js, "tunnel", tunnel);
}
-static void AlertJsonPacket(const Packet *p, json_t *js)
-{
- unsigned long len = GET_PKT_LEN(p) * 2;
- uint8_t encoded_packet[len];
- Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p),
- encoded_packet, &len);
- json_object_set_new(js, "packet", json_string((char *)encoded_packet));
-
- /* Create packet info. */
- json_t *packetinfo_js = json_object();
- if (unlikely(packetinfo_js == NULL)) {
- return;
- }
- json_object_set_new(packetinfo_js, "linktype", json_integer(p->datalink));
- json_object_set_new(js, "packet_info", packetinfo_js);
-}
-
static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, json_t *js, const Packet *p)
{
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
/* base64-encoded full packet */
if (json_output_ctx->flags & LOG_JSON_PACKET) {
- AlertJsonPacket(p, js);
+ JsonPacket(p, js, 0);
}
/* signature text */
MemBufferReset(aft->json_buffer);
json_t *packetjs = CreateJSONHeader(p, LOG_DIR_PACKET, "packet");
if (unlikely(packetjs != NULL)) {
- AlertJsonPacket(p, packetjs);
+ JsonPacket(p, packetjs, 0);
OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
json_decref(packetjs);
}
#include "util-proto-name.h"
#include "util-optimize.h"
#include "util-buffer.h"
+#include "util-crypt.h"
#include "util-validate.h"
#define MODULE_NAME "JsonAnomalyLog"
#ifdef HAVE_LIBJANSSON
-#define LOG_JSON_PACKET BIT_U16(0)
-#define JSON_STREAM_BUFFER_SIZE 4096
+#define LOG_JSON_PACKETHDR BIT_U16(0)
typedef struct AnomalyJsonOutputCtx_ {
LogFileCtx* file_ctx;
static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
{
- bool is_IP_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
+ bool is_ip_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
char timebuf[64];
CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
return TM_ECODE_OK;
}
- if (!is_IP_pkt) {
+ if (!is_ip_pkt) {
json_object_set_new(js, "timestamp", json_string(timebuf));
} else {
JsonFiveTuple((const Packet *)p, LOG_DIR_PACKET, js);
JsonAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
}
- if (aft->json_output_ctx->flags & LOG_JSON_PACKET) {
- char buf[(32 * 3) + 1];
- PrintRawLineHexBuf(buf, sizeof(buf), GET_PKT_DATA(p),
- GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
- json_object_set_new(js, "packethdr", json_string((char *)buf));
-
- json_object_set_new(js, "linktype", json_integer(p->datalink));
+ if (aft->json_output_ctx->flags & LOG_JSON_PACKETHDR) {
+ JsonPacket(p, js, GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
}
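Review bot: The new call passes `GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32` as max_length, but JsonPacket treats 0 as "whole packet", so an empty packet hands it the sentinel value; the result happens to be the same here only because the whole packet is also empty, which makes the sentinel fragile for any future caller. The bare 32 should be a named constant next to LOG_JSON_PACKETHDR, e.g. `#define JSON_ANOMALY_PACKETHDR_LEN 32`, with a comment that it is the header-snapshot length the old hex `packethdr` field used. This hunk also changes the emitted key from `packethdr` (hex) to `packet` (base64) plus a nested `packet_info` object, which consumers of the anomaly log will need to be told about in the commit message or docs. AnomalyJson's body continues outside the hunk.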
uint8_t event_code = p->events.events[i];
} else {
/* include event code with unrecognized events */
uint32_t offset = 0;
- char unknown_event_buf[16];
+ char unknown_event_buf[8];
json_object_set_new(ajs, "type", json_string("unknown"));
- PrintBufferData(unknown_event_buf, &offset, 16, "%d", event_code);
+ PrintBufferData(unknown_event_buf, &offset, 8, "%d", event_code);
json_object_set_new(ajs, "code", json_string(unknown_event_buf));
}
{
uint16_t flags = 0;
if (conf != NULL) {
- SetFlag(conf, "packethdr", LOG_JSON_PACKET, &flags);
+ SetFlag(conf, "packethdr", LOG_JSON_PACKETHDR, &flags);
}
json_output_ctx->flags |= flags;
}
return result;
error:
- if (json_output_ctx != NULL) {
- SCFree(json_output_ctx);
- }
-
SCFree(output_ctx);
return result;
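Review bot: The error label now frees only output_ctx; if json_output_ctx is still allocated earlier in this function before a `goto error` (the function start is outside the hunk, so I cannot confirm), that allocation now leaks on the failure path unless it is released elsewhere. If the intent is that json_output_ctx is freed by the caller or never allocated before the jump, a one-line comment at the label, `/* json_output_ctx is owned by ... once allocated */`, would make that visible to the next reader.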
OutputRegisterPacketModule(LOGGER_JSON_ANOMALY, MODULE_NAME, "anomaly-json-log",
JsonAnomalyLogInitCtx, JsonAnomalyLogger, JsonAnomalyLogCondition,
JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit, NULL);
+
OutputRegisterPacketSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME,
"eve-log.anomaly", JsonAnomalyLogInitCtxSub, JsonAnomalyLogger,
JsonAnomalyLogCondition, JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit,
}
}
+/**
+ * \brief Jsonify a packet
+ *
+ * \param p Packet
+ * \param js JSON object
+ * \param max_length If non-zero, restricts the number of packet data bytes handled.
+ */
+void JsonPacket(const Packet *p, json_t *js, unsigned long max_length)
+{
+ unsigned long max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
+ unsigned long len = 2 * max_len;
+ uint8_t encoded_packet[len];
+ Base64Encode((unsigned char*) GET_PKT_DATA(p), max_len, encoded_packet, &len);
+ json_object_set_new(js, "packet", json_string((char *)encoded_packet));
+
+ /* Create packet info. */
+ json_t *packetinfo_js = json_object();
+ if (unlikely(packetinfo_js == NULL)) {
+ return;
+ }
+ json_object_set_new(packetinfo_js, "linktype", json_integer(p->datalink));
+ json_object_set_new(js, "packet_info", packetinfo_js);
+}
/** \brief jsonify tcp flags field
* Only add 'true' fields in an attempt to keep things reasonably compact.
*/