pub hdr: IkeV2Header,
+ pub payload_types: Vec<IkePayloadType>,
+ pub notify_types: Vec<NotifyType>,
+
+ /// IKEv2 errors seen during exchange
+ pub errors: u32,
+
/// The internal transaction id
id: u64,
match parse_ikev2_payload_list(rem,hdr.next_payload) {
IResult::Done(_,Ok(ref p)) => {
for payload in p {
+ tx.payload_types.push(payload.hdr.next_payload_type);
match payload.content {
IkeV2PayloadContent::Dummy => (),
IkeV2PayloadContent::SA(ref prop) => {
},
IkeV2PayloadContent::Notify(ref n) => {
SCLogDebug!("Notify: {:?}", n);
+ if n.notify_type.is_error() {
+ tx.errors += 1;
+ }
+ tx.notify_types.push(n.notify_type);
},
// XXX CertificateRequest
// XXX Certificate
msg_id: 0,
length: 0,
},
+ payload_types: Vec::new(),
+ notify_types: Vec::new(),
+ errors: 0,
id: id,
de_state: None,
events: std::ptr::null_mut(),
--- /dev/null
+/* Copyright (C) 2018 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+// written by Pierre Chifflier <chifflier@wzdftpd.net>
+
+use json::*;
+use ikev2::ikev2::{IKEV2State,IKEV2Transaction};
+
+use ikev2::ipsec_parser::IKEV2_FLAG_INITIATOR;
+
+#[no_mangle]
+pub extern "C" fn rs_ikev2_log_json_response(state: &mut IKEV2State, tx: &mut IKEV2Transaction) -> *mut JsonT
+{
+ let js = Json::object();
+ js.set_integer("version_major", tx.hdr.maj_ver as u64);
+ js.set_integer("version_minor", tx.hdr.min_ver as u64);
+ js.set_integer("exchange_type", tx.hdr.exch_type.0 as u64);
+ js.set_integer("message_id", tx.hdr.msg_id as u64);
+ js.set_string("init_spi", &format!("{:016x}", tx.hdr.init_spi));
+ js.set_string("resp_spi", &format!("{:016x}", tx.hdr.resp_spi));
+ if tx.hdr.flags & IKEV2_FLAG_INITIATOR != 0 {
+ js.set_string("role", &"initiator");
+ } else {
+ js.set_string("role", &"responder");
+ js.set_string("alg_enc", &format!("{:?}", state.alg_enc));
+ js.set_string("alg_auth", &format!("{:?}", state.alg_auth));
+ js.set_string("alg_prf", &format!("{:?}", state.alg_prf));
+ js.set_string("alg_dh", &format!("{:?}", state.alg_dh));
+ js.set_string("alg_esn", &format!("{:?}", state.alg_esn));
+ }
+ js.set_integer("errors", tx.errors as u64);
+ let payload_list : Vec<String> = tx.payload_types.iter()
+ .map(|x| format!("{:?}", x.0)) // XXX x.0 until we have a Debug trait for IkePayloadType
+ .collect();
+ let payload_list = payload_list.join(",");
+ js.set_string("payload_list", &payload_list);
+ let notify_list : Vec<String> = tx.notify_types.iter()
+ .map(|x| format!("{:?}", x))
+ .collect();
+ let notify_list = notify_list.join(",");
+ js.set_string("notify_list", ¬ify_list);
+ return js.unwrap();
+}
pub mod ikev2;
pub mod state;
+pub mod log;
output-json-nfs.c output-json-nfs.h \
output-json-tftp.c output-json-tftp.h \
output-json-smb.c output-json-smb.h \
+output-json-ikev2.c output-json-ikev2.h \
output-json-template.c output-json-template.h \
output-json-metadata.c output-json-metadata.h \
output-lua.c output-lua.h \
--- /dev/null
+/* Copyright (C) 2018 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Pierre Chifflier <chifflier@wzdftpd.net>
+ *
+ * Implement JSON/eve logging app-layer IKEv2.
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "pkt-var.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-threads.h"
+
+#include "util-unittest.h"
+#include "util-buffer.h"
+#include "util-debug.h"
+#include "util-byte.h"
+
+#include "output.h"
+#include "output-json.h"
+
+#include "app-layer.h"
+#include "app-layer-parser.h"
+
+#include "app-layer-ikev2.h"
+#include "output-json-ikev2.h"
+
+#if defined(HAVE_RUST) && defined(HAVE_RUST_EXTERNAL)
+#ifdef HAVE_LIBJANSSON
+
+#include "rust.h"
+#include "rust-ikev2-log-gen.h"
+
+typedef struct LogIKEv2FileCtx_ {
+ LogFileCtx *file_ctx;
+ uint32_t flags;
+ bool include_metadata;
+} LogIKEv2FileCtx;
+
+typedef struct LogIKEv2LogThread_ {
+ LogIKEv2FileCtx *ikev2log_ctx;
+ uint32_t count;
+ MemBuffer *buffer;
+} LogIKEv2LogThread;
+
+static int JsonIKEv2Logger(ThreadVars *tv, void *thread_data,
+ const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
+{
+ IKEV2Transaction *ikev2tx = tx;
+ LogIKEv2LogThread *thread = thread_data;
+ json_t *js, *ikev2js;
+
+ js = CreateJSONHeader((Packet *)p, 0, "ikev2");
+ if (unlikely(js == NULL)) {
+ return TM_ECODE_FAILED;
+ }
+
+ if (thread->ikev2log_ctx->include_metadata) {
+ JsonAddMetadata(p, f, js);
+ }
+
+ ikev2js = rs_ikev2_log_json_response(state, ikev2tx);
+ if (unlikely(ikev2js == NULL)) {
+ goto error;
+ }
+ json_object_set_new(js, "ikev2", ikev2js);
+
+ MemBufferReset(thread->buffer);
+ OutputJSONBuffer(js, thread->ikev2log_ctx->file_ctx, &thread->buffer);
+
+ json_decref(js);
+ return TM_ECODE_OK;
+
+error:
+ json_decref(js);
+ return TM_ECODE_FAILED;
+}
+
+static void OutputIKEv2LogDeInitCtxSub(OutputCtx *output_ctx)
+{
+ LogIKEv2FileCtx *ikev2log_ctx = (LogIKEv2FileCtx *)output_ctx->data;
+ SCFree(ikev2log_ctx);
+ SCFree(output_ctx);
+}
+
+static OutputInitResult OutputIKEv2LogInitSub(ConfNode *conf,
+ OutputCtx *parent_ctx)
+{
+ OutputInitResult result = { NULL, false };
+ OutputJsonCtx *ajt = parent_ctx->data;
+
+ LogIKEv2FileCtx *ikev2log_ctx = SCCalloc(1, sizeof(*ikev2log_ctx));
+ if (unlikely(ikev2log_ctx == NULL)) {
+ return result;
+ }
+ ikev2log_ctx->file_ctx = ajt->file_ctx;
+ ikev2log_ctx->include_metadata = ajt->include_metadata;
+
+ OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
+ if (unlikely(output_ctx == NULL)) {
+ SCFree(ikev2log_ctx);
+ return result;
+ }
+ output_ctx->data = ikev2log_ctx;
+ output_ctx->DeInit = OutputIKEv2LogDeInitCtxSub;
+
+ SCLogDebug("IKEv2 log sub-module initialized.");
+
+ AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_IKEV2);
+
+ result.ctx = output_ctx;
+ result.ok = true;
+ return result;
+}
+
+#define OUTPUT_BUFFER_SIZE 65535
+
+static TmEcode JsonIKEv2LogThreadInit(ThreadVars *t, const void *initdata, void **data)
+{
+ LogIKEv2LogThread *thread = SCCalloc(1, sizeof(*thread));
+ if (unlikely(thread == NULL)) {
+ return TM_ECODE_FAILED;
+ }
+
+ if (initdata == NULL) {
+ SCLogDebug("Error getting context for EveLogIKEv2. \"initdata\" is NULL.");
+ SCFree(thread);
+ return TM_ECODE_FAILED;
+ }
+
+ thread->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
+ if (unlikely(thread->buffer == NULL)) {
+ SCFree(thread);
+ return TM_ECODE_FAILED;
+ }
+
+ thread->ikev2log_ctx = ((OutputCtx *)initdata)->data;
+ *data = (void *)thread;
+
+ return TM_ECODE_OK;
+}
+
+static TmEcode JsonIKEv2LogThreadDeinit(ThreadVars *t, void *data)
+{
+ LogIKEv2LogThread *thread = (LogIKEv2LogThread *)data;
+ if (thread == NULL) {
+ return TM_ECODE_OK;
+ }
+ if (thread->buffer != NULL) {
+ MemBufferFree(thread->buffer);
+ }
+ SCFree(thread);
+ return TM_ECODE_OK;
+}
+
+void JsonIKEv2LogRegister(void)
+{
+ /* Register as an eve sub-module. */
+ OutputRegisterTxSubModule(LOGGER_JSON_IKEV2, "eve-log", "JsonIKEv2Log",
+ "eve-log.ikev2", OutputIKEv2LogInitSub, ALPROTO_IKEV2,
+ JsonIKEv2Logger, JsonIKEv2LogThreadInit,
+ JsonIKEv2LogThreadDeinit, NULL);
+
+ SCLogDebug("IKEv2 JSON logger registered.");
+}
+
+#else /* No JSON support. */
+
+void JsonIKEv2LogRegister(void)
+{
+}
+
+#endif /* HAVE_LIBJANSSON */
+#else /* No rust support. */
+
+void JsonIKEv2LogRegister(void)
+{
+}
+
+#endif /* HAVE_RUST */
--- /dev/null
+/* Copyright (C) 2015 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Pierre Chifflier <chifflier@wzdftpd.net>
+ */
+
+#ifndef __OUTPUT_JSON_IKEV2_H__
+#define __OUTPUT_JSON_IKEV2_H__
+
+void JsonIKEv2LogRegister(void);
+
+#endif /* __OUTPUT_JSON_IKEV2_H__ */
#include "output-json-nfs.h"
#include "output-json-tftp.h"
#include "output-json-smb.h"
+#include "output-json-ikev2.h"
#include "output-json-template.h"
#include "output-lua.h"
#include "output-json-dnp3.h"
JsonTFTPLogRegister();
/* SMB JSON logger. */
JsonSMBLogRegister();
+ /* IKEv2 JSON logger. */
+ JsonIKEv2LogRegister();
/* Template JSON logger. */
JsonTemplateLogRegister();
LOGGER_JSON_DNP3_TC,
LOGGER_JSON_SSH,
LOGGER_JSON_SMB,
+ LOGGER_JSON_IKEV2,
LOGGER_JSON_TEMPLATE,
LOGGER_ALERT_DEBUG,
projects / thirdparty / suricata.git / commitdiff
