From: Jason Ish
Date: Wed, 24 Jan 2018 20:51:03 +0000 (-0600)
Subject: json-vars: rename to metadata and use new metadata format
X-Git-Tag: suricata-4.1.0-beta1~255
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34811cf69e243567afe23266b59f437283db1d15;p=thirdparty%2Fsuricata.git
json-vars: rename to metadata and use new metadata format
---
diff --git a/src/output-json-vars.c b/src/output-json-vars.c
index 502d12f225..dcbace3291 100644
--- a/src/output-json-vars.c
+++ b/src/output-json-vars.c
@@ -63,7 +63,7 @@
 #include "util-buffer.h"
 #include "util-crypt.h"
-#define MODULE_NAME "JsonVarsLog"
+#define MODULE_NAME "JsonMetadataLog"
 #ifdef HAVE_LIBJANSSON
@@ -82,13 +82,13 @@ typedef struct JsonVarsLogThread_ {
 static int VarsJson(ThreadVars *tv, JsonVarsLogThread *aft, const Packet *p)
 {
- json_t *js = CreateJSONHeader((Packet *)p, 0, "vars");
+ json_t *js = CreateJSONHeader((Packet *)p, 0, "metadata");
 if (unlikely(js == NULL))
 return TM_ECODE_OK;
- JsonAddVars(p, p->flow, js);
+ JsonAddMetadata(p, p->flow, js);
 OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
- json_object_del(js, "vars");
+ json_object_del(js, "metadata");
 json_object_clear(js);
 json_decref(js);
@@ -177,7 +177,7 @@ static void JsonVarsLogDeInitCtxSub(OutputCtx *output_ctx)
 SCFree(output_ctx);
 }
-#define DEFAULT_LOG_FILENAME "vars.json"
+#define DEFAULT_LOG_FILENAME "metadata.json"
 /**
 * \brief Create a new LogFileCtx for "fast" output style.
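Review bot: The renamed `json_object_del(js, "metadata")` line is redundant with the `json_object_clear(js)` two lines below, which already removes every key before `json_decref`; keeping both suggests the del has a purpose it does not have, so I would either drop it or add `/* clear() below drops all keys; del kept only for ... */` with the actual reason. The new `CreateJSONHeader((Packet *)p, 0, "metadata")` line also still casts away the `const` on `p`; if `CreateJSONHeader` does not write to the packet (its declaration is not in this diff), taking `const Packet *` there would let the cast go. VarsJson continues past the end of the hunk.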
@@ -266,10 +266,21 @@ error:
 void JsonVarsLogRegister (void)
 {
- OutputRegisterPacketModule(LOGGER_JSON_VARS, MODULE_NAME, "vars-json-log",
- JsonVarsLogInitCtx, JsonVarsLogger, JsonVarsLogCondition,
- JsonVarsLogThreadInit, JsonVarsLogThreadDeinit, NULL);
- OutputRegisterPacketSubModule(LOGGER_JSON_VARS, "eve-log", MODULE_NAME,
+ OutputRegisterPacketModule(LOGGER_JSON_METADATA, MODULE_NAME,
+ "metadata-json-log", JsonVarsLogInitCtx, JsonVarsLogger,
+ JsonVarsLogCondition, JsonVarsLogThreadInit,
+ JsonVarsLogThreadDeinit, NULL);
+ OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME,
+ "eve-log.metadata", JsonVarsLogInitCtxSub, JsonVarsLogger,
+ JsonVarsLogCondition, JsonVarsLogThreadInit, JsonVarsLogThreadDeinit,
+ NULL);
+
+ /* Kept for compatibility. */
+ OutputRegisterPacketModule(LOGGER_JSON_METADATA, MODULE_NAME,
+ "vars-json-log", JsonVarsLogInitCtx, JsonVarsLogger,
+ JsonVarsLogCondition, JsonVarsLogThreadInit, JsonVarsLogThreadDeinit,
+ NULL);
+ OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME,
 "eve-log.vars", JsonVarsLogInitCtxSub, JsonVarsLogger,
 JsonVarsLogCondition, JsonVarsLogThreadInit, JsonVarsLogThreadDeinit,
 NULL);
diff --git a/src/output-json.c b/src/output-json.c
index 03f3df010d..7b52074eca 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -155,13 +155,10 @@ static void JsonAddPacketvars(const Packet *p, json_t *js_vars)
 }
 /**
- * \brief "New" Add flow variables to a json object.
+ * \brief Add flow variables to a json object.
 *
 * Adds "flowvars" (map), "flowints" (map) and "flowbits" (array) to
 * the json object provided as js_root.
- *
- * This is the "new" method for doing this as flowbits is an array of
- * strings instead of a map of boolean values.
 */
 static void JsonAddFlowVars(const Flow *f, json_t *js_root)
 {
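Review bot: The compatibility registrations at the bottom of the hunk register the same module (`MODULE_NAME` with `LOGGER_JSON_METADATA`) a second time under `vars-json-log` and `eve-log.vars`, and nothing here rejects or warns when a configuration enables both the old and the new name; in that case each qualifying packet would presumably be logged twice with identical records. The legacy path is also silent about the format change: a user still enabling `eve-log.vars` now receives `event_type: metadata` records (see the `CreateJSONHeader` change earlier in this file) without any deprecation notice, so I would emit a warning from the init path when the old names are used and extend the one-line comment to `/* Kept for compatibility: the legacy "vars" names map to the metadata logger and emit "metadata" events. */`. JsonVarsLogRegister's closing brace is outside the hunk.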
@@ -259,115 +256,6 @@ static void JsonAddFlowVars(const Flow *f, json_t *js_root)
 }
 }
-static void JsonAddFlowvars(const Flow *f, json_t *js_vars)
-{
- if (f == NULL || f->flowvar == NULL) {
- return;
- }
- json_t *js_flowvars = NULL;
- json_t *js_flowints = NULL;
- json_t *js_flowbits = NULL;
- GenericVar *gv = f->flowvar;
- while (gv != NULL) {
- if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
- FlowVar *fv = (FlowVar *)gv;
- if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
- const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_VAR);
- if (varname) {
- if (js_flowvars == NULL) {
- js_flowvars = json_object();
- if (js_flowvars == NULL)
- break;
- }
-
- uint32_t len = fv->data.fv_str.value_len;
- uint8_t printable_buf[len + 1];
- uint32_t offset = 0;
- PrintStringsToBuffer(printable_buf, &offset,
- sizeof(printable_buf),
- fv->data.fv_str.value, fv->data.fv_str.value_len);
-
- json_object_set_new(js_flowvars, varname,
- json_string((char *)printable_buf));
- }
- } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
- if (js_flowvars == NULL) {
- js_flowvars = json_object();
- if (js_flowvars == NULL)
- break;
- }
-
- uint8_t keybuf[fv->keylen + 1];
- uint32_t offset = 0;
- PrintStringsToBuffer(keybuf, &offset,
- sizeof(keybuf),
- fv->key, fv->keylen);
-
- uint32_t len = fv->data.fv_str.value_len;
- uint8_t printable_buf[len + 1];
- offset = 0;
- PrintStringsToBuffer(printable_buf, &offset,
- sizeof(printable_buf),
- fv->data.fv_str.value, fv->data.fv_str.value_len);
-
- json_object_set_new(js_flowvars, (const char *)keybuf,
- json_string((char *)printable_buf));
-
- } else if (fv->datatype == FLOWVAR_TYPE_INT) {
- const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_INT);
- if (varname) {
- if (js_flowints == NULL) {
- js_flowints = json_object();
- if (js_flowints == NULL)
- break;
- }
-
- json_object_set_new(js_flowints, varname, json_integer(fv->data.fv_int.value));
- }
-
- }
- } else if (gv->type == DETECT_FLOWBITS) {
- FlowBit *fb = (FlowBit *)gv;
- const char *varname = VarNameStoreLookupById(fb->idx, VAR_TYPE_FLOW_BIT);
- if (varname) {
- if (js_flowbits == NULL) {
- js_flowbits = json_object();
- if (js_flowbits == NULL)
- break;
- }
- json_object_set_new(js_flowbits, varname, json_boolean(1));
- }
- }
- gv = gv->next;
- }
- if (js_flowbits) {
- json_object_set_new(js_vars, "flowbits", js_flowbits);
- }
- if (js_flowints) {
- json_object_set_new(js_vars, "flowints", js_flowints);
- }
- if (js_flowvars) {
- json_object_set_new(js_vars, "flowvars", js_flowvars);
- }
-}
-
-void JsonAddVars(const Packet *p, const Flow *f, json_t *js)
-{
- if ((p && p->pktvar) || (f && f->flowvar)) {
- json_t *js_vars = json_object();
- if (js_vars) {
- if (f && f->flowvar) {
- JsonAddFlowvars(f, js_vars);
- }
- if (p && p->pktvar) {
- JsonAddPacketvars(p, js_vars);
- }
-
- json_object_set_new(js, "vars", js_vars);
- }
- }
-}
-
 /**
 * \brief Add top-level metadata to the eve json object.
 */
diff --git a/src/output-json.h b/src/output-json.h
index c912a19dab..efc348b3a3 100644
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -40,7 +40,6 @@ typedef struct OutputJSONMemBufferWrapper_ {
 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
-void JsonAddVars(const Packet *p, const Flow *f, json_t *js);
 void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js);
 void CreateJSONFlowId(json_t *js, const Flow *f);
 void JsonTcpFlags(uint8_t flags, json_t *js);
diff --git a/src/suricata-common.h b/src/suricata-common.h
index 1e71d0a6a4..082335e00e 100644
--- a/src/suricata-common.h
+++ b/src/suricata-common.h
@@ -431,7 +431,7 @@ typedef enum {
 LOGGER_JSON_STATS,
 LOGGER_PRELUDE,
 LOGGER_PCAP,
- LOGGER_JSON_VARS,
+ LOGGER_JSON_METADATA,
 LOGGER_SIZE,
 } LoggerId;
diff --git a/src/util-profiling.c b/src/util-profiling.c
index 728f5758c0..01b22dfe40 100644
--- a/src/util-profiling.c
+++ b/src/util-profiling.c
@@ -1265,7 +1265,7 @@ const char * PacketProfileLoggertIdToString(LoggerId id)
 CASE_CODE (LOGGER_JSON_STATS);
 CASE_CODE (LOGGER_PRELUDE);
 CASE_CODE (LOGGER_PCAP);
- CASE_CODE (LOGGER_JSON_VARS);
+ CASE_CODE (LOGGER_JSON_METADATA);
 default:
 return "UNKNOWN";
 }
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 068bce55b7..20d12ada52 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -253,8 +253,11 @@ outputs:
 - flow # uni-directional flows
 #- netflow
- # Vars log flowbits and other packet and flow vars
- #- vars
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
 # alert output for use with Barnyard2
 - unified2-alert:
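Review bot: The new template comment asserts that the event is "Triggered whenever a pktvar is saved", but nothing in this diff establishes the trigger; it is decided by `JsonVarsLogCondition` in src/output-json-vars.c, whose body is not in the diff, so the wording should be checked against that condition before it ships in the template. The hunk also drops `#- vars` without telling the reader that the old name is still accepted (the compatibility registrations in src/output-json-vars.c) and now produces `metadata` events, so I would add `# The former "vars" name is still accepted for compatibility and emits metadata events.` directly under `#- metadata`.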