From: Jeff Lucovsky Date: Sat, 20 Apr 2019 12:05:30 +0000 (-0700) Subject: logging: display base64 decoded string for packet X-Git-Tag: suricata-5.0.0-beta1~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74f436d209ef503f49f22f425178561a5a494891;p=thirdparty%2Fsuricata.git logging: display base64 decoded string for packet This changeset changes the packet display to be base64, rather than hex.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 0014a1b653..aad2782272 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -368,23 +368,6 @@ static void AlertJsonTunnel(const Packet *p, json_t *js)
json_object_set_new(js, "tunnel", tunnel);
}
-static void AlertJsonPacket(const Packet *p, json_t *js)
-{
- unsigned long len = GET_PKT_LEN(p) * 2;
- uint8_t encoded_packet[len];
- Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p),
- encoded_packet, &len);
- json_object_set_new(js, "packet", json_string((char *)encoded_packet));
-
- /* Create packet info. */
- json_t *packetinfo_js = json_object();
- if (unlikely(packetinfo_js == NULL)) {
- return;
- }
- json_object_set_new(packetinfo_js, "linktype", json_integer(p->datalink));
- json_object_set_new(js, "packet_info", packetinfo_js);
-}
-
static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, json_t *js, const Packet *p)
{
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
@@ -573,7 +556,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
/* base64-encoded full packet */
if (json_output_ctx->flags & LOG_JSON_PACKET) {
- AlertJsonPacket(p, js);
+ JsonPacket(p, js, 0);
}
/* signature text */
@@ -624,7 +607,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
MemBufferReset(aft->json_buffer);
json_t *packetjs = CreateJSONHeader(p, LOG_DIR_PACKET, "packet");
if (unlikely(packetjs != NULL)) {
- AlertJsonPacket(p, packetjs);
+ JsonPacket(p, packetjs, 0);
OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
json_decref(packetjs);
}
diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
index 9648c23814..743d465b00 100644
--- a/src/output-json-anomaly.c
+++ b/src/output-json-anomaly.c
@@ -52,14 +52,14 @@
#include "util-proto-name.h"
#include "util-optimize.h"
#include "util-buffer.h"
+#include "util-crypt.h"
#include "util-validate.h"
#define MODULE_NAME "JsonAnomalyLog"
#ifdef HAVE_LIBJANSSON
-#define LOG_JSON_PACKET BIT_U16(0)
-#define JSON_STREAM_BUFFER_SIZE 4096
+#define LOG_JSON_PACKETHDR BIT_U16(0)
typedef struct AnomalyJsonOutputCtx_ {
LogFileCtx* file_ctx;
@@ -76,7 +76,7 @@ typedef struct JsonAnomalyLogThread_ {
static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
{
- bool is_IP_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
+ bool is_ip_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
char timebuf[64];
CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
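Review bot: `#include "util-crypt.h"` is added to output-json-anomaly.c although this file no longer encodes anything itself: the hex formatting is removed in the later hunk and Base64Encode is now called from JsonPacket in output-json.c, so the include belongs in that file unless it already has it. Leaving it here adds an unused dependency and misleads the next reader about where the encoding happens. The removal of `JSON_STREAM_BUFFER_SIZE` looks like a legitimate dead-macro cleanup, assuming nothing outside the hunk still references it.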
@@ -96,20 +96,15 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
return TM_ECODE_OK;
}
- if (!is_IP_pkt) {
+ if (!is_ip_pkt) {
json_object_set_new(js, "timestamp", json_string(timebuf));
} else {
JsonFiveTuple((const Packet *)p, LOG_DIR_PACKET, js);
JsonAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
}
- if (aft->json_output_ctx->flags & LOG_JSON_PACKET) {
- char buf[(32 * 3) + 1];
- PrintRawLineHexBuf(buf, sizeof(buf), GET_PKT_DATA(p),
- GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
- json_object_set_new(js, "packethdr", json_string((char *)buf));
-
- json_object_set_new(js, "linktype", json_integer(p->datalink));
+ if (aft->json_output_ctx->flags & LOG_JSON_PACKETHDR) {
+ JsonPacket(p, js, GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
}
uint8_t event_code = p->events.events[i];
@@ -122,9 +117,9 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
} else {
/* include event code with unrecognized events */
uint32_t offset = 0;
- char unknown_event_buf[16];
+ char unknown_event_buf[8];
json_object_set_new(ajs, "type", json_string("unknown"));
- PrintBufferData(unknown_event_buf, &offset, 16, "%d", event_code);
+ PrintBufferData(unknown_event_buf, &offset, 8, "%d", event_code);
json_object_set_new(ajs, "code", json_string(unknown_event_buf));
}
@@ -237,7 +232,7 @@ static void JsonAnomalyLogConf(AnomalyJsonOutputCtx *json_output_ctx,
{
uint16_t flags = 0;
if (conf != NULL) {
- SetFlag(conf, "packethdr", LOG_JSON_PACKET, &flags);
+ SetFlag(conf, "packethdr", LOG_JSON_PACKETHDR, &flags);
}
json_output_ctx->flags |= flags;
}
@@ -318,10 +313,6 @@ static OutputInitResult JsonAnomalyLogInitCtxSub(ConfNode *conf, OutputCtx *pare
return result;
error:
- if (json_output_ctx != NULL) {
- SCFree(json_output_ctx);
- }
-
SCFree(output_ctx);
return result;
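Review bot: The `packethdr` option now emits the truncated 32-byte header under the same `packet` and `packet_info` keys that the alert log uses for the complete packet (the old record had a distinct `packethdr` field), so a consumer of eve output can no longer tell a truncated header from a full capture. Either keep a distinct key for the truncated form or document the truncation where it happens, at minimum with a comment above the call: `/* packethdr: only the first 32 bytes are logged, under the shared "packet" key */`. The bare `32` is also repeated inside the ternary; a named constant (e.g. a constructed `ANOMALY_PACKETHDR_BYTES`) would make the truncation self-describing. AnomalyJson starts outside the hunk.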
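Review bot: Dropping the `SCFree(json_output_ctx)` on the `error:` path is leak-free only if every `goto error` in JsonAnomalyLogInitCtxSub is taken before json_output_ctx has been allocated; those jumps are outside the hunk, so this should be confirmed. If any later jump exists the free must stay, and with `json_output_ctx` initialised to NULL at declaration the unconditional `SCFree(json_output_ctx);` is safe without the removed NULL guard. The function's body starts outside the hunk.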
@@ -332,6 +323,7 @@ void JsonAnomalyLogRegister (void)
OutputRegisterPacketModule(LOGGER_JSON_ANOMALY, MODULE_NAME, "anomaly-json-log", JsonAnomalyLogInitCtx, JsonAnomalyLogger, JsonAnomalyLogCondition, JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit, NULL);
+
OutputRegisterPacketSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME, "eve-log.anomaly", JsonAnomalyLogInitCtxSub, JsonAnomalyLogger, JsonAnomalyLogCondition, JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit,
diff --git a/src/output-json.c b/src/output-json.c
index 9892b0d197..b44ee79c72 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -398,6 +398,29 @@ void JsonAddCommonOptions(const OutputJsonCommonSettings *cfg,
}
}
+/**
+ * \brief Jsonify a packet
+ *
+ * \param p Packet
+ * \param js JSON object
+ * \param max_length If non-zero, restricts the number of packet data bytes handled.
+ */
+void JsonPacket(const Packet *p, json_t *js, unsigned long max_length)
+{
+ unsigned long max_len = max_length == 0 ? GET_PKT_LEN(p) : max_length;
+ unsigned long len = 2 * max_len;
+ uint8_t encoded_packet[len];
+ Base64Encode((unsigned char*) GET_PKT_DATA(p), max_len, encoded_packet, &len);
+ json_object_set_new(js, "packet", json_string((char *)encoded_packet));
+
+ /* Create packet info. */
+ json_t *packetinfo_js = json_object();
+ if (unlikely(packetinfo_js == NULL)) {
+ return;
+ }
+ json_object_set_new(packetinfo_js, "linktype", json_integer(p->datalink));
+ json_object_set_new(js, "packet_info", packetinfo_js);
+}
/** \brief jsonify tcp flags field
* Only add 'true' fields in an attempt to keep things reasonably compact. */
diff --git a/src/output-json.h b/src/output-json.h
index 5a4ed908bb..73eddf88ae 100644
--- a/src/output-json.h
+++ b/src/output-json.h
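Review bot: JsonPacket uses `max_length` without clamping it to `GET_PKT_LEN(p)`, so any caller passing a value larger than the packet makes Base64Encode read past the packet data; the `\param max_length` line should state that values above the packet length are clamped, and the code should clamp them. The output buffer of `2 * max_len` bytes is also smaller than the `4 * ceil(n / 3) + 1` bytes base64 output needs for very short inputs (1, 2 or 4 bytes), and the return value of Base64Encode is ignored, so if the encoder declines to write, `json_string()` is handed an uninitialised, possibly unterminated stack buffer and stack contents end up in the log. Sizing the buffer from the base64 formula, pre-terminating it and returning when the encoder reports failure closes both; I am assuming Base64Encode returns non-zero on failure, please confirm against util-crypt.h. The VLA still grows with the packet length on the stack, as it did in the removed AlertJsonPacket, which is worth a follow-up if jumbo frames are expected.
```c
void JsonPacket(const Packet *p, json_t *js, unsigned long max_length)
{
    unsigned long pkt_len = GET_PKT_LEN(p);
    /* never read past the packet, whatever the caller asked for */
    unsigned long max_len = (max_length == 0 || max_length > pkt_len) ? pkt_len : max_length;
    /* base64 needs 4 output chars per 3 input bytes, plus the NUL terminator */
    unsigned long len = 4 * ((max_len + 2) / 3) + 1;
    uint8_t encoded_packet[len];
    encoded_packet[0] = '\0';
    if (Base64Encode((unsigned char *)GET_PKT_DATA(p), max_len, encoded_packet, &len) != 0) {
        /* never hand an unwritten stack buffer to the JSON layer */
        return;
    }
    json_object_set_new(js, "packet", json_string((char *)encoded_packet));

    /* … unchanged: packet_info object carrying linktype … */
}
```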
@@ -52,6 +52,7 @@ int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
void CreateJSONFlowId(json_t *js, const Flow *f);
void JsonTcpFlags(uint8_t flags, json_t *js);
+void JsonPacket(const Packet *p, json_t *js, unsigned long max_length);
void JsonFiveTuple(const Packet *, enum OutputJsonLogDirection, json_t *);
json_t *CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type);