From 037c449b85838b13c61a0f818bdad3115d69656d Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Mon, 4 May 2020 14:01:12 -0600 Subject: [PATCH] tls/eve: convert to jsonbuilder --- src/output-json-alert.c | 11 ++- src/output-json-tls.c | 144 +++++++++++++++++++--------------------- src/output-json-tls.h | 4 +- 3 files changed, 73 insertions(+), 86 deletions(-) diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 477efd5e72..f31205a203 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -131,15 +131,12 @@ static void AlertJsonTls(const Flow *f, JsonBuilder *js) { SSLState *ssl_state = (SSLState *)FlowGetAppState(f); if (ssl_state) { - json_t *tjs = json_object(); - if (unlikely(tjs == NULL)) - return; + jb_open_object(js, "tls"); - JsonTlsLogJSONBasic(tjs, ssl_state); - JsonTlsLogJSONExtended(tjs, ssl_state); + JsonTlsLogJSONBasic(js, ssl_state); + JsonTlsLogJSONExtended(js, ssl_state); - jb_set_jsont(js, "tls", tjs); - json_decref(tjs); + jb_close(js); } return; diff --git a/src/output-json-tls.c b/src/output-json-tls.c index cae854c2f9..785128cac3 100644 --- a/src/output-json-tls.c +++ b/src/output-json-tls.c 
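Review bot: AlertJsonTls will probably write the basic TLS fields (such as `subject` and `session_resumed`) twice inside `tls`, because it calls JsonTlsLogJSONBasic and then JsonTlsLogJSONExtended on the same builder, and the output-json-tls.c part of this patch shows JsonTlsLogJSONExtended calling JsonTlsLogJSONBasic as its first statement. With jansson the second `json_object_set_new` on a key replaced the first value, so the repetition was invisible; if JsonBuilder appends members as they are set (its implementation is not on this page), the alert record ends up with duplicate keys. JSON parsers disagree on which duplicate wins, so downstream consumers of alert events can see different values for the same field. I would drop the `JsonTlsLogJSONBasic(js, ssl_state);` line here and keep only `JsonTlsLogJSONExtended(js, ssl_state);`.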
@@ -110,23 +110,23 @@ typedef struct JsonTlsLogThread_ { MemBuffer *buffer; } JsonTlsLogThread; -static void JsonTlsLogSubject(json_t *js, SSLState *ssl_state) +static void JsonTlsLogSubject(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->server_connp.cert0_subject) { - json_object_set_new(js, "subject", - SCJsonString(ssl_state->server_connp.cert0_subject)); + jb_set_string(js, "subject", + ssl_state->server_connp.cert0_subject); } } -static void JsonTlsLogIssuer(json_t *js, SSLState *ssl_state) +static void JsonTlsLogIssuer(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->server_connp.cert0_issuerdn) { - json_object_set_new(js, "issuerdn", - SCJsonString(ssl_state->server_connp.cert0_issuerdn)); + jb_set_string(js, "issuerdn", + ssl_state->server_connp.cert0_issuerdn); } } -static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state) +static void JsonTlsLogSessionResumed(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) { /* Only log a session as 'resumed' if a certificate has not 
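Review bot: The fields that used to be wrapped in `SCJsonString(...)` (`subject` and `issuerdn` here; `fingerprint`, `sni` and `serial` in the next hunk) are now handed straight to `jb_set_string`, and its result is discarded. These values come from the peer's handshake and can contain bytes that are not valid UTF-8 or not printable; SCJsonString is not shown on this page, but if it escaped such input, that step is lost with this change. If jb_set_string rejects a value, the field would simply be missing from the event, which matters most for `sni`, since detection and hunting often key on it. Please confirm how jb_set_string treats invalid input, and either keep an escaping step or act on the return value, e.g. `if (!jb_set_string(js, "sni", ssl_state->client_connp.sni)) { /* fall back to an escaped copy */ }`.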
@@ -135,43 +135,43 @@ static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state) ssl_state->server_connp.cert0_subject == NULL) && (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) && ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) { - json_object_set_new(js, "session_resumed", json_boolean(true)); + jb_set_bool(js, "session_resumed", true); } } } -static void JsonTlsLogFingerprint(json_t *js, SSLState *ssl_state) +static void JsonTlsLogFingerprint(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->server_connp.cert0_fingerprint) { - json_object_set_new(js, "fingerprint", - SCJsonString(ssl_state->server_connp.cert0_fingerprint)); + jb_set_string(js, "fingerprint", + ssl_state->server_connp.cert0_fingerprint); } } -static void JsonTlsLogSni(json_t *js, SSLState *ssl_state) +static void JsonTlsLogSni(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->client_connp.sni) { - json_object_set_new(js, "sni", - SCJsonString(ssl_state->client_connp.sni)); + jb_set_string(js, "sni", + ssl_state->client_connp.sni); } } -static void JsonTlsLogSerial(json_t *js, SSLState *ssl_state) +static void JsonTlsLogSerial(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->server_connp.cert0_serial) { - json_object_set_new(js, "serial", - SCJsonString(ssl_state->server_connp.cert0_serial)); + jb_set_string(js, "serial", + ssl_state->server_connp.cert0_serial); } } -static void JsonTlsLogVersion(json_t *js, SSLState *ssl_state) +static void JsonTlsLogVersion(JsonBuilder *js, SSLState *ssl_state) { char ssl_version[SSL_VERSION_MAX_STRLEN]; SSLVersionToString(ssl_state->server_connp.version, ssl_version); - json_object_set_new(js, "version", json_string(ssl_version)); + jb_set_string(js, "version", ssl_version); } -static void JsonTlsLogNotBefore(json_t *js, SSLState *ssl_state) +static void JsonTlsLogNotBefore(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->server_connp.cert0_not_before != 0) { char timebuf[64]; 
@@ -179,11 +179,11 @@ static void JsonTlsLogNotBefore(json_t *js, SSLState *ssl_state) tv.tv_sec = ssl_state->server_connp.cert0_not_before; tv.tv_usec = 0; CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf)); - json_object_set_new(js, "notbefore", json_string(timebuf)); + jb_set_string(js, "notbefore", timebuf); } } -static void JsonTlsLogNotAfter(json_t *js, SSLState *ssl_state) +static void JsonTlsLogNotAfter(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->server_connp.cert0_not_after != 0) { char timebuf[64]; 
@@ -191,68 +191,65 @@ static void JsonTlsLogNotAfter(json_t *js, SSLState *ssl_state) tv.tv_sec = ssl_state->server_connp.cert0_not_after; tv.tv_usec = 0; CreateUtcIsoTimeString(&tv, timebuf, sizeof(timebuf)); - json_object_set_new(js, "notafter", json_string(timebuf)); + jb_set_string(js, "notafter", timebuf); } } -static void JsonTlsLogJa3Hash(json_t *js, SSLState *ssl_state) +static void JsonTlsLogJa3Hash(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->client_connp.ja3_hash != NULL) { - json_object_set_new(js, "hash", - json_string(ssl_state->client_connp.ja3_hash)); + jb_set_string(js, "hash", + ssl_state->client_connp.ja3_hash); } } -static void JsonTlsLogJa3String(json_t *js, SSLState *ssl_state) +static void JsonTlsLogJa3String(JsonBuilder *js, SSLState *ssl_state) { if ((ssl_state->client_connp.ja3_str != NULL) && ssl_state->client_connp.ja3_str->data != NULL) { - json_object_set_new(js, "string", - json_string(ssl_state->client_connp.ja3_str->data)); + jb_set_string(js, "string", + ssl_state->client_connp.ja3_str->data); } } -static void JsonTlsLogJa3(json_t *js, SSLState *ssl_state) +static void JsonTlsLogJa3(JsonBuilder *js, SSLState *ssl_state) { - json_t *tjs = json_object(); - if (unlikely(tjs == NULL)) - return; + jb_open_object(js, "ja3"); - JsonTlsLogJa3Hash(tjs, ssl_state); - JsonTlsLogJa3String(tjs, ssl_state); + JsonTlsLogJa3Hash(js, ssl_state); + JsonTlsLogJa3String(js, ssl_state); - json_object_set_new(js, "ja3", tjs); + jb_close(js); } -static void JsonTlsLogJa3SHash(json_t *js, SSLState *ssl_state) +static void JsonTlsLogJa3SHash(JsonBuilder *js, SSLState *ssl_state) { if (ssl_state->server_connp.ja3_hash != NULL) { - json_object_set_new(js, "hash", - json_string(ssl_state->server_connp.ja3_hash)); + jb_set_string(js, "hash", + ssl_state->server_connp.ja3_hash); } } -static void JsonTlsLogJa3SString(json_t *js, SSLState *ssl_state) +static void JsonTlsLogJa3SString(JsonBuilder *js, SSLState *ssl_state) { if 
((ssl_state->server_connp.ja3_str != NULL) && ssl_state->server_connp.ja3_str->data != NULL) { - json_object_set_new(js, "string", - json_string(ssl_state->server_connp.ja3_str->data)); + jb_set_string(js, "string", + ssl_state->server_connp.ja3_str->data); } } -static void JsonTlsLogJa3S(json_t *js, SSLState *ssl_state) +static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state) { - json_t *tjs = json_object(); - if (unlikely(tjs == NULL)) - return; + jb_open_object(js, "ja3s"); - JsonTlsLogJa3SHash(tjs, ssl_state); - JsonTlsLogJa3SString(tjs, ssl_state); + JsonTlsLogJa3SHash(js, ssl_state); + JsonTlsLogJa3SString(js, ssl_state); - json_object_set_new(js, "ja3s", tjs); + jb_close(js); } -static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state) + +static void JsonTlsLogCertificate(JsonBuilder *js, SSLState *ssl_state) { if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) { return; @@ -267,20 +264,17 @@ static void JsonTlsLogCertificate(json_t *js, SSLState *ssl_state) uint8_t encoded[len]; if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) == SC_BASE64_OK) { - json_object_set_new(js, "certificate", json_string((char *)encoded)); + jb_set_string(js, "certificate", (char *)encoded); } } -static void JsonTlsLogChain(json_t *js, SSLState *ssl_state) +static void JsonTlsLogChain(JsonBuilder *js, SSLState *ssl_state) { if (TAILQ_EMPTY(&ssl_state->server_connp.certs)) { return; } - json_t *chain = json_array(); - if (chain == NULL) { - return; - } + jb_open_array(js, "chain"); SSLCertsChain *cert; TAILQ_FOREACH(cert, &ssl_state->server_connp.certs, next) { 
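Review bot: In JsonTlsLogCertificate and JsonTlsLogChain the value given to `jb_set_string` / `jb_append_string` is the variable-length array `uint8_t encoded[len]` cast to `char *`, so stack use scales with the size of the server-supplied certificate and the call relies on Base64Encode having NUL-terminated the buffer. `len` is computed above the visible lines, so it is not possible to see here whether it is capped or includes room for the terminator; this predates the commit, but the converted calls are a good place to pin it down. I would document the bound at the declaration, e.g. `/* len = base64 size of cert_len plus NUL; cert_len is capped at <limit enforced by the parser> */`, or move the buffer to the heap if no such cap exists. JsonTlsLogChain's loop body continues in the following hunk.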
@@ -288,14 +282,14 @@ static void JsonTlsLogChain(json_t *js, SSLState *ssl_state) uint8_t encoded[len]; if (Base64Encode(cert->cert_data, cert->cert_len, encoded, &len) == SC_BASE64_OK) { - json_array_append_new(chain, json_string((char *)encoded)); + jb_append_string(js, (char *)encoded); } } - json_object_set_new(js, "chain", chain); + jb_close(js); } -void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state) +void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state) { /* tls subject */ JsonTlsLogSubject(js, ssl_state); @@ -307,7 +301,7 @@ void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state) JsonTlsLogSessionResumed(js, ssl_state); } -static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js, +static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, JsonBuilder *js, SSLState *ssl_state) { /* tls subject */ @@ -363,7 +357,7 @@ static void JsonTlsLogJSONCustom(OutputTlsCtx *tls_ctx, json_t *js, JsonTlsLogJa3S(js, ssl_state); } -void JsonTlsLogJSONExtended(json_t *tjs, SSLState * state) +void JsonTlsLogJSONExtended(JsonBuilder *tjs, SSLState * state) { JsonTlsLogJSONBasic(tjs, state); 
@@ -411,47 +405,43 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, return 0; } - json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "tls", NULL); + JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "tls", NULL); if (unlikely(js == NULL)) { return 0; } - JsonAddCommonOptions(&tls_ctx->cfg, p, f, js); + EveAddCommonOptions(&tls_ctx->cfg, p, f, js); - json_t *tjs = json_object(); - if (tjs == NULL) { - free(js); - return 0; - } + jb_open_object(js, "tls"); /* reset */ MemBufferReset(aft->buffer); /* log custom fields */ if (tls_ctx->flags & LOG_TLS_CUSTOM) { - JsonTlsLogJSONCustom(tls_ctx, tjs, ssl_state); + JsonTlsLogJSONCustom(tls_ctx, js, ssl_state); } /* log extended */ else if (tls_ctx->flags & LOG_TLS_EXTENDED) { - JsonTlsLogJSONExtended(tjs, ssl_state); + JsonTlsLogJSONExtended(js, ssl_state); } /* log basic */ else { - JsonTlsLogJSONBasic(tjs, ssl_state); + JsonTlsLogJSONBasic(js, ssl_state); } /* print original application level protocol when it have been changed because of STARTTLS, HTTP CONNECT, or similar. */ if (f->alproto_orig != ALPROTO_UNKNOWN) { - json_object_set_new(tjs, "from_proto", - json_string(AppLayerGetProtoName(f->alproto_orig))); + jb_set_string(js, "from_proto", + AppLayerGetProtoName(f->alproto_orig)); } - json_object_set_new(js, "tls", tjs); + /* Close the tls object. */ + jb_close(js); - OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer); - json_object_clear(js); - json_decref(js); + OutputJsonBuilderBuffer(js, tls_ctx->file_ctx, &aft->buffer); + jb_free(js); return 0; } diff --git a/src/output-json-tls.h b/src/output-json-tls.h index 799a8ea19c..737e6233ef 100644 --- a/src/output-json-tls.h +++ b/src/output-json-tls.h 
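Review bot: In JsonTlsLogger the `from_proto` value is `AppLayerGetProtoName(f->alproto_orig)` passed directly to `jb_set_string`, with no check that a name came back. The removed code tolerated NULL, because jansson's `json_string(NULL)` returns NULL and `json_object_set_new` then refuses the member; whether jb_set_string accepts a NULL value is not visible on this page. A guard makes the logger independent of that: `const char *orig = AppLayerGetProtoName(f->alproto_orig);` followed by `if (orig != NULL) jb_set_string(js, "from_proto", orig);`. JsonTlsLogger begins above the hunk.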
@@ -28,7 +28,7 @@ void JsonTlsLogRegister(void); #include "app-layer-ssl.h" -void JsonTlsLogJSONBasic(json_t *js, SSLState *ssl_state); -void JsonTlsLogJSONExtended(json_t *js, SSLState *ssl_state); +void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state); +void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state); #endif /* __OUTPUT_JSON_TLS_H__ */ -- 2.47.2