From: Tom DeCanio
Date: Mon, 4 Nov 2013 19:41:56 +0000 (-0800)
Subject: JSON cleanup
X-Git-Tag: suricata-2.0rc1~110
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=34d04c310470f56be32ff012e084e58cbdc32b15;p=thirdparty%2Fsuricata.git
JSON cleanup
---
diff --git a/src/alert-json.c b/src/alert-json.c
index 94603cf18e..9682ffd188 100644
--- a/src/alert-json.c
+++ b/src/alert-json.c
@@ -191,15 +191,15 @@ TmEcode AlertJsonIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
 } else {
 snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
 }
-#if 1
+
 json_t *js = json_object();
 if (js == NULL)
- return;
+ return TM_ECODE_OK;
 json_t *ajs = json_object();
 if (ajs == NULL) {
 free(js);
- return;
+ return TM_ECODE_OK;
 }
 /* time & tx */
@@ -210,7 +210,7 @@ TmEcode AlertJsonIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
 json_object_set_new(js, "sp", json_integer(p->sp));
 json_object_set_new(js, "dstip", json_string(dstip));
 json_object_set_new(js, "dp", json_integer(p->dp));
- json_object_set_new(js, "proto", json_integer(proto));
+ json_object_set_new(js, "proto", json_string(proto));
 json_object_set_new(ajs, "action", json_string(action));
 json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
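Review bot: On the `ajs == NULL` path the half-built object is released with `free(js)`, but `js` came from `json_object()`, so it should go back through jansson's reference counting, `json_decref(js);` — a plain `free()` skips the object's internal hashtable and bypasses any allocator installed with `json_set_alloc_funcs()`. The same line sits in the AlertJsonIPv6 hunk (@@ -331) and the AlertJsonDecoderEvent hunk (@@ -464). Returning `TM_ECODE_OK` on the two allocation failures matches the other early returns in the file, but the alert is then dropped with no trace; a `SCLogDebug` on that path would make the loss visible. AlertJsonIPv4 starts and ends outside the hunk.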
@@ -224,61 +224,15 @@ TmEcode AlertJsonIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
 /* alert */
 json_object_set_new(js, "alert", ajs);
-#else
- json_error_t error;
- js = json_pack_ex(
- &error, 0,
- "{"
- "ss"
- "ss"
- "si"
- "si"
- "si"
- "ss"
- "ss"
- "si"
- "ss"
- "ss"
- "si"
- "ss"
- "si}",
- "time", timebuf,
- "action", action,
- "gid", pa->s->gid,
- "id", pa->s->id,
- "rev", pa->s->rev,
- "msg", (pa->s->msg) ? pa->s->msg : "",
- "class", (pa->s->class_msg) ? pa->s->class_msg : "",
- "pri", pa->s->prio,
- "proto", proto,
- "srcip", srcip,
- "sp", p->sp,
- "dstip", dstip,
- "dp", p->dp
- );
-
- if (js == NULL) {
- SCLogInfo("json_pack error %s", error.text);
- return TM_ECODE_OK;
- }
-#endif
+
 SCMutexLock(&aft->file_ctx->fp_mutex);
 if (json_out == ALERT_FILE) {
-#if 1
 char *s = json_dumps(js, JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
 MemBufferWriteString(aft->buffer, "%s", s);
 MemBufferWriteString(aft->buffer, "\n");
 free(s);
 (void)MemBufferPrintToFPAsString(aft->buffer, aft->file_ctx->fp);
 fflush(aft->file_ctx->fp);
-#else
- json_dumpf(js, aft->file_ctx->fp,
- ((format == INDENT) ? JSON_INDENT(2) : 0) |
- JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
- if (format == INDENT) {
- fputs("\n", aft->file_ctx->fp);
- }
-#endif
 } else {
 char *js_s;
 js_s = json_dumps(js, JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
@@ -331,15 +285,15 @@ TmEcode AlertJsonIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
 } else {
 snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
 }
-#if 1
+
 json_t *js = json_object();
 if (js == NULL)
- return;
+ return TM_ECODE_OK;
 json_t *ajs = json_object();
 if (ajs == NULL) {
 free(js);
- return;
+ return TM_ECODE_OK;
 }
 /* time & tx */
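Review bot: In the @@ -224 hunk `json_dumps()` returns NULL on error, yet `s` goes straight into `MemBufferWriteString(aft->buffer, "%s", s)` and then `free(s)` while `fp_mutex` is held; guard it, e.g. `if (s != NULL) { MemBufferWriteString(aft->buffer, "%s", s); MemBufferWriteString(aft->buffer, "\n"); free(s); }`, and the same unchecked dump sits in the AlertJsonIPv6 (@@ -364) and AlertJsonDecoderEvent (@@ -497) hunks and in the `else` branch's `js_s`. With the dead `#else` branches gone, the IPv4 and IPv6 functions now differ only in the `IPV4_GET_IPPROTO`/`IP_GET_IPPROTO` macro used above the hunk, so the object build and the lock/dump/write sequence could live in one static helper that takes the prepared strings, letting a fix like the one above land once. The unlock and the release of `js` are outside the visible hunk lines.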
@@ -350,7 +304,7 @@ TmEcode AlertJsonIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
 json_object_set_new(js, "sp", json_integer(p->sp));
 json_object_set_new(js, "dstip", json_string(dstip));
 json_object_set_new(js, "dp", json_integer(p->dp));
- json_object_set_new(js, "proto", json_integer(proto));
+ json_object_set_new(js, "proto", json_string(proto));
 json_object_set_new(ajs, "action", json_string(action));
 json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
@@ -364,61 +318,15 @@ TmEcode AlertJsonIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
 /* alert */
 json_object_set_new(js, "alert", ajs);
-#else
- json_error_t error;
- js = json_pack_ex(
- &error, 0,
- "{"
- "ss"
- "ss"
- "si"
- "si"
- "si"
- "ss"
- "ss"
- "si"
- "ss"
- "ss"
- "si"
- "ss"
- "si}",
- "time", timebuf,
- "action", action,
- "gid", pa->s->gid,
- "id", pa->s->id,
- "rev", pa->s->rev,
- "msg", (pa->s->msg) ? pa->s->msg : "",
- "class", (pa->s->class_msg) ? pa->s->class_msg : "",
- "pri", pa->s->prio,
- "proto", proto,
- "srcip", srcip,
- "sp", p->sp,
- "dstip", dstip,
- "dp", p->dp
- );
-
- if (js == NULL) {
- SCLogInfo("json_pack error %s", error.text);
- return TM_ECODE_OK;
- }
-#endif
+
 SCMutexLock(&aft->file_ctx->fp_mutex);
 if (json_out == ALERT_FILE) {
-#if 1
 char *s = json_dumps(js, JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
 MemBufferWriteString(aft->buffer, "%s", s);
 MemBufferWriteString(aft->buffer, "\n");
 free(s);
 (void)MemBufferPrintToFPAsString(aft->buffer, aft->file_ctx->fp);
 fflush(aft->file_ctx->fp);
-#else
- json_dumpf(js, aft->file_ctx->fp,
- ((format == INDENT) ? JSON_INDENT(2) : 0) |
- JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
- if (format == INDENT) {
- fputs("\n", aft->file_ctx->fp);
- }
-#endif
 } else {
 char *js_s;
 js_s = json_dumps(js, JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
@@ -464,15 +372,14 @@ TmEcode AlertJsonDecoderEvent(ThreadVars *tv, Packet *p, void *data, PacketQueue
 char buf[(32 * 3) + 1];
 PrintRawLineHexBuf(buf, sizeof(buf), GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
-#if 1
 json_t *js = json_object();
 if (js == NULL)
- return;
+ return TM_ECODE_OK;
 json_t *ajs = json_object();
 if (ajs == NULL) {
 free(js);
- return;
+ return TM_ECODE_OK;
 }
 /* time & tx */
@@ -497,54 +404,15 @@ TmEcode AlertJsonDecoderEvent(ThreadVars *tv, Packet *p, void *data, PacketQueue
 /* alert */
 json_object_set_new(js, "alert", ajs);
-#else
- json_error_t error;
- js = json_pack_ex(
- &error, 0,
- "{"
- "ss"
- "ss"
- "si"
- "si"
- "si"
- "ss"
- "ss"
- "si"
- "ss}",
- "time", timebuf,
- "action", action,
- "gid", pa->s->gid,
- "id", pa->s->id,
- "rev", pa->s->rev,
- "msg", (pa->s->msg) ? pa->s->msg : "",
- "class", (pa->s->class_msg) ? pa->s->class_msg : "",
- "pri", pa->s->prio,
- "pkt", buf
- );
-
- if (js == NULL) {
- SCLogInfo("json_pack error %s", error.text);
- return TM_ECODE_OK;
- }
-#endif
 SCMutexLock(&aft->file_ctx->fp_mutex);
 if (json_out == ALERT_FILE) {
-#if 1
 char *s = json_dumps(js, JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
 MemBufferWriteString(aft->buffer, "%s", s);
 MemBufferWriteString(aft->buffer, "\n");
 free(s);
 (void)MemBufferPrintToFPAsString(aft->buffer, aft->file_ctx->fp);
 fflush(aft->file_ctx->fp);
-#else
- json_dumpf(js, aft->file_ctx->fp,
- ((format == INDENT) ? JSON_INDENT(2) : 0) |
- JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
- //if (format == INDENT) {
- fputs("\n", aft->file_ctx->fp);
- //}
-#endif
 } else {
 char *js_s;
 js_s = json_dumps(js, JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII);
diff --git a/src/output-dnslog.c b/src/output-dnslog.c
index 8049cdb981..98f0b5c2fe 100644
--- a/src/output-dnslog.c
+++ b/src/output-dnslog.c
@@ -44,7 +44,7 @@
 #include "app-layer.h"
 #include "util-privs.h"
 #include "util-buffer.h"
-
+#include "util-proto-name.h"
 #include "util-logopenfile.h"
 #include "util-time.h"
@@ -139,7 +139,7 @@ static void CreateTypeString(uint16_t type, char *str, size_t str_size) {
 }
 }
-static void LogQuery(LogDnsLogThread *aft, char *timebuf, char *srcip, char *dstip, Port sp, Port dp, DNSTransaction *tx, DNSQueryEntry *entry) {
+static void LogQuery(LogDnsLogThread *aft, char *timebuf, char *srcip, char *dstip, Port sp, Port dp, char *proto, DNSTransaction *tx, DNSQueryEntry *entry) {
 LogDnsFileCtx *hlog = aft->dnslog_ctx;
 SCLogDebug("got a DNS request and now logging !!");
@@ -165,6 +165,7 @@ static void LogQuery(LogDnsLogThread *aft, char *timebuf, char *srcip, char *dst
 json_object_set_new(js, "sp", json_integer(sp));
 json_object_set_new(js, "dstip", json_string(dstip));
 json_object_set_new(js, "dp", json_integer(dp));
+ json_object_set_new(js, "proto", json_string(proto));
 /* type */
 json_object_set_new(djs, "type", json_string("query"));
@@ -347,7 +348,7 @@ static void AppendAnswer(json_t *djs, DNSTransaction *tx, DNSAnswerEntry *entry)
 json_array_append_new(djs, js);
 }
-static void LogAnswers(LogDnsLogThread *aft, char *timebuf, char *srcip, char *dstip, Port sp, Port dp, DNSTransaction *tx) {
+static void LogAnswers(LogDnsLogThread *aft, char *timebuf, char *srcip, char *dstip, Port sp, Port dp, char *proto, DNSTransaction *tx) {
 LogDnsFileCtx *hlog = aft->dnslog_ctx;
 SCLogDebug("got a DNS response and now logging !!");
@@ -373,6 +374,7 @@ static void LogAnswers(LogDnsLogThread *aft, char *timebuf, char *srcip, char *d
 json_object_set_new(js, "sp", json_integer(sp));
 json_object_set_new(js, "dstip", json_string(dstip));
 json_object_set_new(js, "dp", json_integer(dp));
+ json_object_set_new(js, "proto", json_string(proto));
 #if 1
 if (tx->no_such_name) {
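Review bot: The `char *proto` parameter added to `LogQuery` (@@ -139) and `LogAnswers` (@@ -347) is only ever read, into `json_string(proto)`, so it can be declared `const char *proto`; that states the contract at the signature and lets a caller pass a literal or a `const` table entry without a cast. The same applies to the `char *proto` added to `LogHttpLogJSON` in output-httplog.c (@@ -381). The existing `timebuf`/`srcip`/`dstip` parameters are non-const too, so this is a small consistency choice rather than a defect.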
@@ -523,13 +525,20 @@ static TmEcode DnsJsonIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQue
 sp = p->dp;
 dp = p->sp;
 }
+ char proto_s[16];
+ if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
+ strlcpy(proto_s, known_proto[IPV4_GET_IPPROTO(p)], sizeof(proto_s));
+ } else {
+ snprintf(proto_s, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
+ }
+
 #if QUERY
 if (PKT_IS_TOSERVER(p)) {
 DNSTransaction *tx = NULL;
 TAILQ_FOREACH(tx, &dns_state->tx_list, next) {
 DNSQueryEntry *entry = NULL;
 TAILQ_FOREACH(entry, &tx->query_list, next) {
- LogQuery(aft, timebuf, srcip, dstip, sp, dp, tx, entry);
+ LogQuery(aft, timebuf, srcip, dstip, sp, dp, tx, proto_s, entry);
 }
 }
 } else
@@ -544,11 +553,11 @@ static TmEcode DnsJsonIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQue
 DNSQueryEntry *query = NULL;
 TAILQ_FOREACH(query, &tx->query_list, next) {
- LogQuery(aft, timebuf, dstip, srcip, dp, sp, tx, query);
+ LogQuery(aft, timebuf, dstip, srcip, dp, sp, proto_s, tx, query);
 }
 #if 1
- LogAnswers(aft, timebuf, srcip, dstip, sp, dp, tx);
+ LogAnswers(aft, timebuf, srcip, dstip, sp, dp, proto_s, tx);
 #else
 if (tx->no_such_name) {
 LogAnswer(aft, timebuf, srcip, dstip, sp, dp, tx, NULL);
diff --git a/src/output-httplog.c b/src/output-httplog.c
index 33a8d73b77..c698299f21 100644
--- a/src/output-httplog.c
+++ b/src/output-httplog.c
@@ -45,7 +45,7 @@
 #include "app-layer.h"
 #include "util-privs.h"
 #include "util-buffer.h"
-
+#include "util-proto-name.h"
 #include "util-logopenfile.h"
 #include "util-time.h"
@@ -381,7 +381,8 @@ static void LogHttpLogJSONCustom(LogHttpLogThread *aft, htp_tx_t *tx, const stru
 #ifdef HAVE_LIBJANSSON
 /* JSON format logging */
 static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
- char *srcip, Port sp, char *dstip, Port dp)
+ char *srcip, Port sp, char *dstip, Port dp,
+ char *proto)
 {
 LogHttpFileCtx *hlog = aft->httplog_ctx;
 json_t *js = json_object();
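Review bot: The first `LogQuery` call in the @@ -523 hunk passes `tx, proto_s, entry`, but the signature this commit gives `LogQuery` is `..., Port dp, char *proto, DNSTransaction *tx, DNSQueryEntry *entry`, so `tx` arrives as `proto` and the string buffer as `tx`; the two calls in the @@ -544 hunk have the order right, and this one should read `LogQuery(aft, timebuf, srcip, dstip, sp, dp, proto_s, tx, entry);`. In the same block the fallback `snprintf` bounds its write with `sizeof(proto)` while writing into `proto_s`; no `proto` is declared in the visible lines, so this either does not compile or takes the size of some unrelated object, and it should be `sizeof(proto_s)` — the identical line is in HttpJsonIPWrapper in output-httplog.c (@@ -660). Both blocks also read the protocol through `IPV4_GET_IPPROTO(p)`; if this wrapper is reached for IPv6 packets as well, as its name suggests, the family-neutral `IP_GET_IPPROTO(p)` that the AlertJsonIPv6 hunk uses would be the right macro. DnsJsonIPWrapper starts and ends outside the hunk.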
@@ -405,6 +406,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 json_object_set_new(js, "sp", json_integer(sp));
 json_object_set_new(js, "dstip", json_string(dstip));
 json_object_set_new(js, "dp", json_integer(dp));
+ json_object_set_new(js, "proto", json_string(proto));
 char *c;
@@ -412,7 +414,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 if (tx->request_hostname != NULL) {
 json_object_set_new(hjs, "hostname",
- json_string(c = strndup(bstr_ptr(tx->request_hostname),
+ json_string(c = strndup((char *)bstr_ptr(tx->request_hostname),
 bstr_len(tx->request_hostname))));
 if (c) free(c);
 } else {
@@ -423,7 +425,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 if (tx->request_uri != NULL) {
 json_object_set_new(hjs, "uri",
- json_string(c = strndup(bstr_ptr(tx->request_uri),
+ json_string(c = strndup((char *)bstr_ptr(tx->request_uri),
 bstr_len(tx->request_uri))));
 if (c) free(c);
 }
@@ -435,7 +437,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 }
 if (h_user_agent != NULL) {
 json_object_set_new(hjs, "user-agent",
- json_string(c = strndup(bstr_ptr(h_user_agent->value),
+ json_string(c = strndup((char *)bstr_ptr(h_user_agent->value),
 bstr_len(h_user_agent->value))));
 if (c) free(c);
 } else {
@@ -449,7 +451,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 }
 if (h_x_forwarded_for != NULL) {
 json_object_set_new(hjs, "xff",
- json_string(c = strndup(bstr_ptr(h_x_forwarded_for->value),
+ json_string(c = strndup((char *)bstr_ptr(h_x_forwarded_for->value),
 bstr_len(h_x_forwarded_for->value))));
 if (c) free(c);
 }
@@ -461,7 +463,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 }
 if (h_content_type != NULL) {
 char *p;
- c = strndup(bstr_ptr(h_content_type->value),
+ c = strndup((char *)bstr_ptr(h_content_type->value),
 bstr_len(h_content_type->value));
 p = strchrnul(c, ';');
 *p = '\0';
@@ -477,7 +479,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 }
 if (h_referer != NULL) {
 json_object_set_new(hjs, "referer",
- json_string(c = strndup(bstr_ptr(h_referer->value),
+ json_string(c = strndup((char *)bstr_ptr(h_referer->value),
 bstr_len(h_referer->value))));
 if (c) free(c);
 }
@@ -485,7 +487,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 /* method */
 if (tx->request_method != NULL) {
 json_object_set_new(hjs, "method",
- json_string(c = strndup(bstr_ptr(tx->request_method),
+ json_string(c = strndup((char *)bstr_ptr(tx->request_method),
 bstr_len(tx->request_method))));
 if (c) free(c);
 }
@@ -493,7 +495,7 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 /* protocol */
 if (tx->request_protocol != NULL) {
 json_object_set_new(hjs, "protocol",
- json_string(c = strndup(bstr_ptr(tx->request_protocol),
+ json_string(c = strndup((char *)bstr_ptr(tx->request_protocol),
 bstr_len(tx->request_protocol))));
 if (c) free(c);
 }
@@ -501,14 +503,14 @@ static void LogHttpLogJSON(LogHttpLogThread *aft, htp_tx_t *tx, char * timebuf,
 /* response status */
 if (tx->response_status != NULL) {
 json_object_set_new(hjs, "status",
- json_string(c = strndup(bstr_ptr(tx->response_status),
+ json_string(c = strndup((char *)bstr_ptr(tx->response_status),
 bstr_len(tx->response_status))));
 if (c) free(c);
 htp_header_t *h_location = htp_table_get_c(tx->response_headers, "location");
 if (h_location != NULL) {
 json_object_set_new(hjs, "redirect",
- json_string(c = strndup(bstr_ptr(h_location->value),
+ json_string(c = strndup((char *)bstr_ptr(h_location->value),
 bstr_len(h_location->value))));
 if (c) free(c);
 }
@@ -602,6 +604,7 @@ static TmEcode HttpJsonIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQu
 LogHttpLogThread *aft = (LogHttpLogThread *)data;
 LogHttpFileCtx *hlog = aft->httplog_ctx;
 char timebuf[64];
+ char proto_s[16];
 /* no flow, no htp state */
 if (p->flow == NULL) {
@@ -660,6 +663,11 @@ static TmEcode HttpJsonIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQu
 sp = p->dp;
 dp = p->sp;
 }
+ if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
+ strlcpy(proto_s, known_proto[IPV4_GET_IPPROTO(p)], sizeof(proto_s));
+ } else {
+ snprintf(proto_s, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
+ }
 for (; tx_id < total_txs; tx_id++) {
@@ -688,7 +696,7 @@ static TmEcode HttpJsonIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQu
 LogHttpLogJSONCustom(aft, tx, &p->ts, srcip, sp, dstip, dp);
 //} else if (hlog->flags & LOG_HTTP_JSON) {
 } else {
- LogHttpLogJSON(aft, tx, timebuf, srcip, sp, dstip, dp);
+ LogHttpLogJSON(aft, tx, timebuf, srcip, sp, dstip, dp, proto_s);
 }
 aft->uri_cnt ++;