From: Jeff Lucovsky Date: Mon, 13 May 2019 21:58:21 +0000 (-0700) Subject: app-layer: Initial app layer logging X-Git-Tag: suricata-5.0.0-rc1~274 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=50e23ba93a3c7137bd73b3a0ca41185541d0bd49;p=thirdparty%2Fsuricata.git app-layer: Initial app layer logging
---
diff --git a/src/app-layer-events.c b/src/app-layer-events.c
index 2876981cd7..6d1842df25 100644
--- a/src/app-layer-events.c
+++ b/src/app-layer-events.c
@@ -48,6 +48,22 @@ SCEnumCharMap app_layer_event_pkt_table[ ] = {
 -1 },
 };
+int AppLayerGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type)
+{
+ *event_name = SCMapEnumValueToName(event_id, app_layer_event_pkt_table);
+ if (*event_name == NULL) {
+ SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
+ "app-layer-event's enum map table.", event_id);
+ /* yes this is fatal */
+ return -1;
+ }
+
+ *event_type = APP_LAYER_EVENT_TYPE_PACKET;
+
+ return 0;
+}
+
 int AppLayerGetPktEventInfo(const char *event_name, int *event_id)
 {
 *event_id = SCMapEnumNameToValue(event_name, app_layer_event_pkt_table);
diff --git a/src/app-layer-events.h b/src/app-layer-events.h
index 09b476ff6b..4cd945826b 100644
--- a/src/app-layer-events.h
+++ b/src/app-layer-events.h
@@ -58,6 +58,8 @@ typedef enum AppLayerEventType_ {
 int AppLayerGetPktEventInfo(const char *event_name, int *event_id);
+int AppLayerGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type);
 void AppLayerDecoderEventsSetEventRaw(AppLayerDecoderEvents **sevents, uint8_t event);
 void AppLayerDecoderEventsSetEvent(Flow *f, uint8_t event);
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index 58af8e3e03..39069eb151 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
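Review bot: `AppLayerGetEventInfoById` reports a miss with `SCLogError` and the comment `/* yes this is fatal */`, yet it only returns -1, and the wrapper this commit adds in app-layer-parser.c (`AppLayerParserGetEventInfoById`) hands that -1 back as an ordinary result. Once that wrapper is reached from the per-packet anomaly logger with ids taken from traffic, every unknown id would cost an error-level log line, a volume the traffic itself controls; `SCLogDebug` in this lookup routine, leaving the decision to the caller, is the safer default. The same applies to `TemplateStateGetEventInfoById` in the app-layer-template.c hunk, which is a copy of this function. The declaration in app-layer-events.h should also state that the second out-parameter is written only on success, e.g. `/* On success sets *event_name and *event_type and returns 0; for an unknown id sets *event_name to NULL, leaves *event_type untouched and returns -1. */`.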
@@ -110,6 +110,8 @@ typedef struct AppLayerParserProtoCtx_
 void *(*StateGetTx)(void *alstate, uint64_t tx_id);
 AppLayerGetTxIteratorFunc StateGetTxIterator;
 int (*StateGetProgressCompletionStatus)(uint8_t direction);
+ int (*StateGetEventInfoById)(int event_id, const char **event_name,
+ AppLayerEventType *event_type);
 int (*StateGetEventInfo)(const char *event_name, int *event_id,
 AppLayerEventType *event_type);
@@ -547,6 +549,17 @@ void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto,
 SCReturn;
 }
+void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
+ int (*StateGetEventInfoById)(int event_id, const char **event_name,
+ AppLayerEventType *event_type))
+{
+ SCEnter();
+
+ alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
+ StateGetEventInfoById = StateGetEventInfoById;
+
+ SCReturn;
+}
 void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
 int (*StateGetEventInfo)(const char *event_name, int *event_id,
 AppLayerEventType *event_type))
@@ -1047,6 +1060,17 @@ int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *ev
 SCReturnInt(r);
 }
+int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id,
+ const char **event_name, AppLayerEventType *event_type)
+{
+ SCEnter();
+ int ipproto_map = FlowGetProtoMapping(ipproto);
+ *event_name = (const char *)NULL;
+ int r = (alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById == NULL) ?
+ -1 : alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById(event_id, event_name, event_type);
+ SCReturnInt(r);
+}
+
 uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto)
 {
 SCEnter();
diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h
index ab3e5e2941..74320b1726 100644
--- a/src/app-layer-parser.h
+++ b/src/app-layer-parser.h
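Review bot: The new `AppLayerParserRegisterGetEventInfoById` closes with `+}` directly against the context line `void AppLayerParserRegisterGetEventInfo(`, so the two registration functions now sit with no separating blank line; the added block should end with an empty line after its closing brace. The split member access `alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].` / `StateGetEventInfoById = StateGetEventInfoById;` also reads more easily as `int ipproto_map = FlowGetProtoMapping(ipproto);` followed by `alp_ctx.ctxs[ipproto_map][alproto].StateGetEventInfoById = StateGetEventInfoById;`, which is the form the getter later in this file already uses.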
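Review bot: `*event_name = (const char *)NULL;` in `AppLayerParserGetEventInfoById` carries a redundant cast, `*event_name = NULL;` is enough, and it is the only out-parameter the wrapper initialises: when no `StateGetEventInfoById` callback is registered, `*event_type` is left untouched, so callers must check the return value or `*event_name` before reading `event_type`. That contract belongs on the declaration in app-layer-parser.h, e.g. `/* Returns 0 and fills *event_name and *event_type when the parser for alproto resolves event_id; returns -1 with *event_name == NULL (and *event_type unchanged) when no callback is registered or the id is unknown. */`. The two-line ternary that guards the call would also be clearer as an `if (... == NULL) SCReturnInt(-1);` followed by the plain call.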
@@ -161,6 +161,9 @@ void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto,
 void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
 int (*StateGetEventInfo)(const char *event_name, int *event_id,
 AppLayerEventType *event_type));
+void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
+ int (*StateGetEventInfoById)(int event_id, const char **event_name,
+ AppLayerEventType *event_type));
 void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto,
 DetectEngineState *(*GetTxDetectState)(void *tx),
 int (*SetTxDetectState)(void *tx, DetectEngineState *));
@@ -208,6 +211,8 @@ void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint
 int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto,
 uint8_t direction);
 int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
 int *event_id, AppLayerEventType *event_type);
+int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id,
+ const char **event_name, AppLayerEventType *event_type);
 uint64_t AppLayerParserGetTransactionActive(const Flow *f,
 AppLayerParserState *pstate, uint8_t direction);
diff --git a/src/app-layer-template.c b/src/app-layer-template.c
index 299b1ee778..9e8cfeadf6 100644
--- a/src/app-layer-template.c
+++ b/src/app-layer-template.c
@@ -174,6 +174,22 @@ static int TemplateStateGetEventInfo(const char *event_name, int *event_id,
 return 0;
 }
+static int TemplateStateGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type)
+{
+ *event_name = SCMapEnumValueToName(event_id, template_decoder_event_table);
+ if (*event_name == NULL) {
+ SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
+ "template enum map table.", event_id);
+ /* This should be treated as fatal. */
+ return -1;
+ }
+
+ *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+
+ return 0;
+}
+
 static AppLayerDecoderEvents *TemplateGetEvents(void *statev, uint64_t tx_id)
 {
 TemplateState *state = statev;
@@ -534,6 +550,8 @@ void RegisterTemplateParsers(void)
 AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_TEMPLATE,
 TemplateStateGetEventInfo);
+ AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_TEMPLATE,
+ TemplateStateGetEventInfoById);
 AppLayerParserRegisterGetEventsFunc(IPPROTO_TCP, ALPROTO_TEMPLATE,
 TemplateGetEvents);
 }
diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
index 743d465b00..f0878b23ae 100644
--- a/src/output-json-anomaly.c
+++ b/src/output-json-anomaly.c
@@ -29,6 +29,7 @@
 #include "detect.h"
 #include "flow.h"
 #include "conf.h"
+#include "app-layer.h"
 #include "threads.h"
 #include "tm-threads.h"
@@ -74,7 +75,7 @@ typedef struct JsonAnomalyLogThread_ {
 AnomalyJsonOutputCtx* json_output_ctx;
 } JsonAnomalyLogThread;
-static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
+static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
 {
 bool is_ip_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
@@ -134,6 +135,87 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
 return TM_ECODE_OK;
 }
+extern SCEnumCharMap http_decoder_event_table[];
+static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft, const Packet *p, AppLayerDecoderEvents *decoder_events)
+{
+ for (int i = 0; i < decoder_events->cnt; i++) {
+ MemBufferReset(aft->json_buffer);
+
+ json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "app_anomaly");
+
+ if (unlikely(js == NULL)) {
+ return TM_ECODE_OK;
+ }
+ json_t *ajs = json_object();
+ if (unlikely(ajs == NULL)) {
+ json_decref(js);
+ return TM_ECODE_OK;
+ }
+ JsonFiveTuple((const Packet *)p, LOG_DIR_PACKET, js);
+ JsonAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
+ uint8_t event_code = decoder_events->events[i];
+ #if 0
+ int r;
+ AppLayerEventType event_type;
+ r = AppLayerParserGetEventInfo(p->flow->proto, p->flow->alproto, 1, event_code, &event_type);
+ printf("r is %d\n", r);
+ #endif
+ /* include event code with unrecognized events */
+ uint32_t offset = 0;
+ char unknown_event_buf[8];
+ json_object_set_new(ajs, "type", json_string(http_decoder_event_table[event_code].enum_name));
+ json_object_set_new(ajs, "alproto", json_string(AppLayerGetProtoName(p->flow->alproto)));
+ PrintBufferData(unknown_event_buf, &offset, 8, "%d", event_code);
+ json_object_set_new(ajs, "code", json_string(unknown_event_buf));
+
+ /* anomaly */
+ json_object_set_new(js, "app_anomaly", ajs);
+ OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
+
+ json_object_clear(js);
+ json_decref(js);
+ }
+ return TM_ECODE_OK;
+}
+
+static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
+{
+
+ int rc = TM_ECODE_OK;
+
+ if (p->events.cnt) {
+ rc = AnomalyDecodeEventJson(tv, aft, p);
+ }
+
+ if (p->app_layer_events != NULL) {
+ SCLogInfo("We have some events");
+ rc = AnomalyAppLayerDecoderEventJson(aft, p, p->app_layer_events);
+ }
+ return rc;
+
+#if 0
+ if (rc == TM_ECODE_OK && p->flow) {
+ Flow *f = p->flow;
+ if (!AppLayerParserProtocolIsTxEventAware(f->proto, f->alproto)) {
+ return rc;
+ }
+
+ for (uint64_t i = i; i < AppLayerParserGetTxCnt(f, f->alstate); i++) {
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(f->proto, f->alproto, f->alstate, i);
+ if (!(decoder_events && decoder_events->cnt)) {
+ continue;
+ }
+
+ rc = AnomalyAppLayerDecoderEventJson(aft, p, decoder_events);
+ if (rc != TM_ECODE_OK) {
+ break;
+ }
+ }
+ }
+ return rc;
+#endif
+}
+
 static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 {
@@ -143,7 +225,7 @@ static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 static int JsonAnomalyLogCondition(ThreadVars *tv, const Packet *p)
 {
- return p->events.cnt > 0 ? TRUE : FALSE;
+ return p->events.cnt > 0 || p->app_layer_events != NULL;
 }
 #define OUTPUT_BUFFER_SIZE 65535
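Review bot: `json_string(http_decoder_event_table[event_code].enum_name)` in `AnomalyAppLayerDecoderEventJson` resolves every app-layer event through the HTTP table regardless of `p->flow->alproto` and with no bound: `event_code` is a `uint8_t` taken from the packet's `app_layer_events`, the table is only declared here as an unsized `extern`, so a code at or beyond its terminator reads out of bounds and a non-HTTP code is labelled with an HTTP event name. The commit already adds `AppLayerParserGetEventInfoById` for exactly this lookup but leaves the call under `#if 0`; the rewrite below uses it, emits `type` only when the owning parser resolves the id, and keeps the numeric `code` on every record so events from parsers that have not yet registered the callback stay attributable. Before merge both `#if 0` blocks should go (the second contains `for (uint64_t i = i; ...)`, which reads `i` uninitialised if ever enabled, and the first a stray `printf`), and `SCLogInfo("We have some events")` in `AnomalyJson` fires once per packet carrying app-layer events, so it should be `SCLogDebug` or removed. If a packet can carry `app_layer_events` without a flow, `p->flow->alproto` also needs a NULL guard; whether that state is reachable cannot be told from this hunk.
```c
        /* … unchanged: js/ajs creation, JsonFiveTuple, JsonAddCommonOptions … */
        uint8_t event_code = decoder_events->events[i];
        const char *event_name = NULL;
        AppLayerEventType event_type;
        /* ask the parser that owns this flow's alproto; -1 with a NULL name
         * when it registered no ById callback or does not know this code */
        if (AppLayerParserGetEventInfoById(p->flow->proto, p->flow->alproto,
                    event_code, &event_name, &event_type) == 0 && event_name != NULL) {
            json_object_set_new(ajs, "type", json_string(event_name));
        }
        json_object_set_new(ajs, "alproto", json_string(AppLayerGetProtoName(p->flow->alproto)));
        /* the numeric code is always logged so unresolved events stay attributable */
        uint32_t offset = 0;
        char event_code_buf[8];
        PrintBufferData(event_code_buf, &offset, sizeof(event_code_buf), "%d", event_code);
        json_object_set_new(ajs, "code", json_string(event_code_buf));
        /* … unchanged: attach ajs to js, OutputJSONBuffer, json_decref … */
```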
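Review bot: `p->app_layer_events != NULL` in `JsonAnomalyLogCondition` is true for a packet whose event list is allocated but empty; `AnomalyAppLayerDecoderEventJson` then writes nothing, yet the logger is still entered (and, as the code stands, `SCLogInfo` fires) for every such packet. If that state is reachable — where `app_layer_events` is attached is not visible from this hunk — `return p->events.cnt > 0 || (p->app_layer_events != NULL && p->app_layer_events->cnt > 0);` keeps the condition aligned with what is actually logged.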