diff --git a/rust/src/core.rs b/rust/src/core.rs index abb27ea578fe..5d8de0ce1c77 100644 --- a/rust/src/core.rs +++ b/rust/src/core.rs @@ -253,6 +253,13 @@ pub extern "C" fn rs_init(context: &'static SuricataContext) init_ffi(context); } +#[no_mangle] +pub extern "C" fn rs_update_alproto_failed(alproto: AppProto) { + unsafe { + ALPROTO_FAILED = alproto; + } +} + /// DetectEngineStateFree wrapper. pub fn sc_detect_engine_state_free(state: *mut DetectEngineState) { diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs index df0c78e8497f..b4ee22992b55 100644 --- a/rust/src/mqtt/detect.rs +++ b/rust/src/mqtt/detect.rs @@ -168,15 +168,15 @@ pub unsafe extern "C" fn rs_mqtt_tx_get_connect_username( #[no_mangle] pub unsafe extern "C" fn rs_mqtt_tx_get_connect_password( - tx: &MQTTTransaction, buffer: *mut *const u8, buffer_len: *mut u32, -) -> u8 { + tx: &MQTTTransaction, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, +) -> bool { for msg in tx.msg.iter() { if let MQTTOperation::CONNECT(ref cv) = msg.op { if let Some(p) = &cv.password { if !p.is_empty() { *buffer = p.as_ptr(); *buffer_len = p.len() as u32; - return 1; + return true; } } } @@ -184,7 +184,7 @@ pub unsafe extern "C" fn rs_mqtt_tx_get_connect_password( *buffer = ptr::null(); *buffer_len = 0; - return 0; + return false; } #[no_mangle] diff --git a/scripts/setup-app-layer.py b/scripts/setup-app-layer.py index d8426634bca8..26d9892b87f7 100755 --- a/scripts/setup-app-layer.py +++ b/scripts/setup-app-layer.py @@ -200,15 +200,21 @@ def logger_patch_output_c(proto): output = io.StringIO() inlines = open(filename).readlines() for i, line in enumerate(inlines): - if line.find("ALPROTO_TEMPLATE") > -1: - new_line = line.replace("TEMPLATE", proto.upper()).replace( - "template", proto.lower()) - output.write(new_line) - if line.find("output-json-template.h") > -1: - output.write(line.replace("template", proto.lower())) if line.find("/* Template JSON logger.") > -1: output.write(inlines[i].replace("Template", proto)) output.write(inlines[i+1].replace("Template", proto)) + output.write(inlines[i+2].replace("TEMPLATE", proto.upper()).replace( + "template", proto.lower()).replace("Template", proto)) + output.write(inlines[i+3]) + if line.find("rs_template_logger_log") > -1: + output.write(inlines[i].replace("TEMPLATE", proto.upper()).replace( + "template", proto.lower())) + if line.find("OutputTemplateLogInitSub(") > -1: + output.write(inlines[i].replace("Template", proto)) + output.write(inlines[i+1]) + output.write(inlines[i+2].replace("TEMPLATE", proto.upper())) + output.write(inlines[i+3]) + output.write(inlines[i+4]) output.write(line) open(filename, "w").write(output.getvalue()) @@ -216,27 +222,12 @@ def logger_copy_templates(proto): lower = proto.lower() pairs = ( - ("src/output-json-template.h", - "src/output-json-%s.h" % (lower)), - ("src/output-json-template.c", - "src/output-json-%s.c" % (lower)), ("rust/src/applayertemplate/logger.rs", "rust/src/applayer%s/logger.rs" % (lower)), ) common_copy_templates(proto, pairs) -def logger_patch_makefile_am(protoname): - filename = "src/Makefile.am" - print("Patching %s." % (filename)) - output = io.StringIO() - with open(filename) as infile: - for line in infile: - if line.lstrip().startswith("output-json-template."): - output.write(line.replace("template", protoname.lower())) - output.write(line) - open(filename, "w").write(output.getvalue()) - def detect_copy_templates(proto, buffername): lower = proto.lower() @@ -398,7 +389,6 @@ def main(): raise SetupError("no app-layer parser exists for %s" % (proto)) logger_copy_templates(proto) patch_rust_applayer_mod_rs(proto) - logger_patch_makefile_am(proto) logger_patch_output_c(proto) logger_patch_suricata_yaml_in(proto) diff --git a/src/Makefile.am b/src/Makefile.am index 21e1dfe5fbeb..7ab0b06bc6b9 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -137,6 +137,7 @@ noinst_HEADERS = \ detect-engine-file.h \ detect-engine-frame.h \ detect-engine.h \ + detect-engine-helper.h \ detect-engine-iponly.h \ detect-engine-loader.h \ detect-engine-mpm.h \ @@ -397,7 +398,6 @@ noinst_HEADERS = \ output.h \ output-json-alert.h \ output-json-anomaly.h \ - output-json-bittorrent-dht.h \ output-json-dcerpc.h \ output-json-dhcp.h \ output-json-dnp3.h \ @@ -410,27 +410,16 @@ noinst_HEADERS = \ output-json-frame.h \ output-json-ftp.h \ output-json.h \ - output-json-http2.h \ output-json-http.h \ output-json-ike.h \ - output-json-krb5.h \ output-json-metadata.h \ - output-json-modbus.h \ - output-json-quic.h \ output-json-mqtt.h \ output-json-netflow.h \ output-json-nfs.h \ output-json-pgsql.h \ - output-json-rdp.h \ - output-json-rfb.h \ - output-json-sip.h \ output-json-smb.h \ output-json-smtp.h \ - output-json-snmp.h \ - output-json-ssh.h \ output-json-stats.h \ - output-json-template.h \ - output-json-tftp.h \ output-json-tls.h \ output-eve-syslog.h \ output-lua.h \ @@ -753,6 +742,7 @@ libsuricata_c_a_SOURCES = \ detect-engine-event.c \ detect-engine-file.c \ detect-engine-frame.c \ + detect-engine-helper.c \ detect-engine-iponly.c \ detect-engine-loader.c \ detect-engine-mpm.c \ @@ -1009,7 +999,6 @@ libsuricata_c_a_SOURCES = \ output-flow.c \ output-json-alert.c \ output-json-anomaly.c \ - output-json-bittorrent-dht.c \ output-json.c \ output-json-common.c \ output-json-dcerpc.c \ @@ -1023,27 +1012,16 @@ libsuricata_c_a_SOURCES = \ output-json-flow.c \ output-json-frame.c \ output-json-ftp.c \ - output-json-http2.c \ output-json-http.c \ output-json-ike.c \ - output-json-krb5.c \ output-json-metadata.c \ - output-json-modbus.c \ - output-json-quic.c \ output-json-mqtt.c \ output-json-netflow.c \ output-json-nfs.c \ output-json-pgsql.c \ - output-json-rdp.c \ - output-json-rfb.c \ - output-json-sip.c \ output-json-smb.c \ output-json-smtp.c \ - output-json-snmp.c \ - output-json-ssh.c \ output-json-stats.c \ - output-json-template.c \ - output-json-tftp.c \ output-json-tls.c \ output-eve-syslog.c \ output-eve-null.c \ diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index 690950d34e72..4aa7049c6345 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -489,8 +489,8 @@ static inline AppProto PPGetProto(const AppLayerProtoDetectProbingParserElement if (AppProtoIsValid(alproto)) { SCReturnUInt(alproto); } - if (alproto == ALPROTO_FAILED || - (pe->max_depth != 0 && buflen > pe->max_depth)) { + if (alproto == ALPROTO_FAILED || alproto == ALPROTO_INVALID || + (pe->max_depth != 0 && buflen > pe->max_depth)) { alproto_masks[0] |= pe->alproto_mask; } pe = pe->next; diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 1f6066471757..557e348a5429 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -63,6 +63,10 @@ #include "app-layer-rdp.h" #include "app-layer-http2.h" +#ifdef ALPROTO_DYNAMIC_NB +#include "util-plugin.h" +#endif + struct AppLayerParserThreadCtx_ { void *alproto_local_storage[FLOW_PROTO_MAX][ALPROTO_MAX]; }; @@ -1786,6 +1790,16 @@ void AppLayerParserRegisterProtocolParsers(void) "imap"); } +#ifdef ALPROTO_DYNAMIC_NB + for (size_t i = 0; i < ALPROTO_DYNAMIC_NB; i++) { + SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i); + if (app_layer_plugin == NULL) { + break; + } + app_layer_plugin->Register(); + } +#endif + ValidateParsers(); return; } diff --git a/src/app-layer-protos.c b/src/app-layer-protos.c index 368efacd88d7..ad5a77c37daf 100644 --- a/src/app-layer-protos.c +++ b/src/app-layer-protos.c @@ -24,13 +24,16 @@ #include "suricata-common.h" #include "app-layer-protos.h" +#include "rust.h" + +AppProto ALPROTO_FAILED = ALPROTO_MAX_STATIC; typedef struct AppProtoStringTuple { AppProto alproto; const char *str; } AppProtoStringTuple; -const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = { +AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = { { ALPROTO_UNKNOWN, "unknown" }, { ALPROTO_HTTP1, "http1" }, { ALPROTO_FTP, "ftp" }, @@ -65,10 +68,10 @@ const AppProtoStringTuple AppProtoStrings[ALPROTO_MAX] = { { ALPROTO_HTTP2, "http2" }, { ALPROTO_BITTORRENT_DHT, "bittorrent-dht" }, { ALPROTO_HTTP, "http" }, - { ALPROTO_FAILED, "failed" }, #ifdef UNITTESTS { ALPROTO_TEST, "test" }, #endif + { ALPROTO_MAX_STATIC, "failed" }, }; const char *AppProtoToString(AppProto alproto) @@ -98,9 +101,21 @@ AppProto StringToAppProto(const char *proto_name) // We could use a Multi Pattern Matcher for (size_t i = 0; i < ARRAY_SIZE(AppProtoStrings); i++) { - if (strcmp(proto_name, AppProtoStrings[i].str) == 0) + if (AppProtoStrings[i].str != NULL && strcmp(proto_name, AppProtoStrings[i].str) == 0) return AppProtoStrings[i].alproto; } return ALPROTO_UNKNOWN; } + +void RegisterAppProtoString(AppProto alproto, const char *proto_name) +{ + if (alproto == ALPROTO_FAILED && alproto + 1 < ALPROTO_MAX) { + AppProtoStrings[alproto].str = proto_name; + AppProtoStrings[alproto].alproto = alproto; + ALPROTO_FAILED++; + rs_update_alproto_failed(ALPROTO_FAILED); + AppProtoStrings[ALPROTO_FAILED].str = "failed"; + AppProtoStrings[ALPROTO_FAILED].alproto = ALPROTO_FAILED; + } +} diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h index dd372550cbf5..4b0134559a06 100644 --- a/src/app-layer-protos.h +++ b/src/app-layer-protos.h @@ -65,20 +65,24 @@ enum AppProtoEnum { // HTTP for any version (ALPROTO_HTTP1 (version 1) or ALPROTO_HTTP2) ALPROTO_HTTP, - /* used by the probing parser when alproto detection fails - * permanently for that particular stream */ - ALPROTO_FAILED, #ifdef UNITTESTS ALPROTO_TEST, #endif /* UNITESTS */ /* keep last */ - ALPROTO_MAX, + ALPROTO_MAX_STATIC, + ALPROTO_INVALID = 0xffff, }; // NOTE: if ALPROTO's get >= 256, update SignatureNonPrefilterStore /* not using the enum as that is a unsigned int, so 4 bytes */ typedef uint16_t AppProto; +extern AppProto ALPROTO_FAILED; +#ifdef ALPROTO_DYNAMIC_NB +#define ALPROTO_MAX (ALPROTO_MAX_STATIC + 1 + ALPROTO_DYNAMIC_NB) +#else +#define ALPROTO_MAX (ALPROTO_MAX_STATIC + 1) +#endif static inline bool AppProtoIsValid(AppProto a) { return ((a > ALPROTO_UNKNOWN && a < ALPROTO_FAILED)); @@ -115,4 +119,6 @@ const char *AppProtoToString(AppProto alproto); */ AppProto StringToAppProto(const char *proto_name); +void RegisterAppProtoString(AppProto alproto, const char *proto_name); + #endif /* __APP_LAYER_PROTOS_H__ */ diff --git a/src/app-layer-register.c b/src/app-layer-register.c index c4441d9f7c5b..c51073543b91 100644 --- a/src/app-layer-register.c +++ b/src/app-layer-register.c @@ -58,7 +58,6 @@ AppProto AppLayerRegisterProtocolDetection(const struct AppLayerParser *p, int e AppLayerProtoDetectRegisterProtocol(alproto, p->name); if (p->ProbeTS == NULL && p->ProbeTC == NULL) { - BUG_ON(p->default_port != NULL); return alproto; } diff --git a/src/app-layer.c b/src/app-layer.c index 3625e87e9ed6..b9965b0ac25b 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -839,42 +839,39 @@ int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow * tctx->alpd_tctx, f, p->payload, p->payload_len, IPPROTO_UDP, flags, &reverse_flow); PACKET_PROFILING_APP_PD_END(tctx); - switch (*alproto) { - case ALPROTO_UNKNOWN: - if (*alproto_otherdir != ALPROTO_UNKNOWN) { - // Use recognized side - f->alproto = *alproto_otherdir; - // do not keep ALPROTO_UNKNOWN for this side so as not to loop - *alproto = *alproto_otherdir; - if (*alproto_otherdir == ALPROTO_FAILED) { - SCLogDebug("ALPROTO_UNKNOWN flow %p", f); - } - } else { - // First side of protocol is unknown - *alproto = ALPROTO_FAILED; + if (*alproto == ALPROTO_UNKNOWN) { + if (*alproto_otherdir != ALPROTO_UNKNOWN) { + // Use recognized side + f->alproto = *alproto_otherdir; + // do not keep ALPROTO_UNKNOWN for this side so as not to loop + *alproto = *alproto_otherdir; + if (*alproto_otherdir == ALPROTO_FAILED) { + SCLogDebug("ALPROTO_UNKNOWN flow %p", f); } - break; - case ALPROTO_FAILED: - if (*alproto_otherdir != ALPROTO_UNKNOWN) { - // Use recognized side - f->alproto = *alproto_otherdir; - if (*alproto_otherdir == ALPROTO_FAILED) { - SCLogDebug("ALPROTO_UNKNOWN flow %p", f); - } + } else { + // First side of protocol is unknown + *alproto = ALPROTO_FAILED; + } + } else if (*alproto == ALPROTO_FAILED) { + if (*alproto_otherdir != ALPROTO_UNKNOWN) { + // Use recognized side + f->alproto = *alproto_otherdir; + if (*alproto_otherdir == ALPROTO_FAILED) { + SCLogDebug("ALPROTO_UNKNOWN flow %p", f); } - // else wait for second side of protocol - break; - default: - if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) { - if (*alproto_otherdir != *alproto) { - AppLayerDecoderEventsSetEventRaw( - &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); - // data already sent to parser, we cannot change the protocol to use the one - // of the server - } - } else { - f->alproto = *alproto; + } + // else wait for second side of protocol + } else { + if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != ALPROTO_FAILED) { + if (*alproto_otherdir != *alproto) { + AppLayerDecoderEventsSetEventRaw( + &p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); + // data already sent to parser, we cannot change the protocol to use the one + // of the server } + } else { + f->alproto = *alproto; + } } if (*alproto_otherdir == ALPROTO_UNKNOWN) { if (f->alproto == ALPROTO_UNKNOWN) { diff --git a/src/detect-engine-file.h b/src/detect-engine-file.h index 3705a8f6e601..3b58ac9deee4 100644 --- a/src/detect-engine-file.h +++ b/src/detect-engine-file.h @@ -28,4 +28,15 @@ uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *_alstate, void *tx, uint64_t tx_id); +// file protocols with common file handling +typedef struct { + AppProto al_proto; + int direction; + int to_client_progress; + int to_server_progress; +} DetectFileHandlerProtocol_t; + +void DetectFileRegisterProto( + AppProto alproto, int direction, int to_client_progress, int to_server_progress); + #endif /* __DETECT_ENGINE_FILE_H__ */ diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c new file mode 100644 index 000000000000..634afd3f1c40 --- /dev/null +++ b/src/detect-engine-helper.c @@ -0,0 +1,110 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Philippe Antoine + * + */ + +#include "suricata-common.h" +#include "detect-engine.h" +#include "detect-engine-helper.h" +#include "detect-engine-mpm.h" +#include "detect-engine-prefilter.h" +#include "detect-parse.h" + +int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver) +{ + if (toserver) { + DetectAppLayerInspectEngineRegister2( + name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); + } + if (toclient) { + DetectAppLayerInspectEngineRegister2( + name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectGenericList, NULL); + } + return DetectBufferTypeRegister(name); +} + +InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, + bool (*GetBuf)(void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)) +{ + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + const uint8_t *b = NULL; + uint32_t b_len = 0; + + if (!GetBuf(txv, flow_flags, &b, &b_len)) + return NULL; + + InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + return buffer; +} + +int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, + bool toclient, bool toserver, InspectionBufferGetDataPtr GetData) +{ + if (toserver) { + DetectAppLayerInspectEngineRegister2( + name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); + DetectAppLayerMpmRegister2( + name, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + } + if (toclient) { + DetectAppLayerInspectEngineRegister2( + name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectBufferGeneric, GetData); + DetectAppLayerMpmRegister2( + name, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + } + DetectBufferTypeSetDescriptionByName(name, desc); + return DetectBufferTypeGetByName(name); +} + +int DetectHelperKeywordRegister(const SCPluginSigTableElmt *kw) +{ + if (DETECT_TBLSIZE_IDX < DETECT_TBLSIZE) { + sigmatch_table[DETECT_TBLSIZE_IDX].name = kw->name; + sigmatch_table[DETECT_TBLSIZE_IDX].desc = kw->desc; + sigmatch_table[DETECT_TBLSIZE_IDX].flags = kw->flags; + sigmatch_table[DETECT_TBLSIZE_IDX].AppLayerTxMatch = kw->AppLayerTxMatch; + sigmatch_table[DETECT_TBLSIZE_IDX].Setup = kw->Setup; + sigmatch_table[DETECT_TBLSIZE_IDX].Free = kw->Free; + DETECT_TBLSIZE_IDX++; + return DETECT_TBLSIZE_IDX - 1; + } + return -1; +} + +int DetectHelperKeywordSetup(DetectEngineCtx *de_ctx, AppProto alproto, uint16_t kw_id, int buf_id, + Signature *s, void *ctx) +{ + if (DetectSignatureSetAppProto(s, alproto) != 0) + return -1; + + /* okay so far so good, lets get this into a SigMatch + * and put it in the Signature. */ + if (SigMatchAppendSMToList(de_ctx, s, kw_id, (SigMatchCtx *)ctx, buf_id) == NULL) { + return -1; + } + return 0; +} diff --git a/src/detect-engine-helper.h b/src/detect-engine-helper.h new file mode 100644 index 000000000000..9291c0f1e27e --- /dev/null +++ b/src/detect-engine-helper.h @@ -0,0 +1,54 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Philippe Antoine + */ + +#ifndef __DETECT_ENGINE_HELPER_H +#define __DETECT_ENGINE_HELPER_H + +#include "app-layer-protos.h" +#include "detect.h" + +// Structure for keyword dynamic registration by plugin +typedef struct SCPluginSigTableElmt { + const char *name; + const char *desc; + uint16_t flags; + int (*Setup)(DetectEngineCtx *, Signature *, const char *); + void (*Free)(DetectEngineCtx *, void *); + int (*AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, + const Signature *, const SigMatchCtx *); +} SCPluginSigTableElmt; + +int DetectHelperKeywordRegister(const SCPluginSigTableElmt *kw); +int DetectHelperBufferRegister(const char *name, AppProto alproto, bool toclient, bool toserver); + +typedef bool (*SimpleGetTxBuffer)(void *, uint8_t, const uint8_t **, uint32_t *); + +int DetectHelperKeywordSetup(DetectEngineCtx *de_ctx, AppProto alproto, uint16_t kw_id, int buf_id, + Signature *s, void *ctx); +InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, SimpleGetTxBuffer GetBuf); +int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, + bool toclient, bool toserver, InspectionBufferGetDataPtr GetData); + +#endif /* __DETECT_ENGINE_HELPER_H */ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 0f459eccb67b..3b92c2b7f83b 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -309,6 +309,10 @@ #include "util-path.h" #include "util-mpm-ac.h" #include "runmodes.h" +#include "util-plugin.h" + +int DETECT_TBLSIZE = DETECT_TBLSIZE_STATIC; +int DETECT_TBLSIZE_IDX = DETECT_TBLSIZE_STATIC; static void PrintFeatureList(const SigTableElmt *e, char sep) { @@ -378,7 +382,7 @@ static void SigMultilinePrint(int i, const char *prefix) int SigTableList(const char *keyword) { - size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt); + size_t size = DETECT_TBLSIZE; size_t i; if (keyword == NULL) { @@ -453,15 +457,54 @@ int SigTableList(const char *keyword) static void DetectFileHandlerRegister(void) { - for (int i = 0; i < DETECT_TBLSIZE; i++) { + for (int i = 0; i < DETECT_TBLSIZE_STATIC; i++) { if (filehandler_table[i].name) DetectFileRegisterFileProtocols(&filehandler_table[i]); } } +void SigTableCleanup(void) +{ + if (sigmatch_table != sigmatch_table_static) { + SCFree(sigmatch_table); + sigmatch_table = sigmatch_table_static; + DETECT_TBLSIZE = DETECT_TBLSIZE_STATIC; + } +} + void SigTableSetup(void) { - memset(sigmatch_table, 0, sizeof(sigmatch_table)); +#ifdef ALPROTO_DYNAMIC_NB + bool to_grow = false; + for (size_t i = 0; i < ALPROTO_DYNAMIC_NB; i++) { + SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i); + if (app_layer_plugin == NULL) { + break; + } + if (app_layer_plugin->keywords_nb > 0) { + DETECT_TBLSIZE += app_layer_plugin->keywords_nb; + to_grow = true; + } + } + if (to_grow) { + if (sigmatch_table == sigmatch_table_static) { + sigmatch_table = SCMalloc(DETECT_TBLSIZE * sizeof(SigTableElmt)); + if (sigmatch_table == NULL) { + SCLogError("Failed to allocate bigger sigmatch_table, falling back to static one"); + sigmatch_table = sigmatch_table_static; + DETECT_TBLSIZE = DETECT_TBLSIZE_STATIC; + } + } else { + void *tmp = SCRealloc(sigmatch_table, DETECT_TBLSIZE * sizeof(SigTableElmt)); + if (tmp == NULL) { + SCLogError("Failed to reallocate bigger sigmatch_table, keeping one"); + } else { + sigmatch_table = tmp; + } + } + } +#endif + memset(sigmatch_table, 0, DETECT_TBLSIZE * sizeof(SigTableElmt)); DetectSidRegister(); DetectPriorityRegister(); @@ -693,6 +736,18 @@ void SigTableSetup(void) DetectQuicCyuHashRegister(); DetectQuicCyuStringRegister(); +#ifdef ALPROTO_DYNAMIC_NB + for (size_t i = 0; i < ALPROTO_DYNAMIC_NB; i++) { + SCAppLayerPlugin *app_layer_plugin = SCPluginFindAppLayerByIndex(i); + if (app_layer_plugin == NULL) { + break; + } + if (app_layer_plugin->KeywordsRegister != NULL) { + app_layer_plugin->KeywordsRegister(); + } + } +#endif + DetectBypassRegister(); DetectConfigRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 273aa10d7c9b..67960ef6c1f7 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -341,10 +341,13 @@ enum DetectKeywordId { DETECT_AL_IKE_KEY_EXCHANGE, /* make sure this stays last */ - DETECT_TBLSIZE, + DETECT_TBLSIZE_STATIC, }; +extern int DETECT_TBLSIZE; +extern int DETECT_TBLSIZE_IDX; int SigTableList(const char *keyword); +void SigTableCleanup(void); void SigTableSetup(void); void SigTableRegisterTests(void); diff --git a/src/detect-engine.c b/src/detect-engine.c index 4cf145df6e2b..32ef333a3a35 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -2508,6 +2508,14 @@ static DetectEngineCtx *DetectEngineCtxInitReal( goto error; } + de_ctx->sm_types_prefilter = SCCalloc(DETECT_TBLSIZE, sizeof(bool)); + if (de_ctx->sm_types_prefilter == NULL) { + goto error; + } + de_ctx->sm_types_silent_error = SCCalloc(DETECT_TBLSIZE, sizeof(bool)); + if (de_ctx->sm_types_silent_error == NULL) { + goto error; + } if (DetectEngineCtxLoadConf(de_ctx) == -1) { goto error; } @@ -2641,6 +2649,8 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) SigGroupCleanup(de_ctx); SpmDestroyGlobalThreadCtx(de_ctx->spm_global_thread_ctx); + SCFree(de_ctx->sm_types_prefilter); + SCFree(de_ctx->sm_types_silent_error); MpmFactoryDeRegisterAllMpmCtxProfiles(de_ctx); diff --git a/src/detect-mqtt-connect-password.c b/src/detect-mqtt-connect-password.c index c08390748fe0..6749629a017e 100644 --- a/src/detect-mqtt-connect-password.c +++ b/src/detect-mqtt-connect-password.c @@ -26,6 +26,7 @@ #include "detect.h" #include "detect-parse.h" #include "detect-engine.h" +#include "detect-engine-helper.h" #include "detect-engine-mpm.h" #include "detect-engine-prefilter.h" #include "detect-mqtt-connect-password.h" @@ -49,24 +50,11 @@ static int DetectMQTTConnectPasswordSetup(DetectEngineCtx *de_ctx, Signature *s, } static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, - Flow *_f, const uint8_t _flow_flags, - void *txv, const int list_id) + const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv, + const int list_id) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (rs_mqtt_tx_get_connect_password(txv, &b, &b_len) != 1) - return NULL; - if (b == NULL || b_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - return buffer; + return DetectHelperGetData(det_ctx, transforms, _f, flow_flags, txv, list_id, + (SimpleGetTxBuffer)rs_mqtt_tx_get_connect_password); } void DetectMQTTConnectPasswordRegister(void) @@ -78,17 +66,8 @@ void DetectMQTTConnectPasswordRegister(void) sigmatch_table[DETECT_AL_MQTT_CONNECT_PASSWORD].Setup = DetectMQTTConnectPasswordSetup; sigmatch_table[DETECT_AL_MQTT_CONNECT_PASSWORD].flags |= SIGMATCH_NOOPT; - DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_MQTT, - SIG_FLAG_TOSERVER, 0, - DetectEngineInspectBufferGeneric, GetData); - - DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, - PrefilterGenericMpmRegister, GetData, ALPROTO_MQTT, - 1); - - DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); - - g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); + g_buffer_id = DetectHelperBufferMpmRegister( + BUFFER_NAME, BUFFER_DESC, ALPROTO_MQTT, false, true, GetData); SCLogDebug("registering " BUFFER_NAME " rule option"); } diff --git a/src/detect-parse.c b/src/detect-parse.c index e1ac5f74b5a4..d5adba00a9a8 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -68,40 +68,52 @@ #include "string.h" #include "detect-parse.h" #include "detect-engine-iponly.h" +#include "detect-engine-file.h" #include "app-layer-detect-proto.h" #include "action-globals.h" #include "util-validate.h" /* Table with all filehandler registrations */ -DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE]; +DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]; + +// file protocols with common file handling +DetectFileHandlerProtocol_t al_protocols[ALPROTO_MAX] = { + { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, + { .al_proto = ALPROTO_HTTP1, + .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, + .to_client_progress = HTP_RESPONSE_BODY, + .to_server_progress = HTP_REQUEST_BODY }, + { .al_proto = ALPROTO_HTTP2, + .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, + .to_client_progress = HTTP2StateDataServer, + .to_server_progress = HTTP2StateDataClient }, + { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER }, { .al_proto = ALPROTO_UNKNOWN } +}; + +void DetectFileRegisterProto( + AppProto alproto, int direction, int to_client_progress, int to_server_progress) +{ + size_t i = 0; + while (al_protocols[i].al_proto != ALPROTO_UNKNOWN) { + i++; + } + al_protocols[i].al_proto = alproto; + al_protocols[i].direction = direction; + al_protocols[i].to_client_progress = to_client_progress; + al_protocols[i].to_server_progress = to_server_progress; + al_protocols[i + 1].al_proto = ALPROTO_UNKNOWN; +} void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg) { - // file protocols with common file handling - typedef struct { - AppProto al_proto; - int direction; - int to_client_progress; - int to_server_progress; - } DetectFileHandlerProtocol_t; - static DetectFileHandlerProtocol_t al_protocols[] = { - { .al_proto = ALPROTO_NFS, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_SMB, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_FTP, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_FTPDATA, .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT }, - { .al_proto = ALPROTO_HTTP1, - .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, - .to_client_progress = HTP_RESPONSE_BODY, - .to_server_progress = HTP_REQUEST_BODY }, - { .al_proto = ALPROTO_HTTP2, - .direction = SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT, - .to_client_progress = HTTP2StateDataServer, - .to_server_progress = HTTP2StateDataClient }, - { .al_proto = ALPROTO_SMTP, .direction = SIG_FLAG_TOSERVER } - }; - for (size_t i = 0; i < ARRAY_SIZE(al_protocols); i++) { + if (al_protocols[i].al_proto == ALPROTO_UNKNOWN) { + break; + } int direction = al_protocols[i].direction == 0 ? (int)(SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT) : al_protocols[i].direction; @@ -126,7 +138,8 @@ void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *reg) } /* Table with all SigMatch registrations */ -SigTableElmt sigmatch_table[DETECT_TBLSIZE]; +SigTableElmt sigmatch_table_static[DETECT_TBLSIZE_STATIC]; +SigTableElmt *sigmatch_table = sigmatch_table_static; extern bool sc_set_caps; @@ -396,7 +409,7 @@ bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx, bool SigMatchStrictEnabled(const enum DetectKeywordId id) { - if (id < DETECT_TBLSIZE) { + if ((int)id < DETECT_TBLSIZE) { return ((sigmatch_table[id].flags & SIGMATCH_STRICT_PARSING) != 0); } return false; diff --git a/src/detect-parse.h b/src/detect-parse.h index 2eecd286f631..ebcd7ab905f1 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -42,7 +42,7 @@ typedef struct DetectFileHandlerTableElmt_ { void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry); /* File registration table */ -extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE]; +extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]; /** Flags to indicate if the Signature parsing must be done * switching the source and dest (for ip addresses and ports) diff --git a/src/detect-snmp-version.c b/src/detect-snmp-version.c index 64029659381e..3400452e7d0b 100644 --- a/src/detect-snmp-version.c +++ b/src/detect-snmp-version.c @@ -29,6 +29,7 @@ #include "detect-engine-content-inspection.h" #include "detect-snmp-version.h" #include "detect-engine-uint.h" +#include "detect-engine-helper.h" #include "app-layer-parser.h" #include "rust.h" @@ -60,13 +61,7 @@ void DetectSNMPVersionRegister (void) sigmatch_table[DETECT_AL_SNMP_VERSION].RegisterTests = DetectSNMPVersionRegisterTests; #endif - DetectAppLayerInspectEngineRegister2("snmp.version", ALPROTO_SNMP, SIG_FLAG_TOSERVER, 0, - DetectEngineInspectGenericList, NULL); - - DetectAppLayerInspectEngineRegister2("snmp.version", ALPROTO_SNMP, SIG_FLAG_TOCLIENT, 0, - DetectEngineInspectGenericList, NULL); - - g_snmp_version_buffer_id = DetectBufferTypeGetByName("snmp.version"); + g_snmp_version_buffer_id = DetectHelperBufferRegister("snmp.version", ALPROTO_SNMP, true, true); } /** @@ -131,30 +126,18 @@ static DetectU32Data *DetectSNMPVersionParse(const char *rawstr) static int DetectSNMPVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) { - DetectU32Data *dd = NULL; - - if (DetectSignatureSetAppProto(s, ALPROTO_SNMP) != 0) - return -1; - - dd = DetectSNMPVersionParse(rawstr); + DetectU32Data *dd = DetectSNMPVersionParse(rawstr); if (dd == NULL) { SCLogError("Parsing \'%s\' failed", rawstr); - goto error; + return -1; } - - /* okay so far so good, lets get this into a SigMatch - * and put it in the Signature. */ - - SCLogDebug("snmp.version %d", dd->arg1); - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SNMP_VERSION, (SigMatchCtx *)dd, - g_snmp_version_buffer_id) == NULL) { - goto error; + if (DetectHelperKeywordSetup(de_ctx, ALPROTO_SNMP, DETECT_AL_SNMP_VERSION, + g_snmp_version_buffer_id, s, dd) < 0) { + DetectSNMPVersionFree(de_ctx, dd); + return -1; } + SCLogDebug("snmp.version %d", dd->arg1); return 0; - -error: - DetectSNMPVersionFree(de_ctx, dd); - return -1; } /** diff --git a/src/detect.h b/src/detect.h index a3cd161fa654..033c6f2d6d56 100644 --- a/src/detect.h +++ b/src/detect.h @@ -1010,8 +1010,8 @@ typedef struct DetectEngineCtx_ { /** per keyword flag indicating if a prefilter has been * set for it. If true, the setup function will have to * run. */ - bool sm_types_prefilter[DETECT_TBLSIZE]; - bool sm_types_silent_error[DETECT_TBLSIZE]; + bool *sm_types_prefilter; + bool *sm_types_silent_error; /* classification config parsing */ @@ -1543,7 +1543,8 @@ typedef struct DetectEngineMasterCtx_ { } DetectEngineMasterCtx; /* Table with all SigMatch registrations */ -extern SigTableElmt sigmatch_table[DETECT_TBLSIZE]; +extern SigTableElmt *sigmatch_table; +extern SigTableElmt sigmatch_table_static[DETECT_TBLSIZE_STATIC]; /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index c7acfe64d140..129845fcd7b3 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -64,20 +64,15 @@ #include "output-json-dns.h" #include "output-json-http.h" #include "output-json-tls.h" -#include "output-json-ssh.h" #include "rust.h" #include "output-json-smtp.h" #include "output-json-email-common.h" #include "output-json-nfs.h" #include "output-json-smb.h" #include "output-json-flow.h" -#include "output-json-sip.h" -#include "output-json-rfb.h" #include "output-json-mqtt.h" #include "output-json-ike.h" -#include "output-json-modbus.h" #include "output-json-frame.h" -#include "output-json-quic.h" #include "util-byte.h" #include "util-privs.h" diff --git a/src/output-json-bittorrent-dht.c b/src/output-json-bittorrent-dht.c deleted file mode 100644 index 066df78f61fb..000000000000 --- a/src/output-json-bittorrent-dht.c +++ /dev/null @@ -1,163 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * Implement JSON/eve logging app-layer BitTorrent DHT. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "output-json-bittorrent-dht.h" -#include "rust.h" - -typedef struct LogBitTorrentDHTFileCtx_ { - uint32_t flags; - OutputJsonCtx *eve_ctx; -} LogBitTorrentDHTFileCtx; - -typedef struct LogBitTorrentDHTLogThread_ { - LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx; - OutputJsonThreadCtx *ctx; -} LogBitTorrentDHTLogThread; - -static int JsonBitTorrentDHTLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, - void *state, void *tx, uint64_t tx_id) -{ - LogBitTorrentDHTLogThread *thread = thread_data; - - JsonBuilder *js = CreateEveHeader( - p, LOG_DIR_PACKET, "bittorrent_dht", NULL, thread->bittorrent_dht_log_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_FAILED; - } - - if (!rs_bittorrent_dht_logger_log(tx, js)) { - goto error; - } - - OutputJsonBuilderBuffer(js, thread->ctx); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static void OutputBitTorrentDHTLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx = (LogBitTorrentDHTFileCtx *)output_ctx->data; - SCFree(bittorrent_dht_log_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogBitTorrentDHTFileCtx *bittorrent_dht_log_ctx = SCCalloc(1, sizeof(*bittorrent_dht_log_ctx)); - if (unlikely(bittorrent_dht_log_ctx == NULL)) { - return result; - } - bittorrent_dht_log_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - SCFree(bittorrent_dht_log_ctx); - return result; - } - output_ctx->data = bittorrent_dht_log_ctx; - output_ctx->DeInit = OutputBitTorrentDHTLogDeInitCtxSub; - - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonBitTorrentDHTLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - LogBitTorrentDHTLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogBitTorrentDHT. \"initdata\" is NULL."); - goto error_exit; - } - - thread->bittorrent_dht_log_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->bittorrent_dht_log_ctx->eve_ctx); - if (!thread->ctx) { - goto error_exit; - } - *data = (void *)thread; - - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonBitTorrentDHTLogThreadDeinit(ThreadVars *t, void *data) -{ - LogBitTorrentDHTLogThread *thread = (LogBitTorrentDHTLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonBitTorrentDHTLogRegister(void) -{ - if (ConfGetNode("app-layer.protocols.bittorrent-dht") == NULL) { - return; - } - - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonBitTorrentDHTLog", - "eve-log.bittorrent-dht", OutputBitTorrentDHTLogInitSub, ALPROTO_BITTORRENT_DHT, - JsonBitTorrentDHTLogger, JsonBitTorrentDHTLogThreadInit, - JsonBitTorrentDHTLogThreadDeinit, NULL); -} diff --git a/src/output-json-bittorrent-dht.h b/src/output-json-bittorrent-dht.h deleted file mode 100644 index 8927f4d15996..000000000000 --- a/src/output-json-bittorrent-dht.h +++ /dev/null @@ -1,27 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - */ - -#ifndef __OUTPUT_JSON_BITTORRENT_DHT_H__ -#define __OUTPUT_JSON_BITTORRENT_DHT_H__ - -void JsonBitTorrentDHTLogRegister(void); - -#endif /* __OUTPUT_JSON_BITTORRENT_DHT_H__ */ diff --git a/src/output-json-dnp3.c b/src/output-json-dnp3.c index 4336e04e070c..1387d6213632 100644 --- a/src/output-json-dnp3.c +++ b/src/output-json-dnp3.c @@ -140,7 +140,7 @@ static void JsonDNP3LogObjects(JsonBuilder *js, DNP3ObjectList *objects) } } -void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx) +static void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx) { JB_SET_STRING(js, "type", "request"); @@ -171,7 +171,7 @@ void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *dnp3tx) jb_close(js); } -void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx) +static void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *dnp3tx) { if (dnp3tx->ah.function_code == DNP3_APP_FC_UNSOLICITED_RESP) { JB_SET_STRING(js, "type", "unsolicited_response"); diff --git a/src/output-json-dnp3.h b/src/output-json-dnp3.h index 6f81026780d9..5b5f56236abd 100644 --- a/src/output-json-dnp3.h +++ b/src/output-json-dnp3.h @@ -20,9 +20,6 @@ #include "app-layer-dnp3.h" -void JsonDNP3LogRequest(JsonBuilder *js, DNP3Transaction *); -void JsonDNP3LogResponse(JsonBuilder *js, DNP3Transaction *); - void JsonDNP3LogRegister(void); bool AlertJsonDnp3(void *vtx, JsonBuilder *js); diff --git a/src/output-json-dns.c b/src/output-json-dns.c index 27aa55d8e305..29fd62f42b52 100644 --- a/src/output-json-dns.c +++ b/src/output-json-dns.c @@ -306,19 +306,22 @@ static JsonBuilder *JsonDNSLogAnswer(void *txptr) bool AlertJsonDns(void *txptr, JsonBuilder *js) { + bool r = false; jb_open_object(js, "dns"); JsonBuilder *qjs = JsonDNSLogQuery(txptr); if (qjs != NULL) { jb_set_object(js, "query", qjs); jb_free(qjs); + r = true; } JsonBuilder *ajs = JsonDNSLogAnswer(txptr); if (ajs != NULL) { jb_set_object(js, "answer", ajs); jb_free(ajs); + r = true; } jb_close(js); - return true; + return r; } static int JsonDnsLoggerToServer(ThreadVars *tv, void *thread_data, diff --git a/src/output-json-file.c b/src/output-json-file.c index 1018be06ee80..ae8400a18d53 100644 --- a/src/output-json-file.c +++ b/src/output-json-file.c @@ -61,7 +61,6 @@ #include "output-json-email-common.h" #include "output-json-nfs.h" #include "output-json-smb.h" -#include "output-json-http2.h" #include "app-layer-htp.h" #include "app-layer-htp-xff.h" diff --git a/src/output-json-ftp.c b/src/output-json-ftp.c index 34422f72f4af..14232bdfe393 100644 --- a/src/output-json-ftp.c +++ b/src/output-json-ftp.c @@ -154,60 +154,3 @@ bool EveFTPLogCommand(void *vtx, JsonBuilder *jb) jb_close(jb); return true; } - - -static int JsonFTPLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id) -{ - SCEnter(); - OutputJsonThreadCtx *thread = thread_data; - - const char *event_type; - if (f->alproto == ALPROTO_FTPDATA) { - event_type = "ftp_data"; - } else { - event_type = "ftp"; - } - - JsonBuilder *jb = - CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, event_type, NULL, tx_id, thread->ctx); - if (likely(jb)) { - if (f->alproto == ALPROTO_FTPDATA) { - if (!EveFTPDataAddMetadata(vtx, jb)) { - goto fail; - } - } else { - EveFTPLogCommand(vtx, jb); - } - - OutputJsonBuilderBuffer(jb, thread); - - jb_free(jb); - } - return TM_ECODE_OK; - -fail: - jb_free(jb); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputFTPLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_FTP); - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_FTPDATA); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonFTPLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonFTPLog", "eve-log.ftp", - OutputFTPLogInitSub, ALPROTO_FTP, JsonFTPLogger, JsonLogThreadInit, JsonLogThreadDeinit, - NULL); - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonFTPLog", "eve-log.ftp", - OutputFTPLogInitSub, ALPROTO_FTPDATA, JsonFTPLogger, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); - - SCLogDebug("FTP JSON logger registered."); -} diff --git a/src/output-json-ftp.h b/src/output-json-ftp.h index 704defd9585c..61922795ce6f 100644 --- a/src/output-json-ftp.h +++ b/src/output-json-ftp.h @@ -24,7 +24,6 @@ #ifndef __OUTPUT_JSON_FTP_H__ #define __OUTPUT_JSON_FTP_H__ -void JsonFTPLogRegister(void); bool EveFTPLogCommand(void *vtx, JsonBuilder *js); #endif /* __OUTPUT_JSON_FTP_H__ */ diff --git a/src/output-json-http2.c b/src/output-json-http2.c deleted file mode 100644 index cb096f37a043..000000000000 --- a/src/output-json-http2.c +++ /dev/null @@ -1,169 +0,0 @@ -/* Copyright (C) 2020-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Philippe Antoine - * - * Implements HTTP2 JSON logging portion of the engine. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-print.h" -#include "util-unittest.h" - -#include "util-debug.h" -#include "app-layer-parser.h" -#include "output.h" -#include "app-layer-http2.h" -#include "app-layer.h" -#include "util-privs.h" -#include "util-buffer.h" - -#include "util-logopenfile.h" - -#include "output-json.h" -#include "output-json-http2.h" -#include "rust.h" - -#define MODULE_NAME "LogHttp2Log" - -typedef struct OutputHttp2Ctx_ { - OutputJsonCtx *eve_ctx; -} OutputHttp2Ctx; - - -typedef struct JsonHttp2LogThread_ { - OutputHttp2Ctx *http2log_ctx; - OutputJsonThreadCtx *ctx; -} JsonHttp2LogThread; - -static int JsonHttp2Logger(ThreadVars *tv, void *thread_data, const Packet *p, - Flow *f, void *state, void *txptr, uint64_t tx_id) -{ - JsonHttp2LogThread *aft = (JsonHttp2LogThread *)thread_data; - - if (unlikely(state == NULL)) { - return 0; - } - - JsonBuilder *js = CreateEveHeaderWithTxId( - p, LOG_DIR_FLOW, "http", NULL, tx_id, aft->http2log_ctx->eve_ctx); - if (unlikely(js == NULL)) - return 0; - - if (!rs_http2_log_json(txptr, js)) { - goto end; - } - OutputJsonBuilderBuffer(js, aft->ctx); -end: - jb_free(js); - return 0; -} - -static TmEcode JsonHttp2LogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - JsonHttp2LogThread *aft = SCCalloc(1, sizeof(JsonHttp2LogThread)); - if (unlikely(aft == NULL)) - return TM_ECODE_FAILED; - - if(initdata == NULL) - { - SCLogDebug("Error getting context for EveLogHTTP2. \"initdata\" argument NULL"); - goto error_exit; - } - - /* Use the Output Context (file pointer and mutex) */ - aft->http2log_ctx = ((OutputCtx *)initdata)->data; - aft->ctx = CreateEveThreadCtx(t, aft->http2log_ctx->eve_ctx); - if (!aft->ctx) { - goto error_exit; - } - - *data = (void *)aft; - return TM_ECODE_OK; - -error_exit: - SCFree(aft); - return TM_ECODE_FAILED; -} - -static TmEcode JsonHttp2LogThreadDeinit(ThreadVars *t, void *data) -{ - JsonHttp2LogThread *aft = (JsonHttp2LogThread *)data; - if (aft == NULL) { - return TM_ECODE_OK; - } - - FreeEveThreadCtx(aft->ctx); - /* clear memory */ - memset(aft, 0, sizeof(JsonHttp2LogThread)); - - SCFree(aft); - return TM_ECODE_OK; -} - -static void OutputHttp2LogDeinitSub(OutputCtx *output_ctx) -{ - OutputHttp2Ctx *http2_ctx = output_ctx->data; - SCFree(http2_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ojc = parent_ctx->data; - - OutputHttp2Ctx *http2_ctx = SCCalloc(1, sizeof(OutputHttp2Ctx)); - if (unlikely(http2_ctx == NULL)) - return result; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx)); - if (unlikely(output_ctx == NULL)) { - SCFree(http2_ctx); - return result; - } - - http2_ctx->eve_ctx = ojc; - - output_ctx->data = http2_ctx; - output_ctx->DeInit = OutputHttp2LogDeinitSub; - - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -void JsonHttp2LogRegister (void) -{ - /* also register as child of eve-log */ - OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", MODULE_NAME, "eve-log.http2", - OutputHttp2LogInitSub, ALPROTO_HTTP2, JsonHttp2Logger, HTTP2StateClosed, - HTTP2StateClosed, JsonHttp2LogThreadInit, JsonHttp2LogThreadDeinit, NULL); -} diff --git a/src/output-json-http2.h b/src/output-json-http2.h deleted file mode 100644 index 88ba420ab2df..000000000000 --- a/src/output-json-http2.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Philippe Antoine - */ - -#ifndef __OUTPUT_JSON_HTTP2_H__ -#define __OUTPUT_JSON_HTTP2_H__ - -void JsonHttp2LogRegister(void); - -#endif /* __OUTPUT_JSON_HTTP2_H__ */ diff --git a/src/output-json-krb5.c b/src/output-json-krb5.c deleted file mode 100644 index 9fc45c5d3c53..000000000000 --- a/src/output-json-krb5.c +++ /dev/null @@ -1,92 +0,0 @@ -/* Copyright (C) 2018-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - * - * Implement JSON/eve logging app-layer KRB5. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-krb5.h" -#include "output-json-krb5.h" - -#include "rust.h" - -static int JsonKRB5Logger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - KRB5Transaction *krb5tx = tx; - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "krb5", NULL, thread->ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_FAILED; - } - - if (!rs_krb5_log_json_response(krb5tx, jb)) { - goto error; - } - - OutputJsonBuilderBuffer(jb, thread); - - jb_free(jb); - return TM_ECODE_OK; - -error: - jb_free(jb); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputKRB5LogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_KRB5); - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_KRB5); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonKRB5LogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonKRB5Log", "eve-log.krb5", - OutputKRB5LogInitSub, ALPROTO_KRB5, JsonKRB5Logger, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); - - SCLogDebug("KRB5 JSON logger registered."); -} diff --git a/src/output-json-krb5.h b/src/output-json-krb5.h deleted file mode 100644 index 87f5b79136cb..000000000000 --- a/src/output-json-krb5.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - */ - -#ifndef __OUTPUT_JSON_KRB5_H__ -#define __OUTPUT_JSON_KRB5_H__ - -void JsonKRB5LogRegister(void); - -#endif /* __OUTPUT_JSON_KRB5_H__ */ diff --git a/src/output-json-modbus.c b/src/output-json-modbus.c deleted file mode 100644 index 9e508ead9acc..000000000000 --- a/src/output-json-modbus.c +++ /dev/null @@ -1,147 +0,0 @@ -/* Copyright (C) 2019-2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" -#include "output.h" -#include "output-json.h" -#include "app-layer.h" -#include "app-layer-parser.h" -#include "output-json-modbus.h" -#include "rust.h" - -typedef struct LogModbusFileCtx_ { - LogFileCtx *file_ctx; - OutputJsonCtx *eve_ctx; -} LogModbusFileCtx; - -typedef struct JsonModbusLogThread_ { - LogModbusFileCtx *modbuslog_ctx; - OutputJsonThreadCtx *ctx; -} JsonModbusLogThread; - -static int JsonModbusLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, - void *state, void *tx, uint64_t tx_id) -{ - JsonModbusLogThread *thread = thread_data; - - JsonBuilder *js = - CreateEveHeader(p, LOG_DIR_FLOW, "modbus", NULL, thread->modbuslog_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - if (!rs_modbus_to_json(tx, js)) { - jb_free(js); - return TM_ECODE_FAILED; - } - OutputJsonBuilderBuffer(js, thread->ctx); - - jb_free(js); - return TM_ECODE_OK; -} - -static void OutputModbusLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogModbusFileCtx *modbuslog_ctx = (LogModbusFileCtx *)output_ctx->data; - SCFree(modbuslog_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputModbusLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogModbusFileCtx *modbuslog_ctx = SCCalloc(1, sizeof(*modbuslog_ctx)); - if (unlikely(modbuslog_ctx == NULL)) { - return result; - } - modbuslog_ctx->file_ctx = ajt->file_ctx; - modbuslog_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - SCFree(modbuslog_ctx); - return result; - } - output_ctx->data = modbuslog_ctx; - output_ctx->DeInit = OutputModbusLogDeInitCtxSub; - - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_MODBUS); - - SCLogDebug("modbus log sub-module initialized."); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonModbusLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogModbus. \"initdata\" is NULL."); - return TM_ECODE_FAILED; - } - - JsonModbusLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - thread->modbuslog_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->modbuslog_ctx->eve_ctx); - if (thread->ctx == NULL) { - goto error_exit; - } - - *data = (void *)thread; - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonModbusLogThreadDeinit(ThreadVars *t, void *data) -{ - JsonModbusLogThread *thread = (JsonModbusLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonModbusLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonModbusLog", "eve-log.modbus", - OutputModbusLogInitSub, ALPROTO_MODBUS, JsonModbusLogger, JsonModbusLogThreadInit, - JsonModbusLogThreadDeinit, NULL); - - SCLogDebug("modbus json logger registered."); -} diff --git a/src/output-json-modbus.h b/src/output-json-modbus.h deleted file mode 100644 index 2b07e4eb2d5c..000000000000 --- a/src/output-json-modbus.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#ifndef __OUTPUT_JSON_MODBUS_H__ -#define __OUTPUT_JSON_MODBUS_H__ - -void JsonModbusLogRegister(void); - -#endif /* __OUTPUT_JSON_MODBUS_H__ */ diff --git a/src/output-json-quic.c b/src/output-json-quic.c deleted file mode 100644 index 830ac78fdfbb..000000000000 --- a/src/output-json-quic.c +++ /dev/null @@ -1,151 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * Implements JSON/eve logging for Quic app-layer. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" -#include "output.h" -#include "output-json.h" -#include "app-layer.h" -#include "app-layer-parser.h" -#include "output-json-quic.h" -#include "rust.h" - -typedef struct LogQuicFileCtx_ { - LogFileCtx *file_ctx; - OutputJsonCtx *eve_ctx; -} LogQuicFileCtx; - -typedef struct JsonQuicLogThread_ { - LogQuicFileCtx *quiclog_ctx; - OutputJsonThreadCtx *ctx; -} JsonQuicLogThread; - -static int JsonQuicLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, - void *tx, uint64_t tx_id) -{ - JsonQuicLogThread *thread = thread_data; - - JsonBuilder *js = - CreateEveHeader(p, LOG_DIR_PACKET, "quic", NULL, thread->quiclog_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - if (!rs_quic_to_json(tx, js)) { - jb_free(js); - return TM_ECODE_FAILED; - } - OutputJsonBuilderBuffer(js, thread->ctx); - - jb_free(js); - return TM_ECODE_OK; -} - -static void OutputQuicLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogQuicFileCtx *quiclog_ctx = (LogQuicFileCtx *)output_ctx->data; - SCFree(quiclog_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputQuicLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogQuicFileCtx *quiclog_ctx = SCCalloc(1, sizeof(*quiclog_ctx)); - if (unlikely(quiclog_ctx == NULL)) { - return result; - } - quiclog_ctx->file_ctx = ajt->file_ctx; - quiclog_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - SCFree(quiclog_ctx); - return result; - } - output_ctx->data = quiclog_ctx; - output_ctx->DeInit = OutputQuicLogDeInitCtxSub; - - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_QUIC); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonQuicLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogQuic. \"initdata\" is NULL."); - return TM_ECODE_FAILED; - } - - JsonQuicLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - thread->quiclog_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->quiclog_ctx->eve_ctx); - if (thread->ctx == NULL) { - goto error_exit; - } - - *data = (void *)thread; - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonQuicLogThreadDeinit(ThreadVars *t, void *data) -{ - JsonQuicLogThread *thread = (JsonQuicLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonQuicLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonQuicLog", "eve-log.quic", - OutputQuicLogInitSub, ALPROTO_QUIC, JsonQuicLogger, JsonQuicLogThreadInit, - JsonQuicLogThreadDeinit, NULL); - - SCLogDebug("quic json logger registered."); -} diff --git a/src/output-json-quic.h b/src/output-json-quic.h deleted file mode 100644 index 48e38185f2bd..000000000000 --- a/src/output-json-quic.h +++ /dev/null @@ -1,27 +0,0 @@ -/* Copyright (C) 2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - */ - -#ifndef __OUTPUT_JSON_QUIC_H__ -#define __OUTPUT_JSON_QUIC_H__ - -void JsonQuicLogRegister(void); - -#endif /* __OUTPUT_JSON_QUIC_H__ */ diff --git a/src/output-json-rdp.c b/src/output-json-rdp.c deleted file mode 100644 index bc5d9ae9df89..000000000000 --- a/src/output-json-rdp.c +++ /dev/null @@ -1,79 +0,0 @@ -/* Copyright (C) 2019-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Zach Kelly - * - * Application layer logger for RDP - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" -#include "output.h" -#include "output-json.h" -#include "app-layer.h" -#include "app-layer-parser.h" -#include "app-layer-rdp.h" -#include "output-json-rdp.h" -#include "rust.h" - -static int JsonRdpLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "rdp", NULL, thread->ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - if (!rs_rdp_to_json(tx, js)) { - jb_free(js); - return TM_ECODE_FAILED; - } - OutputJsonBuilderBuffer(js, thread); - - jb_free(js); - return TM_ECODE_OK; -} - -static OutputInitResult OutputRdpLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RDP); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonRdpLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRdpLog", "eve-log.rdp", - OutputRdpLogInitSub, ALPROTO_RDP, JsonRdpLogger, JsonLogThreadInit, JsonLogThreadDeinit, - NULL); - - SCLogDebug("rdp json logger registered."); -} diff --git a/src/output-json-rdp.h b/src/output-json-rdp.h deleted file mode 100644 index 5dc9237691ea..000000000000 --- a/src/output-json-rdp.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Zach Kelly - */ - -#ifndef __OUTPUT_JSON_RDP_H__ -#define __OUTPUT_JSON_RDP_H__ - -void JsonRdpLogRegister(void); - -#endif /* __OUTPUT_JSON_RDP_H__ */ diff --git a/src/output-json-rfb.c b/src/output-json-rfb.c deleted file mode 100644 index e2b832bece13..000000000000 --- a/src/output-json-rfb.c +++ /dev/null @@ -1,86 +0,0 @@ -/* Copyright (C) 2020-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Frank Honza - * - * Implement JSON/eve logging app-layer RFB. - */ - -#include "suricata-common.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-rfb.h" -#include "output-json-rfb.h" - -#include "rust-bindings.h" - -static int JsonRFBLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "rfb", NULL, thread->ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_FAILED; - } - - if (!rs_rfb_logger_log(tx, js)) { - goto error; - } - - OutputJsonBuilderBuffer(js, thread); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputRFBLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonRFBLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRFBLog", "eve-log.rfb", - OutputRFBLogInitSub, ALPROTO_RFB, JsonRFBLogger, JsonLogThreadInit, JsonLogThreadDeinit, - NULL); -} diff --git a/src/output-json-rfb.h b/src/output-json-rfb.h deleted file mode 100644 index 7e4e48ebd4c8..000000000000 --- a/src/output-json-rfb.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2020 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Frank Honza - */ - -#ifndef __OUTPUT_JSON_RFB_H__ -#define __OUTPUT_JSON_RFB_H__ - -void JsonRFBLogRegister(void); - -#endif /* __OUTPUT_JSON_RFB_H__ */ diff --git a/src/output-json-sip.c b/src/output-json-sip.c deleted file mode 100644 index 7dd442cf6aba..000000000000 --- a/src/output-json-sip.c +++ /dev/null @@ -1,91 +0,0 @@ -/* Copyright (C) 2018-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - * - * Implement JSON/eve logging app-layer SIP. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-sip.h" -#include "output-json-sip.h" - -#include "rust.h" - -static int JsonSIPLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - SIPTransaction *siptx = tx; - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *js = CreateEveHeader((Packet *)p, LOG_DIR_PACKET, "sip", NULL, thread->ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_OK; - } - - if (!rs_sip_log_json(siptx, js)) { - goto error; - } - - OutputJsonBuilderBuffer(js, thread); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputSIPLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SIP); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonSIPLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip", - OutputSIPLogInitSub, ALPROTO_SIP, JsonSIPLogger, JsonLogThreadInit, JsonLogThreadDeinit, - NULL); - - SCLogDebug("SIP JSON logger registered."); -} diff --git a/src/output-json-sip.h b/src/output-json-sip.h deleted file mode 100644 index 0d2c53fa50df..000000000000 --- a/src/output-json-sip.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Giuseppe Longo - */ - -#ifndef __OUTPUT_JSON_SIP_H__ -#define __OUTPUT_JSON_SIP_H__ - -void JsonSIPLogRegister(void); - -#endif /* __OUTPUT_JSON_SIP_H__ */ diff --git a/src/output-json-snmp.c b/src/output-json-snmp.c deleted file mode 100644 index cbf0a7c992e4..000000000000 --- a/src/output-json-snmp.c +++ /dev/null @@ -1,91 +0,0 @@ -/* Copyright (C) 2018-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - * - * Implement JSON/eve logging app-layer SNMP. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-snmp.h" -#include "output-json-snmp.h" - -#include "rust.h" - -static int JsonSNMPLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - SNMPTransaction *snmptx = tx; - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "snmp", NULL, thread->ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_FAILED; - } - - if (!rs_snmp_log_json_response(snmptx, jb)) { - goto error; - } - - OutputJsonBuilderBuffer(jb, thread); - - jb_free(jb); - return TM_ECODE_OK; - -error: - jb_free(jb); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputSNMPLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SNMP); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonSNMPLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSNMPLog", "eve-log.snmp", - OutputSNMPLogInitSub, ALPROTO_SNMP, JsonSNMPLogger, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); - - SCLogDebug("SNMP JSON logger registered."); -} diff --git a/src/output-json-snmp.h b/src/output-json-snmp.h deleted file mode 100644 index 4c88db32317d..000000000000 --- a/src/output-json-snmp.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2015-2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Pierre Chifflier - */ - -#ifndef __OUTPUT_JSON_SNMP_H__ -#define __OUTPUT_JSON_SNMP_H__ - -void JsonSNMPLogRegister(void); - -#endif /* __OUTPUT_JSON_SNMP_H__ */ diff --git a/src/output-json-ssh.c b/src/output-json-ssh.c deleted file mode 100644 index 45a8d8eab333..000000000000 --- a/src/output-json-ssh.c +++ /dev/null @@ -1,89 +0,0 @@ -/* Copyright (C) 2014-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - * - * Implements SSH JSON logging portion of the engine. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-print.h" -#include "util-unittest.h" - -#include "util-debug.h" -#include "app-layer-parser.h" -#include "output.h" -#include "app-layer-ssh.h" -#include "app-layer.h" -#include "util-privs.h" -#include "util-buffer.h" - -#include "util-logopenfile.h" - -#include "output-json.h" -#include "output-json-ssh.h" -#include "rust.h" - -#define MODULE_NAME "LogSshLog" - -static int JsonSshLogger(ThreadVars *tv, void *thread_data, const Packet *p, - Flow *f, void *state, void *txptr, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - if (unlikely(state == NULL)) { - return 0; - } - - JsonBuilder *js = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "ssh", NULL, tx_id, thread->ctx); - if (unlikely(js == NULL)) - return 0; - - if (!rs_ssh_log_json(txptr, js)) { - goto end; - } - OutputJsonBuilderBuffer(js, thread); - -end: - jb_free(js); - return 0; -} - -static OutputInitResult OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonSshLogRegister (void) -{ - /* register as child of eve-log */ - OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_TX, "eve-log", "JsonSshLog", "eve-log.ssh", - OutputSshLogInitSub, ALPROTO_SSH, JsonSshLogger, SSHTxLogCondition, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); -} diff --git a/src/output-json-ssh.h b/src/output-json-ssh.h deleted file mode 100644 index d0f9d3fc7dde..000000000000 --- a/src/output-json-ssh.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2014 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - */ - -#ifndef __OUTPUT_JSON_SSH_H__ -#define __OUTPUT_JSON_SSH_H__ - -void JsonSshLogRegister(void); - -#endif /* __OUTPUT_JSON_SSH_H__ */ diff --git a/src/output-json-template.c b/src/output-json-template.c deleted file mode 100644 index 2ca48b7ae373..000000000000 --- a/src/output-json-template.c +++ /dev/null @@ -1,176 +0,0 @@ -/* Copyright (C) 2018-2022 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/* - * TODO: Update \author in this file and in output-json-template.h. - * TODO: Remove SCLogNotice statements, or convert to debug. - * TODO: Implement your app-layers logging. - */ - -/** - * \file - * - * \author FirstName LastName - * - * Implement JSON/eve logging app-layer Template. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "output-json-template.h" -#include "rust.h" - -typedef struct LogTemplateFileCtx_ { - uint32_t flags; - OutputJsonCtx *eve_ctx; -} LogTemplateFileCtx; - -typedef struct LogTemplateLogThread_ { - LogTemplateFileCtx *templatelog_ctx; - OutputJsonThreadCtx *ctx; -} LogTemplateLogThread; - -static int JsonTemplateLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, - void *state, void *tx, uint64_t tx_id) -{ - SCLogNotice("JsonTemplateLogger"); - LogTemplateLogThread *thread = thread_data; - - JsonBuilder *js = - CreateEveHeader(p, LOG_DIR_PACKET, "template", NULL, thread->templatelog_ctx->eve_ctx); - if (unlikely(js == NULL)) { - return TM_ECODE_FAILED; - } - - if (!rs_template_logger_log(tx, js)) { - goto error; - } - - OutputJsonBuilderBuffer(js, thread->ctx); - jb_free(js); - - return TM_ECODE_OK; - -error: - jb_free(js); - return TM_ECODE_FAILED; -} - -static void OutputTemplateLogDeInitCtxSub(OutputCtx *output_ctx) -{ - LogTemplateFileCtx *templatelog_ctx = (LogTemplateFileCtx *)output_ctx->data; - SCFree(templatelog_ctx); - SCFree(output_ctx); -} - -static OutputInitResult OutputTemplateLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) -{ - OutputInitResult result = { NULL, false }; - OutputJsonCtx *ajt = parent_ctx->data; - - LogTemplateFileCtx *templatelog_ctx = SCCalloc(1, sizeof(*templatelog_ctx)); - if (unlikely(templatelog_ctx == NULL)) { - return result; - } - templatelog_ctx->eve_ctx = ajt; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); - if (unlikely(output_ctx == NULL)) { - SCFree(templatelog_ctx); - return result; - } - output_ctx->data = templatelog_ctx; - output_ctx->DeInit = OutputTemplateLogDeInitCtxSub; - - SCLogNotice("Template log sub-module initialized."); - - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TEMPLATE); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -static TmEcode JsonTemplateLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - LogTemplateLogThread *thread = SCCalloc(1, sizeof(*thread)); - if (unlikely(thread == NULL)) { - return TM_ECODE_FAILED; - } - - if (initdata == NULL) { - SCLogDebug("Error getting context for EveLogTemplate. \"initdata\" is NULL."); - goto error_exit; - } - - thread->templatelog_ctx = ((OutputCtx *)initdata)->data; - thread->ctx = CreateEveThreadCtx(t, thread->templatelog_ctx->eve_ctx); - if (!thread->ctx) { - goto error_exit; - } - *data = (void *)thread; - - return TM_ECODE_OK; - -error_exit: - SCFree(thread); - return TM_ECODE_FAILED; -} - -static TmEcode JsonTemplateLogThreadDeinit(ThreadVars *t, void *data) -{ - LogTemplateLogThread *thread = (LogTemplateLogThread *)data; - if (thread == NULL) { - return TM_ECODE_OK; - } - FreeEveThreadCtx(thread->ctx); - SCFree(thread); - return TM_ECODE_OK; -} - -void JsonTemplateLogRegister(void) -{ - /* TEMPLATE_START_REMOVE */ - if (ConfGetNode("app-layer.protocols.template") == NULL) { - return; - } - /* TEMPLATE_END_REMOVE */ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTemplateLog", "eve-log.template", - OutputTemplateLogInitSub, ALPROTO_TEMPLATE, JsonTemplateLogger, - JsonTemplateLogThreadInit, JsonTemplateLogThreadDeinit, NULL); - - SCLogNotice("Template JSON logger registered."); -} diff --git a/src/output-json-template.h b/src/output-json-template.h deleted file mode 100644 index d27b8d7c0e05..000000000000 --- a/src/output-json-template.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2018 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author FirstName LastName - */ - -#ifndef __OUTPUT_JSON_TEMPLATE_RUST_H__ -#define __OUTPUT_JSON_TEMPLATE_RUST_H__ - -void JsonTemplateLogRegister(void); - -#endif /* __OUTPUT_JSON_TEMPLATE_RUST_H__ */ diff --git a/src/output-json-tftp.c b/src/output-json-tftp.c deleted file mode 100644 index a0bc9ee1809e..000000000000 --- a/src/output-json-tftp.c +++ /dev/null @@ -1,90 +0,0 @@ -/* Copyright (C) 2020-2021 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Clément Galland - * - * Implement JSON/eve logging app-layer TFTP. - */ - -#include "suricata-common.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-unittest.h" -#include "util-buffer.h" -#include "util-debug.h" -#include "util-byte.h" - -#include "output.h" -#include "output-json.h" - -#include "app-layer.h" -#include "app-layer-parser.h" - -#include "app-layer-tftp.h" -#include "output-json-tftp.h" - -#include "rust.h" - -static int JsonTFTPLogger(ThreadVars *tv, void *thread_data, - const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) -{ - OutputJsonThreadCtx *thread = thread_data; - - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "tftp", NULL, thread->ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_FAILED; - } - - if (unlikely(!rs_tftp_log_json_request(tx, jb))) { - goto error; - } - - OutputJsonBuilderBuffer(jb, thread); - - jb_free(jb); - return TM_ECODE_OK; - -error: - jb_free(jb); - return TM_ECODE_FAILED; -} - -static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf, - OutputCtx *parent_ctx) -{ - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP); - return OutputJsonLogInitSub(conf, parent_ctx); -} - -void JsonTFTPLogRegister(void) -{ - /* Register as an eve sub-module. */ - OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTFTPLog", "eve-log.tftp", - OutputTFTPLogInitSub, ALPROTO_TFTP, JsonTFTPLogger, JsonLogThreadInit, - JsonLogThreadDeinit, NULL); - - SCLogDebug("TFTP JSON logger registered."); -} diff --git a/src/output-json-tftp.h b/src/output-json-tftp.h deleted file mode 100644 index 3db4ba06cd55..000000000000 --- a/src/output-json-tftp.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2017 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Clément Galland - */ - -#ifndef __OUTPUT_JSON_TFTP_H__ -#define __OUTPUT_JSON_TFTP_H__ - -void JsonTFTPLogRegister(void); - -#endif /* __OUTPUT_JSON_TFTP_H__ */ diff --git a/src/output.c b/src/output.c index 149dda58c284..865d6a5cfb0d 100644 --- a/src/output.c +++ b/src/output.c @@ -54,12 +54,12 @@ #include "log-httplog.h" #include "output-json-http.h" #include "output-json-dns.h" -#include "output-json-modbus.h" #include "log-tlslog.h" #include "log-tlsstore.h" #include "output-json-tls.h" -#include "output-json-ssh.h" #include "log-pcap.h" +// for SSHTxLogCondition +#include "app-layer-ssh.h" #include "output-json-file.h" #include "output-json-smtp.h" #include "output-json-stats.h" @@ -69,26 +69,17 @@ #include "output-json-ftp.h" // for misplaced EveFTPDataAddMetadata #include "app-layer-ftp.h" -#include "output-json-tftp.h" #include "output-json-smb.h" #include "output-json-ike.h" -#include "output-json-krb5.h" -#include "output-json-quic.h" #include "output-json-dhcp.h" -#include "output-json-snmp.h" -#include "output-json-sip.h" -#include "output-json-rfb.h" #include "output-json-mqtt.h" #include "output-json-pgsql.h" -#include "output-json-template.h" -#include "output-json-rdp.h" -#include "output-json-http2.h" #include "output-lua.h" #include "output-json-dnp3.h" #include "output-json-metadata.h" #include "output-json-dcerpc.h" #include "output-json-frame.h" -#include "output-json-bittorrent-dht.h" +#include "app-layer-parser.h" #include "output-filestore.h" typedef struct RootLogger_ { @@ -1034,6 +1025,136 @@ void OutputRegisterRootLoggers(void) OutputStreamingLoggerRegister(); } +static int JsonGenericLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, + void *state, void *tx, uint64_t tx_id) +{ + OutputJsonThreadCtx *thread = thread_data; + EveJsonSimpleAppLayerLogger *al = SCEveJsonSimpleGetLogger(f->alproto); + if (al == NULL) { + return TM_ECODE_FAILED; + } + + const char *name; + switch (al->proto) { + case ALPROTO_HTTP2: + // special case + name = "http"; + break; + case ALPROTO_FTPDATA: + // underscore instead of dash + name = "ftp_data"; + break; + case ALPROTO_BITTORRENT_DHT: + // underscore instead of dash + name = "bittorrent_dht"; + break; + default: + name = AppProtoToString(al->proto); + } + JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, name, NULL, thread->ctx); + if (unlikely(js == NULL)) { + return TM_ECODE_FAILED; + } + + if (!al->LogTx(tx, js)) { + goto error; + } + + OutputJsonBuilderBuffer(js, thread); + jb_free(js); + + return TM_ECODE_OK; + +error: + jb_free(js); + return TM_ECODE_FAILED; +} + +static OutputInitResult OutputBitTorrentDHTLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_BITTORRENT_DHT); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputRdpLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RDP); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputRFBLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_RFB); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputTemplateLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TEMPLATE); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputSIPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SIP); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputSNMPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_SNMP); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputQuicLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_QUIC); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputKRB5LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_KRB5); + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_KRB5); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputModbusLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_MODBUS); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputFTPLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_FTP); + return OutputJsonLogInitSub(conf, parent_ctx); +} + +static OutputInitResult OutputFTPDataLogInitSub(ConfNode *conf, OutputCtx *parent_ctx) +{ + AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_FTPDATA); + return OutputJsonLogInitSub(conf, parent_ctx); +} + /** * \brief Register all non-root logging modules. */ @@ -1058,13 +1179,17 @@ void OutputRegisterLoggers(void) /* http log */ LogHttpLogRegister(); JsonHttpLogRegister(); - JsonHttp2LogRegister(); + OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_TX, "eve-log", "LogHttp2Log", "eve-log.http2", + OutputHttp2LogInitSub, ALPROTO_HTTP2, JsonGenericLogger, HTTP2StateClosed, + HTTP2StateClosed, JsonLogThreadInit, JsonLogThreadDeinit, NULL); /* tls log */ LogTlsLogRegister(); JsonTlsLogRegister(); LogTlsStoreRegister(); /* ssh */ - JsonSshLogRegister(); + OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_TX, "eve-log", "JsonSshLog", "eve-log.ssh", + OutputSshLogInitSub, ALPROTO_SSH, JsonGenericLogger, SSHTxLogCondition, + JsonLogThreadInit, JsonLogThreadDeinit, NULL); /* pcap log */ PcapLogRegister(); /* file log */ @@ -1073,7 +1198,11 @@ void OutputRegisterLoggers(void) /* dns */ JsonDnsLogRegister(); /* modbus */ - JsonModbusLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonModbusLog", "eve-log.modbus", + OutputModbusLogInitSub, ALPROTO_MODBUS, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + + SCLogDebug("modbus json logger registered."); /* tcp streaming data */ LogTcpDataLogRegister(); /* log stats */ @@ -1094,39 +1223,78 @@ void OutputRegisterLoggers(void) /* NFS JSON logger. */ JsonNFSLogRegister(); /* TFTP JSON logger. */ - JsonTFTPLogRegister(); - /* FTP JSON logger. */ - JsonFTPLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTFTPLog", "eve-log.tftp", + OutputTFTPLogInitSub, ALPROTO_TFTP, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + + SCLogDebug("TFTP JSON logger registered."); + /* FTP and FTP-DATA JSON loggers. */ + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonFTPLog", "eve-log.ftp", + OutputFTPLogInitSub, ALPROTO_FTP, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonFTPLog", "eve-log.ftp", + OutputFTPDataLogInitSub, ALPROTO_FTPDATA, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + SCLogDebug("FTP JSON logger registered."); + /* SMB JSON logger. */ JsonSMBLogRegister(); /* IKE JSON logger. */ JsonIKELogRegister(); /* KRB5 JSON logger. */ - JsonKRB5LogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonKRB5Log", "eve-log.krb5", + OutputKRB5LogInitSub, ALPROTO_KRB5, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + + SCLogDebug("KRB5 JSON logger registered."); /* QUIC JSON logger. */ - JsonQuicLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonQuicLog", "eve-log.quic", + OutputQuicLogInitSub, ALPROTO_QUIC, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + + SCLogDebug("quic json logger registered."); /* DHCP JSON logger. */ JsonDHCPLogRegister(); /* SNMP JSON logger. */ - JsonSNMPLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSNMPLog", "eve-log.snmp", + OutputSNMPLogInitSub, ALPROTO_SNMP, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + + SCLogDebug("SNMP JSON logger registered."); /* SIP JSON logger. */ - JsonSIPLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonSIPLog", "eve-log.sip", + OutputSIPLogInitSub, ALPROTO_SIP, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + + SCLogDebug("SIP JSON logger registered."); /* RFB JSON logger. */ - JsonRFBLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRFBLog", "eve-log.rfb", + OutputRFBLogInitSub, ALPROTO_RFB, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); /* MQTT JSON logger. */ JsonMQTTLogRegister(); /* Pgsql JSON logger. */ JsonPgsqlLogRegister(); /* Template JSON logger. */ - JsonTemplateLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonTemplateLog", "eve-log.template", + OutputTemplateLogInitSub, ALPROTO_TEMPLATE, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); /* RDP JSON logger. */ - JsonRdpLogRegister(); + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonRdpLog", "eve-log.rdp", + OutputRdpLogInitSub, ALPROTO_RDP, JsonGenericLogger, JsonLogThreadInit, + JsonLogThreadDeinit, NULL); + SCLogDebug("rdp json logger registered."); /* DCERPC JSON logger. */ JsonDCERPCLogRegister(); /* app layer frames */ JsonFrameLogRegister(); /* BitTorrent DHT JSON logger */ - JsonBitTorrentDHTLogRegister(); + if (ConfGetNode("app-layer.protocols.bittorrent-dht") != NULL) { + /* Register as an eve sub-module. */ + OutputRegisterTxSubModule(LOGGER_JSON_TX, "eve-log", "JsonBitTorrentDHTLog", + "eve-log.bittorrent-dht", OutputBitTorrentDHTLogInitSub, ALPROTO_BITTORRENT_DHT, + JsonGenericLogger, JsonLogThreadInit, JsonLogThreadDeinit, NULL); + } } static EveJsonSimpleAppLayerLogger simple_json_applayer_loggers[ALPROTO_MAX] = { @@ -1164,10 +1332,10 @@ static EveJsonSimpleAppLayerLogger simple_json_applayer_loggers[ALPROTO_MAX] = { { ALPROTO_HTTP2, rs_http2_log_json }, { ALPROTO_BITTORRENT_DHT, rs_bittorrent_dht_logger_log }, { ALPROTO_HTTP, NULL }, // signature protocol, not for app-layer logging - { ALPROTO_FAILED, NULL }, #ifdef UNITTESTS { ALPROTO_TEST, NULL }, #endif /* UNITESTS */ + { ALPROTO_MAX_STATIC, NULL }, }; EveJsonSimpleAppLayerLogger *SCEveJsonSimpleGetLogger(AppProto alproto) @@ -1178,3 +1346,11 @@ EveJsonSimpleAppLayerLogger *SCEveJsonSimpleGetLogger(AppProto alproto) } return NULL; } + +void RegisterAppProtoAppLayerLogger(AppProto alproto, EveJsonSimpleTxLogFunc log) +{ + if (alproto < ALPROTO_MAX) { + simple_json_applayer_loggers[alproto].proto = alproto; + simple_json_applayer_loggers[alproto].LogTx = log; + } +} diff --git a/src/output.h b/src/output.h index 815b2f20ed73..33eda482d1ac 100644 --- a/src/output.h +++ b/src/output.h @@ -216,5 +216,6 @@ typedef struct EveJsonSimpleAppLayerLogger { } EveJsonSimpleAppLayerLogger; EveJsonSimpleAppLayerLogger *SCEveJsonSimpleGetLogger(AppProto alproto); +void RegisterAppProtoAppLayerLogger(AppProto alproto, EveJsonSimpleTxLogFunc log); #endif /* ! __OUTPUT_H__ */ diff --git a/src/suricata-plugin.h b/src/suricata-plugin.h index 3296b51397b8..bb73c1ea35fd 100644 --- a/src/suricata-plugin.h +++ b/src/suricata-plugin.h @@ -74,4 +74,16 @@ typedef struct SCCapturePlugin_ { int SCPluginRegisterCapture(SCCapturePlugin *); +typedef struct SCAppLayerPlugin_ { + char *name; + char *logname; + char *confname; + void (*Register)(void); + bool (*Logger)(void *tx, void *jb); + void (*KeywordsRegister)(void); + uint32_t keywords_nb; +} SCAppLayerPlugin; + +int SCPluginRegisterAppLayer(SCAppLayerPlugin *); + #endif /* __SURICATA_PLUGIN_H */ diff --git a/src/suricata.c b/src/suricata.c index ffa970ae7297..2543fb2a4b34 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -385,6 +385,7 @@ static void GlobalsDestroy(SCInstance *suri) FeatureTrackingRelease(); SCProtoNameRelease(); TimeDeinit(); + SigTableCleanup(); TmqhCleanup(); TmModuleRunDeInit(); ParseSizeDeinit(); @@ -2673,6 +2674,9 @@ int PostConfLoadedSetup(SCInstance *suri) RunModeEngineIsIPS( suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name); +#ifdef HAVE_PLUGINS + SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args); +#endif if (EngineModeIsUnknown()) { // if still uninitialized, set the default SCLogInfo("Setting engine mode to IDS mode by default"); @@ -2740,9 +2744,6 @@ int PostConfLoadedSetup(SCInstance *suri) FeatureTrackingRegister(); /* must occur prior to output mod registration */ RegisterAllModules(); -#ifdef HAVE_PLUGINS - SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args); -#endif AppLayerHtpNeedFileInspection(); StorageFinalize(); diff --git a/src/util-plugin.c b/src/util-plugin.c index 3a08aa8876ad..182f3da9ff77 100644 --- a/src/util-plugin.c +++ b/src/util-plugin.c @@ -22,6 +22,7 @@ #include "output-eve-syslog.h" #include "util-plugin.h" #include "util-debug.h" +#include "app-layer-protos.h" #ifdef HAVE_PLUGINS @@ -211,4 +212,32 @@ SCCapturePlugin *SCPluginFindCaptureByName(const char *name) } return plugin; } + +#ifdef ALPROTO_DYNAMIC_NB +static SCAppLayerPlugin *app_layer_plugins[ALPROTO_DYNAMIC_NB]; +static size_t app_layer_plugins_nb = 0; +#endif + +int SCPluginRegisterAppLayer(SCAppLayerPlugin *plugin) +{ +#ifdef ALPROTO_DYNAMIC_NB + if (app_layer_plugins_nb < ALPROTO_DYNAMIC_NB) { + app_layer_plugins[app_layer_plugins_nb] = plugin; + RegisterAppProtoString((AppProto)(ALPROTO_MAX_STATIC + app_layer_plugins_nb), plugin->name); + app_layer_plugins_nb++; + return 0; + } +#endif + return 1; +} + +SCAppLayerPlugin *SCPluginFindAppLayerByIndex(size_t i) +{ +#ifdef ALPROTO_DYNAMIC_NB + if (i < ALPROTO_DYNAMIC_NB) { + return app_layer_plugins[i]; + } +#endif + return NULL; +} #endif diff --git a/src/util-plugin.h b/src/util-plugin.h index c958f2d79ccd..d187a25f1203 100644 --- a/src/util-plugin.h +++ b/src/util-plugin.h @@ -26,4 +26,6 @@ SCCapturePlugin *SCPluginFindCaptureByName(const char *name); bool RegisterPlugin(SCPlugin *, void *); +SCAppLayerPlugin *SCPluginFindAppLayerByIndex(size_t i); + #endif /* __UTIL_PLUGIN_H__ */