json-vars: rename to metadata and use new metadata format

pull/3201/head
Jason Ish 8 years ago committed by Victor Julien
parent a23d54ce3e
commit 34811cf69e

@ -63,7 +63,7 @@
#include "util-buffer.h"
#include "util-crypt.h"
#define MODULE_NAME "JsonVarsLog"
#define MODULE_NAME "JsonMetadataLog"
#ifdef HAVE_LIBJANSSON
@ -82,13 +82,13 @@ typedef struct JsonVarsLogThread_ {
static int VarsJson(ThreadVars *tv, JsonVarsLogThread *aft, const Packet *p)
{
json_t *js = CreateJSONHeader((Packet *)p, 0, "vars");
json_t *js = CreateJSONHeader((Packet *)p, 0, "metadata");
if (unlikely(js == NULL))
return TM_ECODE_OK;
JsonAddVars(p, p->flow, js);
JsonAddMetadata(p, p->flow, js);
OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
json_object_del(js, "vars");
json_object_del(js, "metadata");
json_object_clear(js);
json_decref(js);
@ -177,7 +177,7 @@ static void JsonVarsLogDeInitCtxSub(OutputCtx *output_ctx)
SCFree(output_ctx);
}
#define DEFAULT_LOG_FILENAME "vars.json"
#define DEFAULT_LOG_FILENAME "metadata.json"
/**
* \brief Create a new LogFileCtx for "fast" output style.
@ -266,10 +266,21 @@ error:
void JsonVarsLogRegister (void)
{
OutputRegisterPacketModule(LOGGER_JSON_VARS, MODULE_NAME, "vars-json-log",
JsonVarsLogInitCtx, JsonVarsLogger, JsonVarsLogCondition,
JsonVarsLogThreadInit, JsonVarsLogThreadDeinit, NULL);
OutputRegisterPacketSubModule(LOGGER_JSON_VARS, "eve-log", MODULE_NAME,
OutputRegisterPacketModule(LOGGER_JSON_METADATA, MODULE_NAME,
"metadata-json-log", JsonVarsLogInitCtx, JsonVarsLogger,
JsonVarsLogCondition, JsonVarsLogThreadInit,
JsonVarsLogThreadDeinit, NULL);
OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME,
"eve-log.metadata", JsonVarsLogInitCtxSub, JsonVarsLogger,
JsonVarsLogCondition, JsonVarsLogThreadInit, JsonVarsLogThreadDeinit,
NULL);
/* Kept for compatibility. */
OutputRegisterPacketModule(LOGGER_JSON_METADATA, MODULE_NAME,
"vars-json-log", JsonVarsLogInitCtx, JsonVarsLogger,
JsonVarsLogCondition, JsonVarsLogThreadInit, JsonVarsLogThreadDeinit,
NULL);
OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME,
"eve-log.vars", JsonVarsLogInitCtxSub, JsonVarsLogger,
JsonVarsLogCondition, JsonVarsLogThreadInit, JsonVarsLogThreadDeinit,
NULL);
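Review bot: The `/* Kept for compatibility. */` comment over the second pair of registrations overstates what is preserved: the old `vars-json-log` / `eve-log.vars` config keys still resolve, but they now run the same `JsonVarsLogger` that emits `event_type` "metadata" (per the `CreateJSONHeader` change earlier in this file) and, per the removed comment in output-json.c, `flowbits` becomes an array of strings instead of the boolean map the old `JsonAddFlowvars` produced, so existing consumers of the "vars" schema will break silently. I would make the comment say so, e.g. `/* Old "vars" config names kept so existing configs still load; the output is the new "metadata" event, not the old "vars" schema. */`, and consider a one-time SCLogWarning when the legacy key is used so operators know to update parsers. Presumably both key pairs also register under the same `LOGGER_JSON_METADATA` id and `MODULE_NAME`, so a config that enables both `vars` and `metadata` may log each event twice; worth confirming against the output registration code. `JsonVarsLogRegister` closes outside this hunk.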

@ -155,13 +155,10 @@ static void JsonAddPacketvars(const Packet *p, json_t *js_vars)
}
/**
* \brief "New" Add flow variables to a json object.
* \brief Add flow variables to a json object.
*
* Adds "flowvars" (map), "flowints" (map) and "flowbits" (array) to
* the json object provided as js_root.
*
* This is the "new" method for doing this as flowbits is an array of
* strings instead of a map of boolean values.
*/
static void JsonAddFlowVars(const Flow *f, json_t *js_root)
{
@ -259,115 +256,6 @@ static void JsonAddFlowVars(const Flow *f, json_t *js_root)
}
}
static void JsonAddFlowvars(const Flow *f, json_t *js_vars)
{
if (f == NULL || f->flowvar == NULL) {
return;
}
json_t *js_flowvars = NULL;
json_t *js_flowints = NULL;
json_t *js_flowbits = NULL;
GenericVar *gv = f->flowvar;
while (gv != NULL) {
if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
FlowVar *fv = (FlowVar *)gv;
if (fv->datatype == FLOWVAR_TYPE_STR && fv->key == NULL) {
const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_VAR);
if (varname) {
if (js_flowvars == NULL) {
js_flowvars = json_object();
if (js_flowvars == NULL)
break;
}
uint32_t len = fv->data.fv_str.value_len;
uint8_t printable_buf[len + 1];
uint32_t offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
fv->data.fv_str.value, fv->data.fv_str.value_len);
json_object_set_new(js_flowvars, varname,
json_string((char *)printable_buf));
}
} else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
if (js_flowvars == NULL) {
js_flowvars = json_object();
if (js_flowvars == NULL)
break;
}
uint8_t keybuf[fv->keylen + 1];
uint32_t offset = 0;
PrintStringsToBuffer(keybuf, &offset,
sizeof(keybuf),
fv->key, fv->keylen);
uint32_t len = fv->data.fv_str.value_len;
uint8_t printable_buf[len + 1];
offset = 0;
PrintStringsToBuffer(printable_buf, &offset,
sizeof(printable_buf),
fv->data.fv_str.value, fv->data.fv_str.value_len);
json_object_set_new(js_flowvars, (const char *)keybuf,
json_string((char *)printable_buf));
} else if (fv->datatype == FLOWVAR_TYPE_INT) {
const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_INT);
if (varname) {
if (js_flowints == NULL) {
js_flowints = json_object();
if (js_flowints == NULL)
break;
}
json_object_set_new(js_flowints, varname, json_integer(fv->data.fv_int.value));
}
}
} else if (gv->type == DETECT_FLOWBITS) {
FlowBit *fb = (FlowBit *)gv;
const char *varname = VarNameStoreLookupById(fb->idx, VAR_TYPE_FLOW_BIT);
if (varname) {
if (js_flowbits == NULL) {
js_flowbits = json_object();
if (js_flowbits == NULL)
break;
}
json_object_set_new(js_flowbits, varname, json_boolean(1));
}
}
gv = gv->next;
}
if (js_flowbits) {
json_object_set_new(js_vars, "flowbits", js_flowbits);
}
if (js_flowints) {
json_object_set_new(js_vars, "flowints", js_flowints);
}
if (js_flowvars) {
json_object_set_new(js_vars, "flowvars", js_flowvars);
}
}
void JsonAddVars(const Packet *p, const Flow *f, json_t *js)
{
if ((p && p->pktvar) || (f && f->flowvar)) {
json_t *js_vars = json_object();
if (js_vars) {
if (f && f->flowvar) {
JsonAddFlowvars(f, js_vars);
}
if (p && p->pktvar) {
JsonAddPacketvars(p, js_vars);
}
json_object_set_new(js, "vars", js_vars);
}
}
}
/**
* \brief Add top-level metadata to the eve json object.
*/

@ -40,7 +40,6 @@ typedef struct OutputJSONMemBufferWrapper_ {
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
void JsonAddVars(const Packet *p, const Flow *f, json_t *js);
void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js);
void CreateJSONFlowId(json_t *js, const Flow *f);
void JsonTcpFlags(uint8_t flags, json_t *js);

@ -431,7 +431,7 @@ typedef enum {
LOGGER_JSON_STATS,
LOGGER_PRELUDE,
LOGGER_PCAP,
LOGGER_JSON_VARS,
LOGGER_JSON_METADATA,
LOGGER_SIZE,
} LoggerId;

@ -1265,7 +1265,7 @@ const char * PacketProfileLoggertIdToString(LoggerId id)
CASE_CODE (LOGGER_JSON_STATS);
CASE_CODE (LOGGER_PRELUDE);
CASE_CODE (LOGGER_PCAP);
CASE_CODE (LOGGER_JSON_VARS);
CASE_CODE (LOGGER_JSON_METADATA);
default:
return "UNKNOWN";
}

@ -253,8 +253,11 @@ outputs:
- flow
# uni-directional flows
#- netflow
# Vars log flowbits and other packet and flow vars
#- vars
# Metadata event type. Triggered whenever a pktvar is saved
# and will include the pktvars, flowvars, flowbits and
# flowints.
#- metadata
# alert output for use with Barnyard2
- unified2-alert:
