From 6231ffc110dcc4b05186e6f49877082c4606faf5 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Thu, 10 Aug 2017 14:21:56 +0200 Subject: [PATCH] output-json-dns: add json logging functions This adds some public functions needed to add dns information when an alert is logged. --- src/output-json-dns.c | 96 +++++++++++++++++++++++++++++++++++-------- src/output-json-dns.h | 7 ++++ 2 files changed, 86 insertions(+), 17 deletions(-) diff --git a/src/output-json-dns.c b/src/output-json-dns.c index dca4c7fff9..251e704bd1 100644 --- a/src/output-json-dns.c +++ b/src/output-json-dns.c @@ -438,6 +438,23 @@ static json_t *OutputQuery(DNSTransaction *tx, uint64_t tx_id, DNSQueryEntry *en return djs; } +json_t *JsonDNSLogQuery(DNSTransaction *tx, uint64_t tx_id) +{ + DNSQueryEntry *entry = NULL; + json_t *queryjs = json_array(); + if (queryjs == NULL) + return NULL; + + TAILQ_FOREACH(entry, &tx->query_list, next) { + json_t *qjs = OutputQuery(tx, tx_id, entry); + if (qjs != NULL) { + json_array_append_new(queryjs, qjs); + } + } + + return queryjs; +} + static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, uint64_t tx_id, DNSQueryEntry *entry) { @@ -797,16 +814,20 @@ static void OutputAnswerV1(LogDnsLogThread *aft, json_t *djs, return; } -static void OutputAnswerV2(LogDnsLogThread *aft, json_t *djs, - DNSTransaction *tx, DNSAnswerEntry *entry) +static json_t *BuildAnswer(DNSTransaction *tx, DNSAnswerEntry *entry, + uint64_t tx_id, uint64_t flags, + DnsVersion version) { - if (!DNSRRTypeEnabled(entry->type, aft->dnslog_ctx->flags)) { - return; - } - json_t *js = json_object(); if (js == NULL) - return; + return NULL; + + /* version */ + if (version == DNS_VERSION_2) { + json_object_set_new(js, "version", json_integer(DNS_VERSION_2)); + } else { + json_object_set_new(js, "version", json_integer(DNS_VERSION_1)); + } /* type */ json_object_set_new(js, "type", json_string("answer")); @@ -814,32 +835,73 @@ static void OutputAnswerV2(LogDnsLogThread *aft, json_t *djs, /* id */ json_object_set_new(js, "id", json_integer(tx->tx_id)); + /* flags */ + char dns_flags[7] = ""; + snprintf(dns_flags, sizeof(dns_flags), "%4x", tx->flags); + json_object_set_new(js, "flags", json_string(dns_flags)); + if (tx->flags & 0x8000) + json_object_set_new(js, "qr", json_true()); + if (tx->flags & 0x0400) + json_object_set_new(js, "aa", json_true()); + if (tx->flags & 0x0200) + json_object_set_new(js, "tc", json_true()); + if (tx->flags & 0x0100) + json_object_set_new(js, "rd", json_true()); + if (tx->flags & 0x0080) + json_object_set_new(js, "ra", json_true()); + /* rcode */ char rcode[16] = ""; DNSCreateRcodeString(tx->rcode, rcode, sizeof(rcode)); json_object_set_new(js, "rcode", json_string(rcode)); - if (aft->dnslog_ctx->flags & LOG_FORMAT_DETAILED) { + if (flags & LOG_FORMAT_DETAILED) { json_t *jarray = json_array(); - if (jarray == NULL) - return; + if (jarray == NULL) { + json_decref(js); + return NULL; + } OutputAnswerDetailed(entry, jarray); json_object_set_new(js, "answers", jarray); } - if (aft->dnslog_ctx->flags & LOG_FORMAT_GROUPED) { + if (flags & LOG_FORMAT_GROUPED) { OutputAnswerGrouped(entry, js); } - /* reset */ - MemBufferReset(aft->buffer); - json_object_set_new(djs, "dns", js); - OutputJSONBuffer(djs, aft->dnslog_ctx->file_ctx, &aft->buffer); - json_object_del(djs, "dns"); + return js; +} - return; +static void OutputAnswerV2(LogDnsLogThread *aft, json_t *djs, + DNSTransaction *tx, DNSAnswerEntry *entry) +{ + if (!DNSRRTypeEnabled(entry->type, aft->dnslog_ctx->flags)) { + return; + } + + json_t *dnsjs = BuildAnswer(tx, entry, tx->tx_id, aft->dnslog_ctx->flags, + aft->dnslog_ctx->version); + if (dnsjs != NULL) { + /* reset */ + MemBufferReset(aft->buffer); + json_object_set_new(djs, "dns", dnsjs); + OutputJSONBuffer(djs, aft->dnslog_ctx->file_ctx, &aft->buffer); + } } + +json_t *JsonDNSLogAnswer(DNSTransaction *tx, uint64_t tx_id) +{ + DNSAnswerEntry *entry = TAILQ_FIRST(&tx->answer_list); + json_t *js = NULL; + + if (entry) { + js = BuildAnswer(tx, entry, tx_id, LOG_FORMAT_DETAILED, DNS_VERSION_2); + } + + return js; +} + #endif #ifndef HAVE_RUST diff --git a/src/output-json-dns.h b/src/output-json-dns.h index 9c3e880115..1d3bddff73 100644 --- a/src/output-json-dns.h +++ b/src/output-json-dns.h @@ -26,4 +26,11 @@ void JsonDnsLogRegister(void); +#ifdef HAVE_LIBJANSSON +#include "app-layer-dns-common.h" + +json_t *JsonDNSLogQuery(DNSTransaction *tx, uint64_t tx_id) __attribute__((nonnull)); +json_t *JsonDNSLogAnswer(DNSTransaction *tx, uint64_t tx_id) __attribute__((nonnull)); +#endif + #endif /* __OUTPUT_JSON_DNS_H__ */