aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f80d26db0b'
${ noResults }
suricata/examples/plugins/c-json-filetype
History
Jason Ish d2b25af3f4 examples: add an example plugin of an eve filetype 
This is an example of what adding plugin examples to the Suricata repo
could look like.

This plugin is an example plugin for an EVE filetype. It could be
extended to support outputs like Redis, syslog, etc.

There is one issue with adding plugins like this to an autotools
project, the project can't be built with --disable-shared, which is
more of an autotools limitation, and not really a Suricata issue.
Suricata built with --disable-shared will load plugins just fine.

Note that the examples directory was added as DIST_SUBDIRS as we don't
want normal builds to recurse into it and attempt to build the plugin,
its just an example, but we still need to keep distcheck happy.
 		1 year ago
..
.gitignore
Makefile.am
Makefile.example
README.md
filetype.c

README.md

Example EVE Filetype Plugin

Building

If in the Suricata source directory, this plugin can be built by running make and installed with make install.

Note that Suricata must have been built without --disable-shared.

Building Standalone

The file Makefile.example is an example of how you might build a plugin that is distributed separately from the Suricata source code.

It has the following dependencies:

  • Suricata is installed
  • The Suricata library is installed: make install-library
  • The Suricata development headers are installed: make install-headers
  • The program libsuricata-config is in your path (installed with make install-library)

The run: make -f Makefile.example

Before building this plugin you will need to build and install Suricata from the git master branch and install the development tools and headers:

  • make install-library
  • make install-headers

then make sure the newly installed tool libsuricata-config can be found in your path, for example:

libsuricata-config --cflags

Then a simple make should build this plugin.

Or if the Suricata installation is not in the path, a command like the following can be used:

PATH=/opt/suricata/bin:$PATH make

Usage

To run the plugin, first add the path to the plugin you just compiled to your suricata.yaml, for example:

plugins:
  - /usr/lib/suricata/plugins/json-filetype.so

Then add an output for the plugin:

outputs:
  - eve-log:
      enabled: yes
      filetype: json-filetype-plugin
      threaded: true
      types:
        - dns
        - tls
        - http

In the example above we use the name specified in the plugin as the filetype and specify that all dns, tls and http log entries should be sent to the plugin.

Details

This plugin demonstrates a Suricata JSON/EVE output plugin (file-type). The idea of a Suricata EVE output plugin is to provide a file like interface for the handling of rendered JSON logs. This is useful for custom destinations not builtin to Suricata or if the formatted JSON requires some post-processing.

Note: EVE output plugins are not that useful just for reformatting the JSON output as the plugin does need to handle writing to a file once the file type has been delegated to the plugin.

Registering a Plugin

All Suricata plugins make themselves known to Suricata by using a function named SCPluginRegister which is called after Suricata loads the plugin shared object file. This function must return a SCPlugin struct which contains basic information about the plugin. For example:

const SCPlugin PluginRegistration = {
    .name = "eve-filetype",
    .author = "Jason Ish",
    .license = "GPLv2",
    .Init = TemplateInit,
};

const SCPlugin *SCPluginRegister() {
    return &PluginRegistration;
}

Initializing a Plugin

After the plugin has been registered, the Init callback will be called. This is where the plugin will set itself up as a specific type of plugin such as an EVE output, or a capture method.

This plugins registers itself as an EVE file type using the SCRegisterEveFileType struct. To register as an EVE file type the following must be provided:

  • name: This is the name of the output which will be used in the eve filetype field in suricata.yaml to enable this output.
  • Init: The callback called when the output is "opened".
  • Deinit: The callback called the output is "closed".
  • ThreadInit: Callback called to initialize per thread data (if threaded).
  • ThreadDeinit: Callback called to deinitialize per thread data (if threaded).
  • Write: The callback called when an EVE record is to be "written".

Please see the code in filetype.c for more details about this functions.