aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

eve: revert ethernet addresses when needed

Browse Source 
EVE logging has a direction parameter that can cause the logging
of an application layer to be done in a direction that is not linked
to the packet. As a result the source IP addres could be assigned the
MAC address of the destination IP and reverse.

This patch addresses this by propagating the direction to the ethernet
logging function and using it there to define the correct mapping.

Issue #6405
pull/11214/head
Eric Leblond 1 year ago committed by Victor Julien
parent a8217d288a
commit 21916b9743
4 changed files with 51 additions and 15 deletions
Show Stats Download Patch File Download Diff File

2
src/output-json-flow.c
Unescape Escape View File

@ -281,7 +281,7 @@ static void EveFlowLogJSON(OutputJsonThreadCtx *aft, JsonBuilder *jb, Flow *f)
/* Close flow. */ /* Close flow. */
jb_close(jb); jb_close(jb);
EveAddCommonOptions(&aft->ctx->cfg, NULL, f, jb); EveAddCommonOptions(&aft->ctx->cfg, NULL, f, jb, LOG_DIR_FLOW);
/* TCP */ /* TCP */
if (f->proto == IPPROTO_TCP) { if (f->proto == IPPROTO_TCP) {

4
src/output-json-netflow.c
Unescape Escape View File

@ -275,7 +275,7 @@ static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
if (unlikely(jb == NULL)) if (unlikely(jb == NULL))
return TM_ECODE_OK; return TM_ECODE_OK;
NetFlowLogEveToServer(jb, f); NetFlowLogEveToServer(jb, f);
EveAddCommonOptions(&jhl->ctx->cfg, NULL, f, jb); EveAddCommonOptions(&jhl->ctx->cfg, NULL, f, jb, LOG_DIR_FLOW_TOSERVER);
OutputJsonBuilderBuffer(jb, jhl); OutputJsonBuilderBuffer(jb, jhl);
jb_free(jb); jb_free(jb);
@ -285,7 +285,7 @@ static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
if (unlikely(jb == NULL)) if (unlikely(jb == NULL))
return TM_ECODE_OK; return TM_ECODE_OK;
NetFlowLogEveToClient(jb, f); NetFlowLogEveToClient(jb, f);
EveAddCommonOptions(&jhl->ctx->cfg, NULL, f, jb); EveAddCommonOptions(&jhl->ctx->cfg, NULL, f, jb, LOG_DIR_FLOW_TOCLIENT);
OutputJsonBuilderBuffer(jb, jhl); OutputJsonBuilderBuffer(jb, jhl);
jb_free(jb); jb_free(jb);
} }

52
src/output-json.c
Unescape Escape View File

@ -70,7 +70,8 @@
static void OutputJsonDeInitCtx(OutputCtx *); static void OutputJsonDeInitCtx(OutputCtx *);
static void CreateEveCommunityFlowId(JsonBuilder *js, const Flow *f, const uint16_t seed); static void CreateEveCommunityFlowId(JsonBuilder *js, const Flow *f, const uint16_t seed);
static int CreateJSONEther(JsonBuilder *parent, const Packet *p, const Flow *f); static int CreateJSONEther(
JsonBuilder *parent, const Packet *p, const Flow *f, enum OutputJsonLogDirection dir);
static const char *TRAFFIC_ID_PREFIX = "traffic/id/"; static const char *TRAFFIC_ID_PREFIX = "traffic/id/";
static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/"; static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
@ -404,14 +405,14 @@ void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
} }
} }
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
const Packet *p, const Flow *f, JsonBuilder *js) JsonBuilder *js, enum OutputJsonLogDirection dir)
{ {
if (cfg->include_metadata) { if (cfg->include_metadata) {
EveAddMetadata(p, f, js); EveAddMetadata(p, f, js);
} }
if (cfg->include_ethernet) { if (cfg->include_ethernet) {
CreateJSONEther(js, p, f); CreateJSONEther(js, p, f, dir);
} }
if (cfg->include_community_id && f != NULL) { if (cfg->include_community_id && f != NULL) {
CreateEveCommunityFlowId(js, f, cfg->community_id_seed); CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
@ -735,15 +736,43 @@ static int MacSetIterateToJSON(uint8_t *val, MacSetSide side, void *data)
return 0; return 0;
} }
static int CreateJSONEther(JsonBuilder *js, const Packet *p, const Flow *f) static int CreateJSONEther(
JsonBuilder *js, const Packet *p, const Flow *f, enum OutputJsonLogDirection dir)
{ {
if (p != NULL) { if (p != NULL) {
/* this is a packet context, so we need to add scalar fields */ /* this is a packet context, so we need to add scalar fields */
if (PacketIsEthernet(p)) { if (PacketIsEthernet(p)) {
const EthernetHdr *ethh = PacketGetEthernet(p); const EthernetHdr *ethh = PacketGetEthernet(p);
jb_open_object(js, "ether"); jb_open_object(js, "ether");
const uint8_t *src = ethh->eth_src; const uint8_t *src;
const uint8_t *dst = ethh->eth_dst; const uint8_t *dst;
switch (dir) {
case LOG_DIR_FLOW_TOSERVER:
// fallthrough
case LOG_DIR_FLOW:
if (PKT_IS_TOCLIENT(p)) {
src = ethh->eth_dst;
dst = ethh->eth_src;
} else {
src = ethh->eth_src;
dst = ethh->eth_dst;
}
break;
case LOG_DIR_FLOW_TOCLIENT:
if (PKT_IS_TOSERVER(p)) {
src = ethh->eth_dst;
dst = ethh->eth_src;
} else {
src = ethh->eth_src;
dst = ethh->eth_dst;
}
break;
case LOG_DIR_PACKET:
default:
src = ethh->eth_src;
dst = ethh->eth_dst;
break;
}
JSONFormatAndAddMACAddr(js, "src_mac", src, false); JSONFormatAndAddMACAddr(js, "src_mac", src, false);
JSONFormatAndAddMACAddr(js, "dest_mac", dst, false); JSONFormatAndAddMACAddr(js, "dest_mac", dst, false);
jb_close(js); jb_close(js);
@ -767,8 +796,15 @@ static int CreateJSONEther(JsonBuilder *js, const Packet *p, const Flow *f)
} }
jb_close(info.dst); jb_close(info.dst);
jb_close(info.src); jb_close(info.src);
/* case is handling netflow too so may need to revert */
if (dir == LOG_DIR_FLOW_TOCLIENT) {
jb_set_object(js, "dest_macs", info.src);
jb_set_object(js, "src_macs", info.dst);
} else {
DEBUG_VALIDATE_BUG_ON(dir != LOG_DIR_FLOW_TOSERVER && dir != LOG_DIR_FLOW);
jb_set_object(js, "dest_macs", info.dst); jb_set_object(js, "dest_macs", info.dst);
jb_set_object(js, "src_macs", info.src); jb_set_object(js, "src_macs", info.src);
}
jb_free(info.dst); jb_free(info.dst);
jb_free(info.src); jb_free(info.src);
jb_close(js); jb_close(js);
@ -867,7 +903,7 @@ JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir,
jb_set_string(js, "pkt_src", PktSrcToString(p->pkt_src)); jb_set_string(js, "pkt_src", PktSrcToString(p->pkt_src));
if (eve_ctx != NULL) { if (eve_ctx != NULL) {
EveAddCommonOptions(&eve_ctx->cfg, p, f, js); EveAddCommonOptions(&eve_ctx->cfg, p, f, js, dir);
} }
return js; return js;

4
src/output-json.h
Unescape Escape View File

@ -110,8 +110,8 @@ OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx);
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data); TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data);
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data); TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data);
void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
const Packet *p, const Flow *f, JsonBuilder *js); JsonBuilder *js, enum OutputJsonLogDirection dir);
void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js); void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js);
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data); int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);

Write Preview
Loading…
Cancel
Save