DNP3: Log DNP3 info with DNP3 alert.

Jason Ish 10 years ago committed by Victor Julien
parent 1c3f373543
commit 44a69f6355

@ -44,6 +44,7 @@
#include "detect-engine-mpm.h"
#include "detect-reference.h"
#include "app-layer-parser.h"
#include "app-layer-dnp3.h"
#include "app-layer-htp.h"
#include "app-layer-htp-xff.h"
#include "util-classification-config.h"
@ -52,6 +53,7 @@
#include "output.h"
#include "output-json.h"
#include "output-json-dnp3.h"
#include "output-json-http.h"
#include "output-json-tls.h"
#include "output-json-ssh.h"
@ -70,20 +72,21 @@
#ifdef HAVE_LIBJANSSON
#define LOG_JSON_PAYLOAD 0x01
#define LOG_JSON_PACKET 0x02
#define LOG_JSON_PAYLOAD_BASE64 0x04
#define LOG_JSON_HTTP 0x08
#define LOG_JSON_TLS 0x10
#define LOG_JSON_SSH 0x20
#define LOG_JSON_SMTP 0x40
#define LOG_JSON_TAGGED_PACKETS 0x80
#define LOG_JSON_PAYLOAD 0x001
#define LOG_JSON_PACKET 0x002
#define LOG_JSON_PAYLOAD_BASE64 0x004
#define LOG_JSON_HTTP 0x008
#define LOG_JSON_TLS 0x010
#define LOG_JSON_SSH 0x020
#define LOG_JSON_SMTP 0x040
#define LOG_JSON_TAGGED_PACKETS 0x080
#define LOG_JSON_DNP3 0x100
#define JSON_STREAM_BUFFER_SIZE 4096
typedef struct AlertJsonOutputCtx_ {
LogFileCtx* file_ctx;
uint8_t flags;
uint16_t flags;
uint32_t payload_buffer_size;
HttpXFFCfg *xff_cfg;
} AlertJsonOutputCtx;
@ -139,6 +142,42 @@ static void AlertJsonSsh(const Flow *f, json_t *js)
return;
}
static void AlertJsonDnp3(const Flow *f, json_t *js)
{
DNP3State *dnp3_state = (DNP3State *)FlowGetAppState(f);
json_t *dnp3js = NULL;
if (dnp3_state) {
uint64_t tx_id = AppLayerParserGetTransactionLogId(f->alparser);
DNP3Transaction *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_DNP3,
dnp3_state, tx_id);
if (tx) {
json_t *dnp3js = json_object();
if (unlikely(dnp3js == NULL)) {
goto error;
}
if (tx->has_request && tx->request_done) {
json_t *request = JsonDNP3LogRequest(tx);
if (request != NULL) {
json_object_set_new(dnp3js, "request", request);
}
}
if (tx->has_response && tx->response_done) {
json_t *response = JsonDNP3LogResponse(tx);
if (response != NULL) {
json_object_set_new(dnp3js, "response", response);
}
}
json_object_set_new(js, "dnp3", dnp3js);
}
}
return;
error:
if (dnp3js != NULL) {
json_decref(dnp3js);
}
}
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
{
char *action = "allowed";
@ -277,6 +316,15 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
}
}
if (json_output_ctx->flags & LOG_JSON_DNP3) {
if (p->flow != NULL) {
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto == ALPROTO_DNP3) {
AlertJsonDnp3(p->flow, js);
}
}
}
/* payload */
if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
int stream = (p->proto == IPPROTO_TCP) ?
@ -592,6 +640,7 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
const char *ssh = ConfNodeLookupChildValue(conf, "ssh");
const char *smtp = ConfNodeLookupChildValue(conf, "smtp");
const char *tagged_packets = ConfNodeLookupChildValue(conf, "tagged-packets");
const char *dnp3 = ConfNodeLookupChildValue(conf, "dnp3");
if (ssh != NULL) {
if (ConfValIsTrue(ssh)) {
@ -644,6 +693,11 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
json_output_ctx->flags |= LOG_JSON_TAGGED_PACKETS;
}
}
if (dnp3 != NULL) {
if (ConfValIsTrue(dnp3)) {
json_output_ctx->flags |= LOG_JSON_DNP3;
}
}
json_output_ctx->payload_buffer_size = payload_buffer_size;
HttpXFFGetCfg(conf, xff_cfg);
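Review bot: In the AlertJsonDnp3 hunk (the `@ -139,6 +142,42 @@` one) the inner `json_t *dnp3js = json_object();` redeclares the `dnp3js` that was set to NULL at the top of the function, so the `error:` cleanup only ever sees the outer NULL and its `json_decref` is dead code; `-Wshadow` would flag it. Either drop the redeclaration, `dnp3js = json_object();`, so the label really does refer to the allocated object, or, since the only `goto error` is taken exactly when `dnp3js == NULL`, replace the goto with a plain `return;` and delete the label and its block. The shadowed variable is harmless today, but any later jump to `error` after the object is allocated would leak it silently. A one-line comment on the `tx_id` lookup saying that the transaction being logged is the one at the parser's current log id would also help readers who expect the alert's own tx.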
