output-json-alert: output source and target

Use metadata provided information to output the Source and Target in the definition of IDMEF. The output is now the following: "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "connection to home", "category": "", "severity": 3, "source": { "ip": "2001:31d0:000a:f68a:0000:0000:0000:0001", "port": 80 }, "target": { "ip": "2a01:0e34:ee97:b130:c685:08ff:dab3:c9c8", "port": 48390 }
8 years ago · 6af529d0c6
parent 97b89c0a54
commit 6af529d0c6
1 changed files with 52 additions and 0 deletions
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -174,6 +174,54 @@ static void AlertJsonDnp3(const Flow *f, json_t *js)
    return;
 }

+static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
+                                  json_t *js, json_t* ajs)
+{
+    json_t *sjs = json_object();
+    if (sjs == NULL) {
+        return;
+    }
+
+    json_t *tjs = json_object();
+    if (tjs == NULL) {
+        json_decref(sjs);
+        return;
+    }
+
+    if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
+        json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
+        json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
+        switch (p->proto) {
+            case IPPROTO_ICMP:
+            case IPPROTO_ICMPV6:
+                break;
+            case IPPROTO_UDP:
+            case IPPROTO_TCP:
+            case IPPROTO_SCTP:
+                json_object_set(sjs, "port", json_object_get(js, "src_port"));
+                json_object_set(tjs, "port", json_object_get(js, "dest_port"));
+                break;
+        }
+    } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
+        json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
+        json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
+        switch (p->proto) {
+            case IPPROTO_ICMP:
+            case IPPROTO_ICMPV6:
+                break;
+            case IPPROTO_UDP:
+            case IPPROTO_TCP:
+            case IPPROTO_SCTP:
+                json_object_set(sjs, "port", json_object_get(js, "dest_port"));
+                json_object_set(tjs, "port", json_object_get(js, "src_port"));
+                break;
+        }
+    }
+    json_object_set_new(ajs, "source", sjs);
+    json_object_set_new(ajs, "target", tjs);
+}
+
+
 void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
 {
    const char *action = "allowed";
@ -215,6 +263,10 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
    if (p->tenant_id > 0)
        json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));

+    if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
+        AlertJsonSourceTarget(p, pa, js, ajs);
+    }
+
    /* alert */
    json_object_set_new(js, "alert", ajs);
 }