aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

logging: Ensure all anomalous events have an event_type

Browse Source 
This change ensures that each anomaly is tagged with an
event type to support querying.

Each anomalous event will include `"event_type": "anomaly"`
in the log record.
pull/3819/head
Jeff Lucovsky 6 years ago
parent 5e222129d5
commit 7d28c19f05
2 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File

19
src/output-json-anomaly.c
Unescape Escape View File

@ -84,12 +84,7 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
for (int i = 0; i < p->events.cnt; i++) { for (int i = 0; i < p->events.cnt; i++) {
MemBufferReset(aft->json_buffer); MemBufferReset(aft->json_buffer);
json_t *js; json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "anomaly");
if (is_IP_pkt) {
js = CreateJSONHeader(p, LOG_DIR_PACKET, "anomaly");
} else {
js = json_object();
}
if (unlikely(js == NULL)) { if (unlikely(js == NULL)) {
return TM_ECODE_OK; return TM_ECODE_OK;
@ -118,15 +113,19 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
} }
uint8_t event_code = p->events.events[i]; uint8_t event_code = p->events.events[i];
if (EVENT_IS_DECODER_PACKET_ERROR(event_code)) { if (event_code < DECODE_EVENT_MAX) {
const char *event = DEvents[event_code].event_name; const char *event = DEvents[event_code].event_name;
json_object_set_new(ajs, "type",
EVENT_IS_DECODER_PACKET_ERROR(event_code) ?
json_string("packet") : json_string("stream"));
json_object_set_new(ajs, "event", json_string(event)); json_object_set_new(ajs, "event", json_string(event));
} else { } else {
/* include event code with unrecognized events */ /* include event code with unrecognized events */
uint32_t offset = 0; uint32_t offset = 0;
char unknown_event_buf[32]; char unknown_event_buf[16];
PrintBufferData(unknown_event_buf, &offset, 32, "%s(%d)", "Unknown", event_code); json_object_set_new(ajs, "type", json_string("unknown"));
json_object_set_new(ajs, "event", json_string(unknown_event_buf)); PrintBufferData(unknown_event_buf, &offset, 16, "%d", event_code);
json_object_set_new(ajs, "code", json_string(unknown_event_buf));
} }
/* anomaly */ /* anomaly */

3
src/output-json.c
Unescape Escape View File

@ -446,6 +446,9 @@ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
srcip, sizeof(srcip)); srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
dstip, sizeof(dstip)); dstip, sizeof(dstip));
} else {
/* Not an IP packet so don't do anything */
return;
} }
sp = p->sp; sp = p->sp;
dp = p->dp; dp = p->dp;

Write Preview
Loading…
Cancel
Save