aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

alert json: move alert info into function

Browse Source 
Move adding the alert info (sid,rev,gid,etc) into it's own function,
so it can be called from other outputs as well.
pull/1365/head
Victor Julien 11 years ago
parent e9857200b3
commit 8a97bb0d04
2 changed files with 36 additions and 27 deletions
Show Stats Download Patch File Download Diff File

60
src/output-json-alert.c
Unescape Escape View File

@ -161,6 +161,38 @@ static void AlertJsonSsh(const Flow *f, json_t *js)
return;
}
void AlertJsonHeader(const PacketAlert *pa, json_t *js)
{
char *action = "allowed";
if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
action = "blocked";
} else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "blocked";
}
json_t *ajs = json_object();
if (ajs == NULL) {
json_decref(js);
return;
}
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
if (pa->flags & PACKET_ALERT_FLAG_TX)
json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
/* alert */
json_object_set_new(js, "alert", ajs);
}
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
MemBuffer *payload = aft->payload_buffer;
@ -181,36 +213,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
continue;
}
char *action = "allowed";
if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
action = "blocked";
} else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "blocked";
}
json_t *ajs = json_object();
if (ajs == NULL) {
json_decref(js);
return TM_ECODE_OK;
}
MemBufferReset(aft->json_buffer);
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
if (pa->flags & PACKET_ALERT_FLAG_TX)
json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
/* alert */
json_object_set_new(js, "alert", ajs);
AlertJsonHeader(pa, js);
if (json_output_ctx->flags & LOG_JSON_HTTP) {
if (p->flow != NULL) {

3
src/output-json-alert.h
Unescape Escape View File

@ -28,6 +28,9 @@
#define __OUTPUT_JSON_ALERT_H__
void TmModuleJsonAlertLogRegister (void);
#ifdef HAVE_LIBJANSSON
void AlertJsonHeader(const PacketAlert *pa, json_t *js);
#endif /* HAVE_LIBJANSSON */
#endif /* __OUTPUT_JSON_ALERT_H__ */

Write Preview
Loading…
Cancel
Save