From 8a97bb0d042ea25c445872e142de406aa432ca1e Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 20 Oct 2014 13:59:28 +0200
Subject: [PATCH] alert json: move alert info into function

Move adding the alert info (sid,rev,gid,etc) into it's own function, so it can be called from other outputs as well.
---
 src/output-json-alert.c | 60 ++++++++++++++++++++++-------------------
 src/output-json-alert.h | 3 +++
 2 files changed, 36 insertions(+), 27 deletions(-)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 60dbf1fdb6..3d567c0c6e 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -161,6 +161,38 @@ static void AlertJsonSsh(const Flow *f, json_t *js)
 return;
 }
 
+void AlertJsonHeader(const PacketAlert *pa, json_t *js)
+{
+ char *action = "allowed";
+ if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
+ action = "blocked";
+ } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
+ action = "blocked";
+ }
+
+ json_t *ajs = json_object();
+ if (ajs == NULL) {
+ json_decref(js);
+ return;
+ }
+
+ json_object_set_new(ajs, "action", json_string(action));
+ json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
+ json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
+ json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
+ json_object_set_new(ajs, "signature",
+ json_string((pa->s->msg) ? pa->s->msg : ""));
+ json_object_set_new(ajs, "category",
+ json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
+ json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
+
+ if (pa->flags & PACKET_ALERT_FLAG_TX)
+ json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
+
+ /* alert */
+ json_object_set_new(js, "alert", ajs);
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
 MemBuffer *payload = aft->payload_buffer;
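Review bot: The allocation-failure path of the new AlertJsonHeader, `json_decref(js); return;`, releases the caller's object and then returns void, so the call site in the second hunk (`AlertJsonHeader(pa, js);` inside AlertJson) cannot see the failure and keeps using `js` for the rest of the alert — a use-after-free, and likely a second decref when AlertJson finishes — which the old inline code avoided by returning TM_ECODE_OK immediately after the decref. The helper should leave ownership of `js` with the caller and report failure through its return value; the caller then mirrors the old behaviour with `if (AlertJsonHeader(pa, js) != 0) { json_decref(js); return TM_ECODE_OK; }`, and the prototype in output-json-alert.h follows the new return type. While here, `action` only ever points at string literals, so `const char *action` is the accurate type, and a function that is now exported deserves a short header comment stating that it attaches the "alert" object to `js` and that `js` remains owned by the caller on every path.
```c
int AlertJsonHeader(const PacketAlert *pa, json_t *js)
{
    const char *action = "allowed";
    /* … unchanged: action selection from pa->action … */

    json_t *ajs = json_object();
    if (ajs == NULL) {
        return -1; /* js untouched: the caller still owns it */
    }
    /* … unchanged: action, gid, signature_id, rev, signature, category, severity, tx_id … */
    json_object_set_new(js, "alert", ajs);
    return 0;
}
```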
@@ -181,36 +213,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 continue;
 }
 
- char *action = "allowed";
- if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
- action = "blocked";
- } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
- action = "blocked";
- }
-
- json_t *ajs = json_object();
- if (ajs == NULL) {
- json_decref(js);
- return TM_ECODE_OK;
- }
-
 MemBufferReset(aft->json_buffer);
 
- json_object_set_new(ajs, "action", json_string(action));
- json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
- json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
- json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
- json_object_set_new(ajs, "signature",
- json_string((pa->s->msg) ? pa->s->msg : ""));
- json_object_set_new(ajs, "category",
- json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
- json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
-
- if (pa->flags & PACKET_ALERT_FLAG_TX)
- json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
 
- /* alert */
- json_object_set_new(js, "alert", ajs);
+ AlertJsonHeader(pa, js);
 
 if (json_output_ctx->flags & LOG_JSON_HTTP) {
 if (p->flow != NULL) {
diff --git a/src/output-json-alert.h b/src/output-json-alert.h
index ec8abb7e4e..55313fbb55 100644
--- a/src/output-json-alert.h
+++ b/src/output-json-alert.h
@@ -28,6 +28,9 @@
 #define __OUTPUT_JSON_ALERT_H__
 
 void TmModuleJsonAlertLogRegister (void);
+#ifdef HAVE_LIBJANSSON
+void AlertJsonHeader(const PacketAlert *pa, json_t *js);
+#endif /* HAVE_LIBJANSSON */
 
 #endif /* __OUTPUT_JSON_ALERT_H__ */
 
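Review bot: The new prototype `void AlertJsonHeader(const PacketAlert *pa, json_t *js);` is exported to other outputs with no comment on its contract, which matters here because the implementation can drop `js` on an allocation failure and the caller has no way to learn that. A Doxygen block above the declaration should state what the function adds (the "alert" object with action, gid, signature_id, rev, signature, category, severity and optional tx_id), who owns `js` afterwards, and how failure is reported — and the declaration should change together with the implementation if that contract is fixed to return a status. The prototype also relies on `PacketAlert` and `json_t` being declared by whoever includes this header; whether the surrounding header already provides those declarations is outside the hunk, so it is worth confirming that every new includer compiles with and without HAVE_LIBJANSSON.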