|
|
|
|
@ -88,13 +88,10 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
|
|
|
|
|
const Packet *p)
|
|
|
|
|
{
|
|
|
|
|
const bool is_ip_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
|
|
|
|
|
|
|
|
|
|
char timebuf[64];
|
|
|
|
|
CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
|
|
|
|
|
|
|
|
|
|
const uint16_t log_type = aft->json_output_ctx->flags;
|
|
|
|
|
const bool log_stream = log_type & LOG_JSON_STREAM_TYPE;
|
|
|
|
|
const bool log_decode = log_type & LOG_JSON_DECODE_TYPE;
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < p->events.cnt; i++) {
|
|
|
|
|
uint8_t event_code = p->events.events[i];
|
|
|
|
|
bool is_decode = EVENT_IS_DECODER_PACKET_ERROR(event_code);
|
|
|
|
|
@ -112,16 +109,14 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
|
|
|
|
|
|
|
|
|
|
jb_open_object(js, ANOMALY_EVENT_TYPE);
|
|
|
|
|
|
|
|
|
|
if (!is_ip_pkt) {
|
|
|
|
|
jb_set_string(js, "timestamp", timebuf);
|
|
|
|
|
} else {
|
|
|
|
|
if (is_ip_pkt) {
|
|
|
|
|
EveAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (event_code < DECODE_EVENT_MAX) {
|
|
|
|
|
const char *event = DEvents[event_code].event_name;
|
|
|
|
|
jb_set_string(js, "type",
|
|
|
|
|
EVENT_IS_DECODER_PACKET_ERROR(event_code) ?
|
|
|
|
|
EVENT_IS_DECODER_PACKET_ERROR(event_code) ?
|
|
|
|
|
"decode" : "stream");
|
|
|
|
|
jb_set_string(js, "event", event);
|
|
|
|
|
} else {
|
|
|
|
|
|
Victor Julien
5 years ago