aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

output-json-alert: add app_proto or flow to events

Browse Source 
This patch adds a partial flow entry in the alert event
(if applayer or flow is selected) or simply app_proto if
it is not.

app_proto is useful as filter and aggregation field. And
the partial flow entry contains more information about the
proto as well as some volumetry info.
pull/2805/head
Eric Leblond 8 years ago committed by Victor Julien
parent 61d9f4bb0a
commit da9005c404
3 changed files with 45 additions and 15 deletions
Show Stats Download Patch File Download Diff File

24
src/output-json-alert.c
Unescape Escape View File

@ -61,6 +61,7 @@
#include "output-json-smtp.h"
#include "output-json-email-common.h"
#include "output-json-nfs.h"
#include "output-json-flow.h"
#include "util-byte.h"
#include "util-privs.h"
@ -85,8 +86,9 @@
#define LOG_JSON_DNP3 BIT_U16(8)
#define LOG_JSON_VARS BIT_U16(9)
#define LOG_JSON_APP_LAYER BIT_U16(10)
#define LOG_JSON_FLOW BIT_U16(11)
#define LOG_JSON_APP_LAYER_ALL (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3)
#define LOG_JSON_APP_LAYER_ALL (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3|LOG_JSON_FLOW)
#define JSON_STREAM_BUFFER_SIZE 4096
@ -442,6 +444,20 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
JsonAddVars(p, p->flow, js);
}
if (p->flow) {
if (json_output_ctx->flags & LOG_JSON_FLOW) {
hjs = json_object();
if (hjs != NULL) {
JsonAddFlow(p->flow, js, hjs);
json_object_set_new(js, "flow", hjs);
}
} else {
json_object_set_new(js, "app_proto",
json_string(AppProtoToString(p->flow->alproto)));
}
}
/* payload */
if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
int stream = (p->proto == IPPROTO_TCP) ?
@ -750,7 +766,13 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
const char *dnp3 = ConfNodeLookupChildValue(conf, "dnp3");
const char *vars = ConfNodeLookupChildValue(conf, "vars");
const char *applayer = ConfNodeLookupChildValue(conf, "applayer");
const char *flow = ConfNodeLookupChildValue(conf, "flow");
if (flow != NULL) {
if (ConfValIsTrue(flow)) {
json_output_ctx->flags |= LOG_JSON_FLOW;
}
}
if (vars != NULL) {
if (ConfValIsTrue(vars)) {
json_output_ctx->flags |= LOG_JSON_VARS;

33
src/output-json-flow.c
Unescape Escape View File

@ -177,17 +177,8 @@ static json_t *CreateJSONHeaderFromFlow(Flow *f, const char *event_type)
return js;
}
/* JSON format logging */
static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
{
#if 0
LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;
#endif
json_t *hjs = json_object();
if (hjs == NULL) {
return;
}
json_object_set_new(js, "app_proto",
json_string(AppProtoToString(f->alproto)));
if (f->alproto_ts != f->alproto) {
@ -216,12 +207,26 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
json_object_set_new(hjs, "bytes_toclient",
json_integer(f->tosrcbytecnt));
char timebuf1[64], timebuf2[64];
char timebuf1[64];
CreateIsoTimeString(&f->startts, timebuf1, sizeof(timebuf1));
CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
json_object_set_new(hjs, "start", json_string(timebuf1));
}
/* JSON format logging */
static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
{
#if 0
LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;
#endif
json_t *hjs = json_object();
if (hjs == NULL) {
return;
}
JsonAddFlow(f, js, hjs);
char timebuf2[64];
CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
json_object_set_new(hjs, "end", json_string(timebuf2));
int32_t age = f->lastts.tv_sec - f->startts.tv_sec;

3
src/output-json-flow.h
Unescape Escape View File

@ -25,5 +25,8 @@
#define __OUTPUT_JSON_FLOW_H__
void JsonFlowLogRegister(void);
#ifdef HAVE_LIBJANSSON
void JsonAddFlow(Flow *f, json_t *js, json_t *hjs);
#endif /* HAVE_LIBJANSSON */
#endif /* __OUTPUT_JSON_FLOW_H__ */

Write Preview
Loading…
Cancel
Save