eve/flow/netflow: log correct tulpe on reversed flows

7 years ago · 00beeef031
parent 9c241fa32c
commit 00beeef031
3 changed files with 26 additions and 16 deletions
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@ -66,7 +66,7 @@ typedef struct JsonFlowLogThread_ {
 static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
 {
    char timebuf[64];
-    char srcip[46], dstip[46];
+    char srcip[46] = {0}, dstip[46] = {0};
    Port sp, dp;

    json_t *js = json_object();
@ -79,19 +79,28 @@ static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)

    CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));

-    srcip[0] = '\0';
-    dstip[0] = '\0';
-    if (FLOW_IS_IPV4(f)) {
-        PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
-        PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
-    } else if (FLOW_IS_IPV6(f)) {
-        PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
-        PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
+    if ((f->flags & FLOW_DIR_REVERSED) == 0) {
+        if (FLOW_IS_IPV4(f)) {
+            PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
+            PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
+        } else if (FLOW_IS_IPV6(f)) {
+            PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
+            PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
+        }
+        sp = f->sp;
+        dp = f->dp;
+    } else {
+        if (FLOW_IS_IPV4(f)) {
+            PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip));
+            PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip));
+        } else if (FLOW_IS_IPV6(f)) {
+            PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip));
+            PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip));
+        }
+        sp = f->dp;
+        dp = f->sp;
    }

-    sp = f->sp;
-    dp = f->dp;
-
    char proto[16];
    if (SCProtoNameValid(f->proto) == TRUE) {
        strlcpy(proto, known_proto[f->proto], sizeof(proto));
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@ -67,7 +67,7 @@ typedef struct JsonNetFlowLogThread_ {
 static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type, int dir)
 {
    char timebuf[64];
-    char srcip[46], dstip[46];
+    char srcip[46] = {0}, dstip[46] = {0};
    Port sp, dp;

    json_t *js = json_object();
@ -80,8 +80,9 @@ static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type, i

    CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));

-    srcip[0] = '\0';
-    dstip[0] = '\0';
+    /* reverse header direction if the flow started out wrong */
+    dir ^= ((f->flags & FLOW_DIR_REVERSED) != 0);
+
    if (FLOW_IS_IPV4(f)) {
        if (dir == 0) {
            PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
--- a/src/output-json.c
+++ b/src/output-json.c
@ -430,7 +430,7 @@ void JsonTcpFlags(uint8_t flags, json_t *js)
 */
 void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
 {
-    char srcip[46] = "", dstip[46] = "";
+    char srcip[46] = {0}, dstip[46] = {0};
    Port sp, dp;
    char proto[16];