From 0189b4d1ebf6f4834b2e3d2def1436dddaa624cc Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Fri, 31 Jan 2014 12:05:48 +0100
Subject: [PATCH] json file: separate http params

This patch separates http keys from file to have a different value list: { "time":"01\/31\/2014-12:04:52.837245","event_type":"file","src_ip":"5.3.1.1","src_port":80,"dest_ip":"1.8.1.9","dest_port":9539,"proto":"TCP", "http":{"url":"/foo/","hostname":"bar.com","http_refer":"http:\/\/bar.org","http_user_agent":"Mozilla\/5.0"}, "file":{"filename":"bar","magic":"unknown","state":"CLOSED","stored":false,"size":21} } One interest of this modification is that it is possible to use the same key as the one used in http events. Thus correlating both type of events is trivial. On code side, this will permit to factorize the code by simply asking the underlying protocol to output its info in a json object. Second interest is that adding file extraction for a new protocol will result in only changing the protocol specific json list.
---
 src/output-json-file.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/output-json-file.c b/src/output-json-file.c
index e7ff40bcf5..d86f2cbd3e 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -171,16 +171,25 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
 /* reset */
 MemBufferReset(buffer);
+ json_t *hjs = json_object();
+ if (unlikely(hjs == NULL)) {
+ json_decref(js);
+ return;
+ }
+
+ json_object_set_new(hjs, "url", LogFileMetaGetUri(p, ff));
+ json_object_set_new(hjs, "hostname", LogFileMetaGetHost(p, ff));
+ json_object_set_new(hjs, "http_refer", LogFileMetaGetReferer(p, ff));
+ json_object_set_new(hjs, "http_user_agent", LogFileMetaGetUserAgent(p, ff));
+ json_object_set_new(js, "http", hjs);
+
 json_t *fjs = json_object();
 if (unlikely(fjs == NULL)) {
+ json_decref(hjs);
 json_decref(js);
 return;
 }
- json_object_set_new(fjs, "http_uri", LogFileMetaGetUri(p, ff));
- json_object_set_new(fjs, "http_host", LogFileMetaGetHost(p, ff));
- json_object_set_new(fjs, "http_referer", LogFileMetaGetReferer(p, ff));
- json_object_set_new(fjs, "http_user_agent", LogFileMetaGetUserAgent(p, ff));
 char *s = SCStrndup((char *)ff->name, ff->name_len);
 json_object_set_new(fjs, "filename", json_string(s));
 if (s != NULL)
@@ -224,6 +233,7 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
 json_object_set_new(js, "file", fjs);
 OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, buffer);
 json_object_del(js, "file");
+ json_object_del(js, "http");
 json_object_clear(js);
 json_decref(js);
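Review bot: The `json_decref(hjs);` added to the `fjs == NULL` branch in the first hunk releases a reference this function no longer owns. Jansson's `json_object_set_new()` steals the reference to its value, so after `json_object_set_new(js, "http", hjs);` the only reference to `hjs` belongs to `js`; the extra decref frees `hjs` while `js` still points at it, and the `json_decref(js);` that follows then touches freed memory (a use-after-free / double free on the allocation-failure path). Drop the added line so the branch is again just `json_decref(js); return;`. The `json_object_del(js, "http");` added in the second hunk already treats `js` as the owner of `hjs`, which is the same ownership assumption. FileWriteJsonRecord begins before the first hunk and continues past the second.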