eve: log tag packets as packet events

Create a new eve event type, "packet" for logging packets that are tagged as part of an event. The packet is still at the top level to keep it consistent with alert event types. In addition to the packet being logged, a packet_info object is created to hold the linktype and any future meta data we may want to add about the packet.
9 years ago · 040660556e
parent 305b1b90fd
commit 040660556e
1 changed files with 33 additions and 6 deletions
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -175,6 +175,23 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
    json_object_set_new(js, "alert", ajs);
 }

+static void AlertJsonPacket(const Packet *p, json_t *js)
+{
+    unsigned long len = GET_PKT_LEN(p) * 2;
+    uint8_t encoded_packet[len];
+    Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p),
+        encoded_packet, &len);
+    json_object_set_new(js, "packet", json_string((char *)encoded_packet));
+
+    /* Create packet info. */
+    json_t *packetinfo_js = json_object();
+    if (unlikely(packetinfo_js == NULL)) {
+        return;
+    }
+    json_object_set_new(packetinfo_js, "linktype", json_integer(p->datalink));
+    json_object_set_new(js, "packet_info", packetinfo_js);
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
    MemBuffer *payload = aft->payload_buffer;
@ -183,7 +200,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)

    int i;

-    if (p->alerts.cnt == 0)
+    if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
        return TM_ECODE_OK;

    json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
@ -325,10 +342,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)

        /* base64-encoded full packet */
        if (json_output_ctx->flags & LOG_JSON_PACKET) {
-            unsigned long len = GET_PKT_LEN(p) * 2;
-            uint8_t encoded_packet[len];
-            Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p), encoded_packet, &len);
-            json_object_set_new(js, "packet", json_string((char *)encoded_packet));
+            AlertJsonPacket(p, js);
        }

        HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
@ -368,6 +382,16 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
    json_object_clear(js);
    json_decref(js);

+    if (p->flags & PKT_HAS_TAG) {
+        MemBufferReset(aft->json_buffer);
+        json_t *packetjs = CreateJSONHeader((Packet *)p, 0, "packet");
+        if (unlikely(packetjs != NULL)) {
+            AlertJsonPacket(p, packetjs);
+            OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
+            json_decref(packetjs);
+        }
+    }
+
    return TM_ECODE_OK;
 }

@ -457,7 +481,10 @@ static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)

 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
 {
-    return (p->alerts.cnt ? TRUE : FALSE);
+    if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
+        return TRUE;
+    }
+    return FALSE;
 }

 #define OUTPUT_BUFFER_SIZE 65535