eve: make logging of tagged packets optional

It remains enabled in the default configuration shipped with this change.
Jason Ish 9 years ago committed by Victor Julien
parent 040660556e
commit 1691c10681

@ -70,13 +70,14 @@
#ifdef HAVE_LIBJANSSON #ifdef HAVE_LIBJANSSON
#define LOG_JSON_PAYLOAD 1 #define LOG_JSON_PAYLOAD 0x01
#define LOG_JSON_PACKET 2 #define LOG_JSON_PACKET 0x02
#define LOG_JSON_PAYLOAD_BASE64 4 #define LOG_JSON_PAYLOAD_BASE64 0x04
#define LOG_JSON_HTTP 8 #define LOG_JSON_HTTP 0x08
#define LOG_JSON_TLS 16 #define LOG_JSON_TLS 0x10
#define LOG_JSON_SSH 32 #define LOG_JSON_SSH 0x20
#define LOG_JSON_SMTP 64 #define LOG_JSON_SMTP 0x40
#define LOG_JSON_TAGGED_PACKETS 0x80
#define JSON_STREAM_BUFFER_SIZE 4096 #define JSON_STREAM_BUFFER_SIZE 4096
@ -382,7 +383,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
json_object_clear(js); json_object_clear(js);
json_decref(js); json_decref(js);
if (p->flags & PKT_HAS_TAG) { if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags &
LOG_JSON_TAGGED_PACKETS)) {
MemBufferReset(aft->json_buffer); MemBufferReset(aft->json_buffer);
json_t *packetjs = CreateJSONHeader((Packet *)p, 0, "packet"); json_t *packetjs = CreateJSONHeader((Packet *)p, 0, "packet");
if (unlikely(packetjs != NULL)) { if (unlikely(packetjs != NULL)) {
@ -595,6 +597,7 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
const char *tls = ConfNodeLookupChildValue(conf, "tls"); const char *tls = ConfNodeLookupChildValue(conf, "tls");
const char *ssh = ConfNodeLookupChildValue(conf, "ssh"); const char *ssh = ConfNodeLookupChildValue(conf, "ssh");
const char *smtp = ConfNodeLookupChildValue(conf, "smtp"); const char *smtp = ConfNodeLookupChildValue(conf, "smtp");
const char *tagged_packets = ConfNodeLookupChildValue(conf, "tagged-packets");
if (ssh != NULL) { if (ssh != NULL) {
if (ConfValIsTrue(ssh)) { if (ConfValIsTrue(ssh)) {
@ -642,6 +645,11 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
json_output_ctx->flags |= LOG_JSON_PACKET; json_output_ctx->flags |= LOG_JSON_PACKET;
} }
} }
if (tagged_packets != NULL) {
if (ConfValIsTrue(tagged_packets)) {
json_output_ctx->flags |= LOG_JSON_TAGGED_PACKETS;
}
}
json_output_ctx->payload_buffer_size = payload_buffer_size; json_output_ctx->payload_buffer_size = payload_buffer_size;
HttpXFFGetCfg(conf, xff_cfg); HttpXFFGetCfg(conf, xff_cfg);
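Review bot: An existing configuration that does not contain the new `tagged-packets` key now silently stops logging tagged packets, because the flag is only set when the key is present and true, while the old code (left side of the `PKT_HAS_TAG` check) logged them unconditionally. The commit message's "enabled by default" therefore only holds for the shipped YAML, not for a config carried across an upgrade, which loses the per-tag `packet` events without any warning — exactly the follow-on evidence an analyst expects after an alert on a tagged session. To honour the stated default, treat absence as enabled: `if (tagged_packets == NULL || ConfValIsTrue(tagged_packets)) {`, or, if the off-by-omission behaviour is intended, say so in a comment above the lookup, e.g. `/* absent key disables tagged-packet logging (changed from always-on) */`. The enclosing setup function starts and ends outside this hunk; the hunk header's `XffSetup` context may just be git's nearest preceding symbol.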

@ -164,6 +164,10 @@ outputs:
ssh: yes # enable dumping of ssh fields ssh: yes # enable dumping of ssh fields
smtp: yes # enable dumping of smtp fields smtp: yes # enable dumping of smtp fields
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# HTTP X-Forwarded-For support by adding an extra field or overwriting # HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction) # the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is # with the one reported in the X-Forwarded-For HTTP header. This is
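Review bot: The new comment says what the option does but not what it costs: from the alert logger hunk, every tagged packet is emitted as its own `packet` event, so a single alert on a rule with the `tag` keyword can fan out into many EVE records, and a client that can repeatedly trip such a rule can inflate log volume on purpose. Operators deciding whether to keep `yes` need that caveat where the knob is. I would extend the comment to something like `# Each tagged packet is written as a separate "packet" event, so rules with long tag counts/durations can multiply EVE volume; disable if log size is a concern.` (the exact count/duration semantics of the tag keyword are not visible here and should be checked against the rule documentation).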
