eve-drop: allow logging all drops

- drop: alerts: yes # log alerts that caused drops flows: all # start or all: 'start' logs only a single drop # per flow direction. All logs each dropped pkt.
9 years ago · 2997d086be
parent 1cc5f9825d
commit 2997d086be
2 changed files with 32 additions and 2 deletions
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@ -71,6 +71,9 @@ typedef struct JsonDropLogThread_ {
    MemBuffer *buffer;
 } JsonDropLogThread;

+/* default to true as this has been the default behavior for a long time */
+static int g_droplog_flows_start = 1;
+
 /**
 * \brief   Log the dropped packets in netfilter format when engine is running
 *          in inline mode
@ -282,6 +285,17 @@ static OutputCtx *JsonDropLogInitCtx(ConfNode *conf)
                drop_ctx->flags = LOG_DROP_ALERTS;
            }
        }
+        extended = ConfNodeLookupChildValue(conf, "flows");
+        if (extended != NULL) {
+            if (strcasecmp(extended, "start") == 0) {
+                g_droplog_flows_start = 1;
+            } else if (strcasecmp(extended, "all") == 0) {
+                g_droplog_flows_start = 0;
+            } else {
+                SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
+                        "'flow' are 'start' and 'all'");
+            }
+        }
    }

    output_ctx->data = drop_ctx;
@ -316,6 +330,17 @@ static OutputCtx *JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
                drop_ctx->flags = LOG_DROP_ALERTS;
            }
        }
+        extended = ConfNodeLookupChildValue(conf, "flows");
+        if (extended != NULL) {
+            if (strcasecmp(extended, "start") == 0) {
+                g_droplog_flows_start = 1;
+            } else if (strcasecmp(extended, "all") == 0) {
+                g_droplog_flows_start = 0;
+            } else {
+                SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
+                        "'flow' are 'start' and 'all'");
+            }
+        }
    }

    drop_ctx->file_ctx = ajt->file_ctx;
@ -341,6 +366,9 @@ static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
    if (r < 0)
        return -1;

+    if (!g_droplog_flows_start)
+        return 0;
+
    if (p->flow) {
        FLOWLOCK_RDLOCK(p->flow);
        if (p->flow->flags & FLOW_ACTION_DROP) {
@ -374,7 +402,7 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
        return FALSE;
    }

-    if (p->flow != NULL) {
+    if (g_droplog_flows_start && p->flow != NULL) {
        int ret = FALSE;

        /* for a flow that will be dropped fully, log just once per direction */
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -204,7 +204,9 @@ outputs:
            force-magic: no   # force logging magic on all logged files
            force-md5: no     # force logging of md5 checksums
        #- drop:
-        #    alerts: no       # log alerts that caused drops
+        #    alerts: yes      # log alerts that caused drops
+        #    flows: all       # start or all: 'start' logs only a single drop
+        #                     # per flow direction. All logs each dropped pkt.
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent