ikev1: add metadata to alerts

4 years ago · 37940180a8
parent e2dbdd7fd5
commit 37940180a8
3 changed files with 22 additions and 0 deletions
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -71,6 +71,7 @@
 #include "output-json-sip.h"
 #include "output-json-rfb.h"
 #include "output-json-mqtt.h"
+#include "output-json-ike.h"

 #include "util-byte.h"
 #include "util-privs.h"
@ -530,6 +531,12 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
        case ALPROTO_DNS:
            AlertJsonDns(p->flow, tx_id, jb);
            break;
+        case ALPROTO_IKE:
+            jb_get_mark(jb, &mark);
+            if (!EveIKEAddMetadata(p->flow, tx_id, jb)) {
+                jb_restore_mark(jb, &mark);
+            }
+            break;
        case ALPROTO_MQTT:
            jb_get_mark(jb, &mark);
            if (!JsonMQTTAddMetadata(p->flow, tx_id, jb)) {
--- a/src/output-json-ike.c
+++ b/src/output-json-ike.c
@ -64,6 +64,19 @@ typedef struct LogIKELogThread_ {
    MemBuffer *buffer;
 } LogIKELogThread;

+bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
+{
+    IKEState *state = FlowGetAppState(f);
+    if (state) {
+        IKETransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_IKE, state, tx_id);
+        if (tx) {
+            return rs_ike_logger_log(state, tx, LOG_IKE_EXTENDED, js);
+        }
+    }
+
+    return false;
+}
+
 static int JsonIKELogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state,
        void *tx, uint64_t tx_id)
 {
--- a/src/output-json-ike.h
+++ b/src/output-json-ike.h
@ -26,4 +26,6 @@

 void JsonIKELogRegister(void);

+bool EveIKEAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js);
+
 #endif /* __OUTPUT_JSON_IKE_H__ */