eve/alert: move app-layer logic into a util func

pull/5164/head
Victor Julien 5 years ago
parent 537fb7a1c6
commit 3dacbcddef

@ -409,82 +409,21 @@ static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js
}
}
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
const uint64_t tx_id, const uint16_t option_flags)
{
MemBuffer *payload = aft->payload_buffer;
AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
int i;
if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
return TM_ECODE_OK;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
/* First initialize the address info (5-tuple). */
JsonAddrInfo addr = json_addr_info_zero;
JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
/* Check for XFF, overwriting address info if needed. */
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
int have_xff_ip = 0;
char xff_buffer[XFF_MAXLEN];
if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
xff_buffer, XFF_MAXLEN);
} else {
have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
XFF_MAXLEN);
}
}
if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
if (p->flowflags & FLOW_PKT_TOCLIENT) {
strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
} else {
strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
}
/* Clear have_xff_ip so the xff field does not get
* logged below. */
have_xff_ip = false;
}
}
JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr);
if (unlikely(jb == NULL))
return TM_ECODE_OK;
EveAddCommonOptions(&json_output_ctx->cfg, p, p->flow, jb);
MemBufferReset(aft->json_buffer);
/* alert */
AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags,
&addr);
if (IS_TUNNEL_PKT(p)) {
AlertJsonTunnel(p, jb);
}
if (json_output_ctx->flags & LOG_JSON_APP_LAYER && p->flow != NULL) {
const AppProto proto = FlowGetAppProtocol(p->flow);
JsonBuilderMark mark = { 0, 0, 0 };
switch (proto) {
case ALPROTO_HTTP:
// TODO: Could result in an empty http object being logged.
jb_open_object(jb, "http");
if (EveHttpAddMetadata(p->flow, pa->tx_id, jb)) {
if (json_output_ctx->flags & LOG_JSON_HTTP_BODY) {
EveHttpLogJSONBodyPrintable(jb, p->flow, pa->tx_id);
if (EveHttpAddMetadata(p->flow, tx_id, jb)) {
if (option_flags & LOG_JSON_HTTP_BODY) {
EveHttpLogJSONBodyPrintable(jb, p->flow, tx_id);
}
if (json_output_ctx->flags & LOG_JSON_HTTP_BODY_BASE64) {
EveHttpLogJSONBodyBase64(jb, p->flow, pa->tx_id);
if (option_flags & LOG_JSON_HTTP_BODY_BASE64) {
EveHttpLogJSONBodyBase64(jb, p->flow, tx_id);
}
}
jb_close(jb);
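Review bot: The new AlertAddAppLayer (signature at the top of this hunk) appears to call FlowGetAppProtocol(p->flow) and pass p->flow to every metadata helper without checking it, so its correctness rests on the caller's `if (p->flow != NULL)` guard in the last hunk; that precondition should be stated on the function, e.g. a Doxygen header `/** \brief Log app-layer metadata for the alert's transaction. Caller must ensure p->flow != NULL. */`, and `option_flags` documented as the LOG_JSON_* bits of the output context. Its parameter list also carries `const` on the by-value `tx_id` and `option_flags`, which is a definition-only detail and is normally dropped for consistency with the rest of the file. AlertAddAppLayer's body continues past the end of this hunk.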
@ -498,14 +437,14 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
case ALPROTO_SMTP:
jb_get_mark(jb, &mark);
jb_open_object(jb, "smtp");
if (EveSMTPAddMetadata(p->flow, pa->tx_id, jb)) {
if (EveSMTPAddMetadata(p->flow, tx_id, jb)) {
jb_close(jb);
} else {
jb_restore_mark(jb, &mark);
}
jb_get_mark(jb, &mark);
jb_open_object(jb, "email");
if (EveEmailAddMetadata(p->flow, pa->tx_id, jb)) {
if (EveEmailAddMetadata(p->flow, tx_id, jb)) {
jb_close(jb);
} else {
jb_restore_mark(jb, &mark);
@ -515,7 +454,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
/* rpc */
jb_get_mark(jb, &mark);
jb_open_object(jb, "rpc");
if (EveNFSAddMetadataRPC(p->flow, pa->tx_id, jb)) {
if (EveNFSAddMetadataRPC(p->flow, tx_id, jb)) {
jb_close(jb);
} else {
jb_restore_mark(jb, &mark);
@ -523,7 +462,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
/* nfs */
jb_get_mark(jb, &mark);
jb_open_object(jb, "nfs");
if (EveNFSAddMetadata(p->flow, pa->tx_id, jb)) {
if (EveNFSAddMetadata(p->flow, tx_id, jb)) {
jb_close(jb);
} else {
jb_restore_mark(jb, &mark);
@ -532,36 +471,104 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
case ALPROTO_SMB:
jb_get_mark(jb, &mark);
jb_open_object(jb, "smb");
if (EveSMBAddMetadata(p->flow, pa->tx_id, jb)) {
if (EveSMBAddMetadata(p->flow, tx_id, jb)) {
jb_close(jb);
} else {
jb_restore_mark(jb, &mark);
}
break;
case ALPROTO_SIP:
JsonSIPAddMetadata(jb, p->flow, pa->tx_id);
JsonSIPAddMetadata(jb, p->flow, tx_id);
break;
case ALPROTO_RFB: {
case ALPROTO_RFB:
jb_get_mark(jb, &mark);
if (!JsonRFBAddMetadata(p->flow, pa->tx_id, jb)) {
if (!JsonRFBAddMetadata(p->flow, tx_id, jb)) {
jb_restore_mark(jb, &mark);
}
break;
}
case ALPROTO_FTPDATA:
EveFTPDataAddMetadata(p->flow, jb);
break;
case ALPROTO_DNP3:
AlertJsonDnp3(p->flow, pa->tx_id, jb);
AlertJsonDnp3(p->flow, tx_id, jb);
break;
case ALPROTO_DNS:
AlertJsonDns(p->flow, pa->tx_id, jb);
AlertJsonDns(p->flow, tx_id, jb);
break;
default:
break;
}
}
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
MemBuffer *payload = aft->payload_buffer;
AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
int i;
if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
return TM_ECODE_OK;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
/* First initialize the address info (5-tuple). */
JsonAddrInfo addr = json_addr_info_zero;
JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
/* Check for XFF, overwriting address info if needed. */
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
int have_xff_ip = 0;
char xff_buffer[XFF_MAXLEN];
if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg,
xff_buffer, XFF_MAXLEN);
} else {
have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer,
XFF_MAXLEN);
}
}
if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) {
if (p->flowflags & FLOW_PKT_TOCLIENT) {
strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN);
} else {
strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN);
}
/* Clear have_xff_ip so the xff field does not get
* logged below. */
have_xff_ip = false;
}
}
JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_PACKET, "alert", &addr);
if (unlikely(jb == NULL))
return TM_ECODE_OK;
EveAddCommonOptions(&json_output_ctx->cfg, p, p->flow, jb);
MemBufferReset(aft->json_buffer);
/* alert */
AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags,
&addr);
if (IS_TUNNEL_PKT(p)) {
AlertJsonTunnel(p, jb);
}
if (p->flow != NULL) {
if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
}
}
/* including fileinfo data is configured by the metadata setting */
if (json_output_ctx->flags & LOG_JSON_RULE_METADATA && p->flow != NULL) {
FileContainer *ffc = AppLayerParserGetFiles(p->flow,
