aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

output-json-alert: output source and target

Browse Source 
Use metadata provided information to output the Source and Target
in the definition of IDMEF.

The output is now the following:

  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 1,
    "signature": "connection to home",
    "category": "",
    "severity": 3,
    "source": {
      "ip": "2001:31d0:000a:f68a:0000:0000:0000:0001",
      "port": 80
    },
    "target": {
      "ip": "2a01:0e34:ee97:b130:c685:08ff:dab3:c9c8",
      "port": 48390
    }
pull/2776/head
Eric Leblond 8 years ago committed by Victor Julien
parent 97b89c0a54
commit 6af529d0c6
1 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File

52
src/output-json-alert.c
Unescape Escape View File

@ -174,6 +174,54 @@ static void AlertJsonDnp3(const Flow *f, json_t *js)
return; return;
} }
static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
json_t *js, json_t* ajs)
{
json_t *sjs = json_object();
if (sjs == NULL) {
return;
}
json_t *tjs = json_object();
if (tjs == NULL) {
json_decref(sjs);
return;
}
if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
switch (p->proto) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set(sjs, "port", json_object_get(js, "src_port"));
json_object_set(tjs, "port", json_object_get(js, "dest_port"));
break;
}
} else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
switch (p->proto) {
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set(sjs, "port", json_object_get(js, "dest_port"));
json_object_set(tjs, "port", json_object_get(js, "src_port"));
break;
}
}
json_object_set_new(ajs, "source", sjs);
json_object_set_new(ajs, "target", tjs);
}
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js) void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
{ {
const char *action = "allowed"; const char *action = "allowed";
@ -215,6 +263,10 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
if (p->tenant_id > 0) if (p->tenant_id > 0)
json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id)); json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
AlertJsonSourceTarget(p, pa, js, ajs);
}
/* alert */ /* alert */
json_object_set_new(js, "alert", ajs); json_object_set_new(js, "alert", ajs);
} }

Write Preview
Loading…
Cancel
Save