json: sync key name with CIM

This patch synchronizes key names with the Common Information Model.
It updates key names to follow what is proposed in:
 http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
The benefit of these modifications is that using the same key names
as other software makes it easy to correlate and enrich
data. For example, the geoip setting in logstash can be applied to
all src_ip fields, allowing geoip tagging of the data.
pull/810/head
Eric Leblond 12 years ago
parent 31a024c9b5
commit 7a9efd74e4

@ -108,13 +108,13 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "id", json_integer(pa->s->id));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "msg",
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "class",
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "pri", json_integer(pa->s->prio));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
/* alert */
json_object_set_new(js, "alert", ajs);
@ -180,13 +180,13 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
json_object_set_new(ajs, "action", json_string(action));
json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
json_object_set_new(ajs, "id", json_integer(pa->s->id));
json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
json_object_set_new(ajs, "msg",
json_object_set_new(ajs, "signature",
json_string((pa->s->msg) ? pa->s->msg : ""));
json_object_set_new(ajs, "class",
json_object_set_new(ajs, "category",
json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
json_object_set_new(ajs, "pri", json_integer(pa->s->prio));
json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
/* alert */
json_object_set_new(js, "alert", ajs);
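Review bot: The renamed block (`signature_id`, `signature`, `category`, `severity`) in AlertJson is repeated line for line in AlertJsonDecoderEvent in the second hunk, so the CIM key names now have to be kept in sync by hand in two places; moving those seven `json_object_set_new` calls into one static helper that takes the `ajs` object, `action` and `pa` would make the next rename a single edit. The new keys also change output that downstream parsers key on, and neither the hunks nor the description record the old-to-new mapping, so a comment above the block such as `/* key names follow the CIM field reference: id->signature_id, msg->signature, class->category, pri->severity */` would help consumers migrate. Both functions' bodies begin and end outside these hunks.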

@ -99,7 +99,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
c = SCStrndup((char *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
if (c != NULL) {
json_object_set_new(hjs, "uri", json_string(c));
json_object_set_new(hjs, "url", json_string(c));
SCFree(c);
}
}
@ -113,11 +113,11 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
c = SCStrndup((char *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
if (c != NULL) {
json_object_set_new(hjs, "user-agent", json_string(c));
json_object_set_new(hjs, "http_user_agent", json_string(c));
SCFree(c);
}
} else {
json_object_set_new(hjs, "user-agent", json_string("<useragent unknown>"));
json_object_set_new(hjs, "http_user_agent", json_string("<useragent unknown>"));
}
/* x-forwarded-for */
@ -146,7 +146,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
if (c != NULL) {
p = strchrnul(c, ';');
*p = '\0';
json_object_set_new(hjs, "content-type", json_string(c));
json_object_set_new(hjs, "http_content_type", json_string(c));
SCFree(c);
}
}
@ -161,7 +161,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
c = SCStrndup((char *)bstr_ptr(h_referer->value),
bstr_len(h_referer->value));
if (c != NULL) {
json_object_set_new(hjs, "referer", json_string(c));
json_object_set_new(hjs, "http_refer", json_string(c));
SCFree(c);
}
}
@ -171,7 +171,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
c = SCStrndup((char *)bstr_ptr(tx->request_method),
bstr_len(tx->request_method));
if (c != NULL) {
json_object_set_new(hjs, "method", json_string(c));
json_object_set_new(hjs, "http_method", json_string(c));
SCFree(c);
}
}
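Review bot: The new key in the referer hunk, `http_refer`, matches neither the header the value is taken from (`Referer`) nor, as far as I can tell, the CIM field named in the description (I believe the Web model spells it `http_referrer`); since the stated goal is CIM alignment, please check the referenced document and either use `json_object_set_new(hjs, "http_referrer", json_string(c));` or note why a distinct spelling was chosen, because once emitted a key is hard to change for consumers. The other renames in this file (`url`, `http_user_agent`, `http_content_type`, `http_method`) read consistently with each other. JsonHttpLogJSON's body begins and ends outside these hunks.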

@ -208,7 +208,7 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive)
/* sensor id */
if (sensor_id >= 0)
json_object_set_new(js, "sensor-id", json_integer(sensor_id));
json_object_set_new(js, "sensor_id", json_integer(sensor_id));
/* pcap_cnt */
if (p->pcap_cnt != 0) {
@ -240,24 +240,24 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive)
}
/* tuple */
json_object_set_new(js, "srcip", json_string(srcip));
json_object_set_new(js, "src_ip", json_string(srcip));
switch(p->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "sp", json_integer(sp));
json_object_set_new(js, "src_port", json_integer(sp));
break;
}
json_object_set_new(js, "dstip", json_string(dstip));
json_object_set_new(js, "dest_ip", json_string(dstip));
switch(p->proto) {
case IPPROTO_ICMP:
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
json_object_set_new(js, "dp", json_integer(dp));
json_object_set_new(js, "dest_port", json_integer(dp));
break;
}
json_object_set_new(js, "proto", json_string(proto));
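Review bot: `proto` on the last line is the only tuple field left with its old name while `src_ip`, `src_port`, `dest_ip` and `dest_port` above it were renamed, so a consumer mapping this record onto CIM network-traffic fields still needs a per-field translation for it; if the referenced CIM document has a field for the transport protocol (I believe it is `transport`), rename it in the same commit, otherwise a comment like `/* "proto" intentionally kept: no CIM equivalent */` would document the exception. The `sensor_id` rename in the first hunk sits under an unbraced `if (sensor_id >= 0)`; it is correct as written, but braces would keep the next edit to this block from silently changing its scope. CreateJSONHeader's body begins and ends outside these hunks.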
