From 7a9efd74e4d88e39c6671f6a0dda28ac931ffe10 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 30 Jan 2014 23:33:45 +0100
Subject: [PATCH] json: sync key name with CIM

This patch is synchronizing key name with Common Information Model. It updates key name following what is proposed in:
http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
The interest of these modifications is that using the same key name as other software will provide an easy to correlate and improve data. For example, geoip setting in logstash can be applied on all src_ip fields allowing geoip tagging of data.
---
src/output-json-alert.c | 16 ++++++++--------
src/output-json-http.c | 12 ++++++------
src/output-json.c | 10 +++++-----
3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 1ee191b1ff..71ba88066f 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -108,13 +108,13 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) json_object_set_new(ajs, "action", json_string(action)); json_object_set_new(ajs, "gid", json_integer(pa->s->gid)); - json_object_set_new(ajs, "id", json_integer(pa->s->id)); + json_object_set_new(ajs, "signature_id", json_integer(pa->s->id)); json_object_set_new(ajs, "rev", json_integer(pa->s->rev)); - json_object_set_new(ajs, "msg", + json_object_set_new(ajs, "signature", json_string((pa->s->msg) ? pa->s->msg : "")); - json_object_set_new(ajs, "class", + json_object_set_new(ajs, "category", json_string((pa->s->class_msg) ? pa->s->class_msg : "")); - json_object_set_new(ajs, "pri", json_integer(pa->s->prio)); + json_object_set_new(ajs, "severity", json_integer(pa->s->prio)); /* alert */ json_object_set_new(js, "alert", ajs);
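Review bot: The five `json_object_set_new(ajs, …)` calls renamed here are repeated verbatim in the AlertJsonDecoderEvent hunk at -180, so the same rename had to be applied twice and the two alert emitters can drift apart; a static helper that takes `ajs` and `pa->s` and sets `signature_id`, `rev`, `signature`, `category` and `severity` would keep the output schema in one place. Renaming `id`/`msg`/`class`/`pri` also silently breaks every consumer that parses the old names (SIEM field extractions, correlation rules keyed on `msg`), and nothing on the new side records where the names come from; a comment above the block such as `/* key names follow the Splunk CIM field reference (see commit message) */` plus a changelog entry would give operators a chance to update their parsers. Note that CIM consumers commonly expect `severity` to be categorical, while the value written is still the numeric rule priority, so that comment should say so. AlertJson begins before and ends after this hunk.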
@@ -180,13 +180,13 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const json_object_set_new(ajs, "action", json_string(action)); json_object_set_new(ajs, "gid", json_integer(pa->s->gid)); - json_object_set_new(ajs, "id", json_integer(pa->s->id)); + json_object_set_new(ajs, "signature_id", json_integer(pa->s->id)); json_object_set_new(ajs, "rev", json_integer(pa->s->rev)); - json_object_set_new(ajs, "msg", + json_object_set_new(ajs, "signature", json_string((pa->s->msg) ? pa->s->msg : "")); - json_object_set_new(ajs, "class", + json_object_set_new(ajs, "category", json_string((pa->s->class_msg) ? pa->s->class_msg : "")); - json_object_set_new(ajs, "pri", json_integer(pa->s->prio)); + json_object_set_new(ajs, "severity", json_integer(pa->s->prio)); /* alert */ json_object_set_new(js, "alert", ajs);
diff --git a/src/output-json-http.c b/src/output-json-http.c
index fc5028a66f..7c41ea7edf 100644
--- a/src/output-json-http.c
+++ b/src/output-json-http.c
@@ -99,7 +99,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx) c = SCStrndup((char *)bstr_ptr(tx->request_uri), bstr_len(tx->request_uri)); if (c != NULL) { - json_object_set_new(hjs, "uri", json_string(c)); + json_object_set_new(hjs, "url", json_string(c)); SCFree(c); } }
@@ -113,11 +113,11 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx) c = SCStrndup((char *)bstr_ptr(h_user_agent->value), bstr_len(h_user_agent->value)); if (c != NULL) { - json_object_set_new(hjs, "user-agent", json_string(c)); + json_object_set_new(hjs, "http_user_agent", json_string(c)); SCFree(c); } } else { - json_object_set_new(hjs, "user-agent", json_string("")); + json_object_set_new(hjs, "http_user_agent", json_string("")); } /* x-forwarded-for */
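Review bot: The value written under the new `url` key is still built from `tx->request_uri`, i.e. the request-line URI (path and query) without scheme or host, so a consumer that expects the CIM `url` field to carry a full URL will receive a partial value and may correlate it wrongly. JsonHttpLogJSON starts before this hunk, so I cannot see whether the host is emitted under its own key; either way the mismatch should be stated next to the call, e.g. `/* CIM "url": request-line URI only, no scheme or host */`. The `c != NULL` guard also means an SCStrndup failure silently drops the key rather than logging an error, which is worth a one-line comment so that the absence is not mistaken for an empty request line.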
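Review bot: After the rename the `else` branch still writes `http_user_agent` as `""` when the header is absent, so a consumer cannot distinguish a missing User-Agent from an empty one, and the two cases matter differently for detection (a missing header is itself a signal). The other header hunks in this file show only the `c != NULL` path, so I cannot tell whether they have a matching `else`; either drop the branch so the key is omitted like a failed copy is, or keep it and document the encoding with `/* absent User-Agent is logged as "" — consumers must treat "" as missing */`. JsonHttpLogJSON begins before and ends after this hunk.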
@@ -146,7 +146,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx) if (c != NULL) { p = strchrnul(c, ';'); *p = '\0'; - json_object_set_new(hjs, "content-type", json_string(c)); + json_object_set_new(hjs, "http_content_type", json_string(c)); SCFree(c); } }
@@ -161,7 +161,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx) c = SCStrndup((char *)bstr_ptr(h_referer->value), bstr_len(h_referer->value)); if (c != NULL) { - json_object_set_new(hjs, "referer", json_string(c)); + json_object_set_new(hjs, "http_refer", json_string(c)); SCFree(c); } }
@@ -171,7 +171,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx) c = SCStrndup((char *)bstr_ptr(tx->request_method), bstr_len(tx->request_method)); if (c != NULL) { - json_object_set_new(hjs, "method", json_string(c)); + json_object_set_new(hjs, "http_method", json_string(c)); SCFree(c); } }
diff --git a/src/output-json.c b/src/output-json.c
index c3ba9a97d2..55647e2694 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -208,7 +208,7 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive) /* sensor id */ if (sensor_id >= 0) - json_object_set_new(js, "sensor-id", json_integer(sensor_id)); + json_object_set_new(js, "sensor_id", json_integer(sensor_id)); /* pcap_cnt */ if (p->pcap_cnt != 0) {
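Review bot: The new key `http_refer` in the -161 hunk matches neither the header name (`Referer`) nor the CIM spelling as I recall it (`http_referrer`), and once consumers build extractions on it the name becomes impossible to change. If the linked CIM reference really spells it `http_refer`, please say so at the call site, e.g. `/* "http_refer": spelling taken from the CIM field reference, do not "fix" */`; if it does not, rename it now while the schema is still fresh. JsonHttpLogJSON begins before and ends after the hunk.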
@@ -240,24 +240,24 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive) } /* tuple */ - json_object_set_new(js, "srcip", json_string(srcip)); + json_object_set_new(js, "src_ip", json_string(srcip)); switch(p->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: - json_object_set_new(js, "sp", json_integer(sp)); + json_object_set_new(js, "src_port", json_integer(sp)); break; } - json_object_set_new(js, "dstip", json_string(dstip)); + json_object_set_new(js, "dest_ip", json_string(dstip)); switch(p->proto) { case IPPROTO_ICMP: break; case IPPROTO_UDP: case IPPROTO_TCP: case IPPROTO_SCTP: - json_object_set_new(js, "dp", json_integer(dp)); + json_object_set_new(js, "dest_port", json_integer(dp)); break; } json_object_set_new(js, "proto", json_string(proto));
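Review bot: Both `switch(p->proto)` blocks in this hunk list `case IPPROTO_ICMP: break;` and have no `default`, so every protocol outside the four named (ICMPv6, for instance) is handled by silently falling out of the switch, which reads as an oversight rather than a decision. Replacing the ICMP case with `default: /* no transport ports for this protocol */ break;` in both switches makes the intent explicit and keeps `-Wswitch-default` quiet. The port test is also evaluated twice, once for `src_port` and once for `dest_port`; computing a single has-ports flag before the `/* tuple */` block would remove the duplication while keeping the insertion order `src_ip, src_port, dest_ip, dest_port` unchanged. CreateJSONHeader begins before this hunk and continues after it.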