aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

eve/alert: log ts_progress/tc_progress

Browse Source 
This is mostly to help with debugging firewall rules, but
can be useful in other places.
pull/12979/head
Victor Julien 6 months ago committed by Victor Julien
parent 6f5fd77cb9
commit 7c8a55de54
2 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File

6
etc/schema.json
Unescape Escape View File

@ -66,6 +66,12 @@
"payload": { "payload": {
"type": "string" "type": "string"
}, },
"ts_progress": {
"type": "string"
},
"tc_progress": {
"type": "string"
},
"payload_length": { "payload_length": {
"type": "integer" "type": "integer"
}, },

23
src/output-json-alert.c
Unescape Escape View File

@ -323,6 +323,14 @@ static void AlertAddAppLayer(
if (state) { if (state) {
void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id); void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
if (tx) { if (tx) {
const int ts =
AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
const int tc =
AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
SCJbSetString(jb, "ts_progress",
AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
SCJbSetString(jb, "tc_progress",
AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
SCJbGetMark(jb, &mark); SCJbGetMark(jb, &mark);
switch (proto) { switch (proto) {
// first check some protocols need special options for alerts logging // first check some protocols need special options for alerts logging
@ -345,6 +353,20 @@ static void AlertAddAppLayer(
} }
return; return;
} }
void *state = FlowGetAppState(p->flow);
if (state) {
void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
if (tx) {
const int ts =
AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
const int tc =
AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
SCJbSetString(jb, "ts_progress",
AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
SCJbSetString(jb, "tc_progress",
AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
}
}
switch (proto) { switch (proto) {
case ALPROTO_HTTP1: case ALPROTO_HTTP1:
// TODO: Could result in an empty http object being logged. // TODO: Could result in an empty http object being logged.
@ -409,7 +431,6 @@ static void AlertAddAppLayer(
} }
break; break;
case ALPROTO_DCERPC: { case ALPROTO_DCERPC: {
void *state = FlowGetAppState(p->flow);
if (state) { if (state) {
void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id); void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
if (tx) { if (tx) {

Write Preview
Loading…
Cancel
Save