aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

output-json-alert: add dns info

Browse Source 
This changes LogQuery and LogAnswer functions
returning a json object instead of writing it in a log file.
In this way it's possible to reuse them to add dns info
into an alert.

The following is an alert record with dns:

{
  "timestamp": "2017-07-31T15:01:17.885281+0200",
  "event_type": "alert",
  "src_ip": "8.8.8.8",
  ...
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 25394,
        "rrname": "notifications.google.com",
        "rrtype": "A",
        "tx_id": 0
      }
    ],
    "answer": {
      "type": "answer",
      "id": 25394,
      "rcode": "NOERROR",
      "answers": [
        {
          "rrname": "notifications.google.com",
          "rrtype": "CNAME",
          "ttl": 3599,
          "rdata": "plus.l.google.com"
        },
        {
          "rrname": "plus.l.google.com",
          "rrtype": "A",
          "ttl": 299,
          "rdata": "216.58.205.174"
        }
      ]
    }
  }
}
pull/3288/head
Giuseppe Longo 8 years ago committed by Victor Julien
parent 6231ffc110
commit 92db7be502
1 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File

35
src/output-json-alert.c
Unescape Escape View File

@ -46,6 +46,7 @@
#include "detect-metadata.h" #include "detect-metadata.h"
#include "app-layer-parser.h" #include "app-layer-parser.h"
#include "app-layer-dnp3.h" #include "app-layer-dnp3.h"
#include "app-layer-dns-common.h"
#include "app-layer-htp.h" #include "app-layer-htp.h"
#include "app-layer-htp-xff.h" #include "app-layer-htp-xff.h"
#include "app-layer-ftp.h" #include "app-layer-ftp.h"
@ -57,6 +58,7 @@
#include "output-json.h" #include "output-json.h"
#include "output-json-alert.h" #include "output-json-alert.h"
#include "output-json-dnp3.h" #include "output-json-dnp3.h"
#include "output-json-dns.h"
#include "output-json-http.h" #include "output-json-http.h"
#include "output-json-tls.h" #include "output-json-tls.h"
#include "output-json-ssh.h" #include "output-json-ssh.h"
@ -185,6 +187,35 @@ static void AlertJsonDnp3(const Flow *f, json_t *js)
return; return;
} }
static void AlertJsonDns(const Flow *f, json_t *js)
{
#ifndef HAVE_RUST
DNSState *dns_state = (DNSState *)FlowGetAppState(f);
if (dns_state) {
uint64_t tx_id = AppLayerParserGetTransactionLogId(f->alparser);
DNSTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
dns_state, tx_id);
if (tx) {
json_t *dnsjs = json_object();
if (unlikely(dnsjs == NULL)) {
return;
}
json_t *qjs = JsonDNSLogQuery(tx, tx_id);
if (qjs != NULL) {
json_object_set_new(dnsjs, "query", qjs);
}
json_t *ajs = JsonDNSLogAnswer(tx, tx_id);
if (ajs != NULL) {
json_object_set_new(dnsjs, "answer", ajs);
}
json_object_set_new(js, "dns", dnsjs);
}
}
#endif
return;
}
static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa, static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
json_t *js, json_t* ajs) json_t *js, json_t* ajs)
{ {
@ -478,6 +509,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
AlertJsonDnp3(p->flow, js); AlertJsonDnp3(p->flow, js);
} }
if (proto == ALPROTO_DNS) {
AlertJsonDns(p->flow, js);
}
} }
if (p->flow) { if (p->flow) {
@ -493,7 +527,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
} }
} }
/* payload */ /* payload */
if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) { if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
int stream = (p->proto == IPPROTO_TCP) ? int stream = (p->proto == IPPROTO_TCP) ?

Write Preview
Loading…
Cancel
Save