diff --git a/src/detect-engine-profile.c b/src/detect-engine-profile.c index fb2603234a..e89a5804fa 100644 --- a/src/detect-engine-profile.c +++ b/src/detect-engine-profile.c @@ -59,7 +59,7 @@ SCMutex g_rule_dump_write_m = SCMUTEX_INITIALIZER; void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p) { - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "inspectedrules"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "inspectedrules", NULL); if (js == NULL) return; json_t *ir = json_object(); diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 55b61626dc..497d09b230 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -411,7 +411,39 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) continue; } - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "alert"); + /* First initialize the address info (5-tuple). */ + JsonAddrInfo addr; + JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr); + + /* Check for XFF, overwriting address info if needed. */ + HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ? + json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;; + int have_xff_ip = 0; + char xff_buffer[XFF_MAXLEN]; + if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) { + if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) { + if (pa->flags & PACKET_ALERT_FLAG_TX) { + have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg, + xff_buffer, XFF_MAXLEN); + } else { + have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, xff_buffer, + XFF_MAXLEN); + } + } + + if (have_xff_ip && xff_cfg->flags & XFF_OVERWRITE) { + if (p->flowflags & FLOW_PKT_TOCLIENT) { + strlcpy(addr.dst_ip, xff_buffer, JSON_ADDR_LEN); + } else { + strlcpy(addr.src_ip, xff_buffer, JSON_ADDR_LEN); + } + /* Clear have_xff_ip so the xff field does not get + * logged below. */ + have_xff_ip = false; + } + } + + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "alert", &addr); if (unlikely(js == NULL)) return TM_ECODE_OK; @@ -565,34 +597,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) JsonPacket(p, js, 0); } - HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ? - json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;; - - /* xff header */ - if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) { - int have_xff_ip = 0; - char buffer[XFF_MAXLEN]; - - if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) { - if (pa->flags & PACKET_ALERT_FLAG_TX) { - have_xff_ip = HttpXFFGetIPFromTx(p->flow, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN); - } else { - have_xff_ip = HttpXFFGetIP(p->flow, xff_cfg, buffer, XFF_MAXLEN); - } - } - - if (have_xff_ip) { - if (xff_cfg->flags & XFF_EXTRADATA) { - json_object_set_new(js, "xff", json_string(buffer)); - } - else if (xff_cfg->flags & XFF_OVERWRITE) { - if (p->flowflags & FLOW_PKT_TOCLIENT) { - json_object_set(js, "dest_ip", json_string(buffer)); - } else { - json_object_set(js, "src_ip", json_string(buffer)); - } - } - } + if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) { + json_object_set_new(js, "xff", json_string(xff_buffer)); } OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer); @@ -602,7 +608,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) if ((p->flags & PKT_HAS_TAG) && (json_output_ctx->flags & LOG_JSON_TAGGED_PACKETS)) { MemBufferReset(aft->json_buffer); - json_t *packetjs = CreateJSONHeader(p, LOG_DIR_PACKET, "packet"); + json_t *packetjs = CreateJSONHeader(p, LOG_DIR_PACKET, "packet", NULL); if (unlikely(packetjs != NULL)) { JsonPacket(p, packetjs, 0); OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer); diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c index 6351fed9a6..1c8b66c2f7 100644 --- a/src/output-json-anomaly.c +++ b/src/output-json-anomaly.c @@ -105,7 +105,7 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft, MemBufferReset(aft->json_buffer); - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, ANOMALY_EVENT_TYPE); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, ANOMALY_EVENT_TYPE, NULL); if (unlikely(js == NULL)) { return TM_ECODE_OK; } @@ -167,7 +167,7 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft, js = CreateJSONHeaderWithTxId(p, LOG_DIR_PACKET, ANOMALY_EVENT_TYPE, tx_id); } else { - js = CreateJSONHeader(p, LOG_DIR_PACKET, ANOMALY_EVENT_TYPE); + js = CreateJSONHeader(p, LOG_DIR_PACKET, ANOMALY_EVENT_TYPE, NULL); } if (unlikely(js == NULL)) { return TM_ECODE_OK; diff --git a/src/output-json-dhcp.c b/src/output-json-dhcp.c index 8174cc4f0c..98b8b69ebf 100644 --- a/src/output-json-dhcp.c +++ b/src/output-json-dhcp.c @@ -64,7 +64,7 @@ static int JsonDHCPLogger(ThreadVars *tv, void *thread_data, LogDHCPLogThread *thread = thread_data; LogDHCPFileCtx *ctx = thread->dhcplog_ctx; - json_t *js = CreateJSONHeader((Packet *)p, 0, "dhcp"); + json_t *js = CreateJSONHeader((Packet *)p, 0, "dhcp", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-dnp3.c b/src/output-json-dnp3.c index dfa6ba054b..b48ec30211 100644 --- a/src/output-json-dnp3.c +++ b/src/output-json-dnp3.c @@ -309,7 +309,7 @@ static int JsonDNP3LoggerToServer(ThreadVars *tv, void *thread_data, MemBufferReset(buffer); if (tx->has_request && tx->request_done) { - json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "dnp3"); + json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "dnp3", NULL); if (unlikely(js == NULL)) { return TM_ECODE_OK; } @@ -338,7 +338,7 @@ static int JsonDNP3LoggerToClient(ThreadVars *tv, void *thread_data, MemBufferReset(buffer); if (tx->has_response && tx->response_done) { - json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "dnp3"); + json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "dnp3", NULL); if (unlikely(js == NULL)) { return TM_ECODE_OK; } diff --git a/src/output-json-dns.c b/src/output-json-dns.c index 46eb5a3cf5..62c4a915de 100644 --- a/src/output-json-dns.c +++ b/src/output-json-dns.c @@ -307,7 +307,7 @@ static int JsonDnsLoggerToServer(ThreadVars *tv, void *thread_data, } for (uint16_t i = 0; i < 0xffff; i++) { - js = CreateJSONHeader(p, LOG_DIR_FLOW, "dns"); + js = CreateJSONHeader(p, LOG_DIR_FLOW, "dns", NULL); if (unlikely(js == NULL)) { return TM_ECODE_OK; } @@ -339,7 +339,7 @@ static int JsonDnsLoggerToClient(ThreadVars *tv, void *thread_data, return TM_ECODE_OK; } - json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "dns"); + json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "dns", NULL); if (unlikely(js == NULL)) return TM_ECODE_OK; diff --git a/src/output-json-drop.c b/src/output-json-drop.c index 51e8ad41a4..f9ef9d260c 100644 --- a/src/output-json-drop.c +++ b/src/output-json-drop.c @@ -87,7 +87,7 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p) { JsonDropOutputCtx *drop_ctx = aft->drop_ctx; - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop", NULL); if (unlikely(js == NULL)) return TM_ECODE_OK; diff --git a/src/output-json-file.c b/src/output-json-file.c index 17134a477a..d29d78e96a 100644 --- a/src/output-json-file.c +++ b/src/output-json-file.c @@ -98,7 +98,7 @@ json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff, break; } - json_t *js = CreateJSONHeader(p, fdir, "fileinfo"); + json_t *js = CreateJSONHeader(p, fdir, "fileinfo", NULL); if (unlikely(js == NULL)) return NULL; diff --git a/src/output-json-ikev2.c b/src/output-json-ikev2.c index 54ac2d63b1..b2ab36125c 100644 --- a/src/output-json-ikev2.c +++ b/src/output-json-ikev2.c @@ -66,7 +66,7 @@ static int JsonIKEv2Logger(ThreadVars *tv, void *thread_data, LogIKEv2LogThread *thread = thread_data; json_t *js, *ikev2js; - js = CreateJSONHeader((Packet *)p, LOG_DIR_PACKET, "ikev2"); + js = CreateJSONHeader((Packet *)p, LOG_DIR_PACKET, "ikev2", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-krb5.c b/src/output-json-krb5.c index fb16855a24..fe79478c53 100644 --- a/src/output-json-krb5.c +++ b/src/output-json-krb5.c @@ -66,7 +66,7 @@ static int JsonKRB5Logger(ThreadVars *tv, void *thread_data, LogKRB5LogThread *thread = thread_data; json_t *js, *krb5js; - js = CreateJSONHeader(p, LOG_DIR_PACKET, "krb5"); + js = CreateJSONHeader(p, LOG_DIR_PACKET, "krb5", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-metadata.c b/src/output-json-metadata.c index 27d2223323..344cd7d2a6 100644 --- a/src/output-json-metadata.c +++ b/src/output-json-metadata.c @@ -81,7 +81,7 @@ typedef struct JsonMetadataLogThread_ { static int MetadataJson(ThreadVars *tv, JsonMetadataLogThread *aft, const Packet *p) { - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "metadata"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "metadata", NULL); if (unlikely(js == NULL)) return TM_ECODE_OK; diff --git a/src/output-json-nfs.c b/src/output-json-nfs.c index b3830981a3..c7d60ec1d6 100644 --- a/src/output-json-nfs.c +++ b/src/output-json-nfs.c @@ -83,7 +83,7 @@ static int JsonNFSLogger(ThreadVars *tv, void *thread_data, if (rs_nfs_tx_logging_is_filtered(state, nfstx)) return TM_ECODE_OK; - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "nfs"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "nfs", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-rdp.c b/src/output-json-rdp.c index d1daa17b6e..bb80464378 100644 --- a/src/output-json-rdp.c +++ b/src/output-json-rdp.c @@ -59,7 +59,7 @@ static int JsonRdpLogger(ThreadVars *tv, void *thread_data, { LogRdpLogThread *thread = thread_data; - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "rdp"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "rdp", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-rfb.c b/src/output-json-rfb.c index 1067b0a653..b38aecdc2b 100644 --- a/src/output-json-rfb.c +++ b/src/output-json-rfb.c @@ -75,7 +75,7 @@ static int JsonRFBLogger(ThreadVars *tv, void *thread_data, { LogRFBLogThread *thread = thread_data; - json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "rfb"); + json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "rfb", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-sip.c b/src/output-json-sip.c index ca8491bc2f..bc8e066de0 100644 --- a/src/output-json-sip.c +++ b/src/output-json-sip.c @@ -79,7 +79,7 @@ static int JsonSIPLogger(ThreadVars *tv, void *thread_data, LogSIPLogThread *thread = thread_data; json_t *js, *sipjs; - js = CreateJSONHeader(p, LOG_DIR_PACKET, "sip"); + js = CreateJSONHeader(p, LOG_DIR_PACKET, "sip", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-smb.c b/src/output-json-smb.c index 61db3fd3b2..783c8d584e 100644 --- a/src/output-json-smb.c +++ b/src/output-json-smb.c @@ -66,7 +66,7 @@ static int JsonSMBLogger(ThreadVars *tv, void *thread_data, OutputJsonThreadCtx *thread = thread_data; json_t *js, *smbjs; - js = CreateJSONHeader(p, LOG_DIR_FLOW, "smb"); + js = CreateJSONHeader(p, LOG_DIR_FLOW, "smb", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-snmp.c b/src/output-json-snmp.c index a7e7630481..86dc2d8325 100644 --- a/src/output-json-snmp.c +++ b/src/output-json-snmp.c @@ -66,7 +66,7 @@ static int JsonSNMPLogger(ThreadVars *tv, void *thread_data, LogSNMPLogThread *thread = thread_data; json_t *js, *snmpjs; - js = CreateJSONHeader(p, LOG_DIR_PACKET, "snmp"); + js = CreateJSONHeader(p, LOG_DIR_PACKET, "snmp", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-ssh.c b/src/output-json-ssh.c index 9906e88cc9..fb66d059f8 100644 --- a/src/output-json-ssh.c +++ b/src/output-json-ssh.c @@ -75,7 +75,7 @@ static int JsonSshLogger(ThreadVars *tv, void *thread_data, const Packet *p, return 0; } - json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "ssh"); + json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "ssh", NULL); if (unlikely(js == NULL)) return 0; diff --git a/src/output-json-template-rust.c b/src/output-json-template-rust.c index 73c0bfde81..87aa213d58 100644 --- a/src/output-json-template-rust.c +++ b/src/output-json-template-rust.c @@ -71,7 +71,7 @@ static int JsonTemplateLogger(ThreadVars *tv, void *thread_data, SCLogNotice("JsonTemplateLogger"); LogTemplateLogThread *thread = thread_data; - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "template-rust"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "template-rust", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-template.c b/src/output-json-template.c index c91563307a..998f21b0a2 100644 --- a/src/output-json-template.c +++ b/src/output-json-template.c @@ -72,7 +72,7 @@ static int JsonTemplateLogger(ThreadVars *tv, void *thread_data, SCLogNotice("Logging template transaction %"PRIu64".", templatetx->tx_id); - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "template"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "template", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-tftp.c b/src/output-json-tftp.c index a1dd2a5681..182962b866 100644 --- a/src/output-json-tftp.c +++ b/src/output-json-tftp.c @@ -66,7 +66,7 @@ static int JsonTFTPLogger(ThreadVars *tv, void *thread_data, { LogTFTPLogThread *thread = thread_data; - json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "tftp"); + json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "tftp", NULL); if (unlikely(js == NULL)) { return TM_ECODE_FAILED; } diff --git a/src/output-json-tls.c b/src/output-json-tls.c index 2bd08c8c08..cae854c2f9 100644 --- a/src/output-json-tls.c +++ b/src/output-json-tls.c @@ -411,7 +411,7 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, return 0; } - json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "tls"); + json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "tls", NULL); if (unlikely(js == NULL)) { return 0; } diff --git a/src/output-json.c b/src/output-json.c index 710c0015f6..d30966670d 100644 --- a/src/output-json.c +++ b/src/output-json.c @@ -445,6 +445,132 @@ void JsonTcpFlags(uint8_t flags, json_t *js) json_object_set_new(js, "cwr", json_true()); } +void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr) +{ + char srcip[46] = {0}, dstip[46] = {0}; + Port sp, dp; + char proto[16]; + + switch (dir) { + case LOG_DIR_PACKET: + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + dstip, sizeof(dstip)); + } else { + /* Not an IP packet so don't do anything */ + return; + } + sp = p->sp; + dp = p->dp; + break; + case LOG_DIR_FLOW: + case LOG_DIR_FLOW_TOSERVER: + if ((PKT_IS_TOSERVER(p))) { + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + dstip, sizeof(dstip)); + } + sp = p->sp; + dp = p->dp; + } else { + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + dstip, sizeof(dstip)); + } + sp = p->dp; + dp = p->sp; + } + break; + case LOG_DIR_FLOW_TOCLIENT: + if ((PKT_IS_TOCLIENT(p))) { + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + dstip, sizeof(dstip)); + } + sp = p->sp; + dp = p->dp; + } else { + if (PKT_IS_IPV4(p)) { + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + dstip, sizeof(dstip)); + } else if (PKT_IS_IPV6(p)) { + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + dstip, sizeof(dstip)); + } + sp = p->dp; + dp = p->sp; + } + break; + default: + DEBUG_VALIDATE_BUG_ON(1); + return; + } + + if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) { + strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto)); + } else { + snprintf(proto, sizeof(proto), "%03" PRIu32, IP_GET_IPPROTO(p)); + } + + strlcpy(addr->src_ip, srcip, JSON_ADDR_LEN); + + switch(p->proto) { + case IPPROTO_ICMP: + break; + case IPPROTO_UDP: + case IPPROTO_TCP: + case IPPROTO_SCTP: + addr->sp = sp; + break; + } + + strlcpy(addr->dst_ip, dstip, JSON_ADDR_LEN); + + switch(p->proto) { + case IPPROTO_ICMP: + break; + case IPPROTO_UDP: + case IPPROTO_TCP: + case IPPROTO_SCTP: + addr->dp = dp; + break; + } + + strlcpy(addr->proto, proto, JSON_PROTO_LEN); +} + /** * \brief Add five tuple from packet to JSON object * @@ -708,7 +834,7 @@ void CreateJSONFlowId(json_t *js, const Flow *f) } json_t *CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, - const char *event_type) + const char *event_type, JsonAddrInfo *addr) { char timebuf[64]; const Flow *f = (const Flow *)p->flow; @@ -755,7 +881,16 @@ json_t *CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, } /* 5-tuple */ - JsonFiveTuple(p, dir, js); + JsonAddrInfo addr_info = {0}; + if (addr == NULL) { + JsonAddrInfoInit(p, dir, &addr_info); + addr = &addr_info; + } + json_object_set_new(js, "src_ip", json_string(addr->src_ip)); + json_object_set_new(js, "src_port", json_integer(addr->sp)); + json_object_set_new(js, "dest_ip", json_string(addr->dst_ip)); + json_object_set_new(js, "dest_port", json_integer(addr->dp)); + json_object_set_new(js, "proto", json_string(addr->proto)); /* icmp */ switch (p->proto) { @@ -783,7 +918,7 @@ json_t *CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, json_t *CreateJSONHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, uint64_t tx_id) { - json_t *js = CreateJSONHeader(p, dir, event_type); + json_t *js = CreateJSONHeader(p, dir, event_type, NULL); if (unlikely(js == NULL)) return NULL; diff --git a/src/output-json.h b/src/output-json.h index 34bde321d8..9b694e39e4 100644 --- a/src/output-json.h +++ b/src/output-json.h @@ -40,6 +40,21 @@ enum OutputJsonLogDirection { LOG_DIR_FLOW_TOSERVER, }; +#define JSON_ADDR_LEN 46 +#define JSON_PROTO_LEN 16 + +/* A struct to contain address info for rendering to JSON. */ +typedef struct JsonAddrInfo_ { + char src_ip[JSON_ADDR_LEN]; + char dst_ip[JSON_ADDR_LEN]; + Port sp; + Port dp; + char proto[JSON_PROTO_LEN]; +} JsonAddrInfo; + +void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir, + JsonAddrInfo *addr); + /* Suggested output buffer size */ #define JSON_OUTPUT_BUFFER_SIZE 65535 @@ -56,7 +71,8 @@ void JsonTcpFlags(uint8_t flags, json_t *js); void JsonPacket(const Packet *p, json_t *js, unsigned long max_length); void JsonFiveTuple(const Packet *, enum OutputJsonLogDirection, json_t *); json_t *CreateJSONHeader(const Packet *p, - enum OutputJsonLogDirection dir, const char *event_type); + enum OutputJsonLogDirection dir, const char *event_type, + JsonAddrInfo *addr); json_t *CreateJSONHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, uint64_t tx_id); int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);