eve/http: add tx->request_port_number as http_port

Add the port specified in the hostname (if any) to the http object in eve. The port may be different from the dest_port used by the TCP flow.
7 years ago · bce7c2dd87
parent 2938f797f2
commit bce7c2dd87
2 changed files with 27 additions and 0 deletions
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@ -180,6 +180,21 @@ Event with non-extended logging:
      "http_content_type": "application\/x-gzip"
  }

+In case the hostname shows a port number, such as in case there is a header "Host: www.test.org:1337":
+
+::
+
+
+  "http": {
+      "http_port": 1337,
+      "hostname": "www.test.org",
+      "url" :"\/this\/is\/test.tar.gz",
+      "http_user_agent": "<User-Agent>",
+      "http_content_type": "application\/x-gzip"
+  }
+
+
+
 Event with extended logging:

 ::
--- a/src/output-json-http.c
+++ b/src/output-json-http.c
@ -202,6 +202,18 @@ static void JsonHttpLogJSONBasic(json_t *js, htp_tx_t *tx)
        }
    }

+    /* port */
+    /* NOTE: this field will be set ONLY if the port is present in the
+     * hostname. It may be present in the header "Host" or in the URL.
+     * There is no connection (from the suricata point of view) between this
+     * port and the TCP destination port of the flow.
+     */
+    if (tx->request_port_number >= 0)
+    {
+        json_object_set_new(js, "http_port",
+                json_integer(tx->request_port_number));
+    }
+
    /* uri */
    if (tx->request_uri != NULL)
    {