output: configurable payload_length field for alerts

Ticket: 7098
pull/11353/head
Philippe Antoine 1 year ago committed by Victor Julien
parent a21232828e
commit c9ce43b31e

@ -68,6 +68,7 @@ Metadata::
#payload: yes # enable dumping payload in Base64 #payload: yes # enable dumping payload in Base64
#payload-buffer-size: 4kb # max size of payload buffer to output in eve-log #payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
#payload-printable: yes # enable dumping payload in printable (lossy) format #payload-printable: yes # enable dumping payload in printable (lossy) format
#payload-length: yes # enable dumping payload length
#packet: yes # enable dumping of packet (without stream segments) #packet: yes # enable dumping of packet (without stream segments)
#http-body: yes # Requires metadata; enable dumping of http body in Base64 #http-body: yes # Requires metadata; enable dumping of http body in Base64
#http-body-printable: yes # Requires metadata; enable dumping of http body in printable format #http-body-printable: yes # Requires metadata; enable dumping of http body in printable format

@ -37,6 +37,7 @@ outputs:
# payload: yes # enable dumping payload in Base64 # payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format # payload-printable: yes # enable dumping payload in printable (lossy) format
# payload-length: yes # enable dumping payload length
# packet: yes # enable dumping of packet (without stream segments) # packet: yes # enable dumping of packet (without stream segments)
# http-body: yes # Requires metadata; enable dumping of http body in Base64 # http-body: yes # Requires metadata; enable dumping of http body in Base64
# http-body-printable: yes # Requires metadata; enable dumping of http body in printable format # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format

@ -66,6 +66,9 @@
"payload": { "payload": {
"type": "string" "type": "string"
}, },
"payload_length": {
"type": "integer"
},
"payload_printable": { "payload_printable": {
"type": "string" "type": "string"
}, },

@ -87,6 +87,7 @@
#define LOG_JSON_VERDICT BIT_U16(10) #define LOG_JSON_VERDICT BIT_U16(10)
#define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11) #define LOG_JSON_WEBSOCKET_PAYLOAD BIT_U16(11)
#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12) #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
#define LOG_JSON_PAYLOAD_LENGTH BIT_U16(13)
#define METADATA_DEFAULTS ( LOG_JSON_FLOW | \ #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
LOG_JSON_APP_LAYER | \ LOG_JSON_APP_LAYER | \
@ -273,6 +274,9 @@ static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
jb_set_base64(js, "payload", p->payload, p->payload_len); jb_set_base64(js, "payload", p->payload, p->payload_len);
} }
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
jb_set_uint(js, "payload_length", p->payload_len);
}
if (json_output_ctx->flags & LOG_JSON_PAYLOAD) { if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
uint8_t printable_buf[p->payload_len + 1]; uint8_t printable_buf[p->payload_len + 1];
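Review bot: The value written by `jb_set_uint(js, "payload_length", p->payload_len)` is the packet's own payload length, while the stream path in AlertJsonStreamData emits the number of bytes sitting in the stream buffer under the same key, so a consumer of `payload_length` cannot tell which of the two it received. A one-line comment above the new block would at least make the distinction visible to the next reader: `/* packet path: full packet payload length; the stream path logs the buffered stream length instead */`. AlertAddPayload begins before this hunk and its body continues past it.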
@ -569,6 +573,9 @@ static bool AlertJsonStreamData(const AlertJsonOutputCtx *json_output_ctx, JsonA
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset); jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
} }
if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
jb_set_uint(jb, "payload_length", cbd.payload->offset);
}
if (json_output_ctx->flags & LOG_JSON_PAYLOAD) { if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
uint8_t printable_buf[cbd.payload->offset + 1]; uint8_t printable_buf[cbd.payload->offset + 1];
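Review bot: `payload_length` is taken from `cbd.payload->offset`, which looks like the fill level of the output buffer rather than the length of the reassembled stream data; if that buffer is bounded by `payload-buffer-size` (documented in the config hunks as the max size of the payload buffer to output), the logged length is silently capped at that limit and understates larger segments. Either count the total bytes handed to the stream callback separately and log that, or state the cap next to the option so consumers don't treat the field as the true segment size. AlertJsonStreamData starts before this hunk and continues after it, so how cbd.payload is sized cannot be confirmed from here.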
@ -687,7 +694,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
} }
/* payload */ /* payload */
if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) { if (json_output_ctx->flags &
(LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64 | LOG_JSON_PAYLOAD_LENGTH)) {
int stream = (p->proto == IPPROTO_TCP) ? int stream = (p->proto == IPPROTO_TCP) ?
(pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ?
1 : 0) : 0; 1 : 0) : 0;
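Review bot: With `LOG_JSON_PAYLOAD_LENGTH` added to the condition, enabling only `payload-length` now takes the TCP state/stream-match branch, which presumably runs the stream-data callback and copies the payload into the buffer just to report a byte count. If that is the case, a cheaper path that only counts when neither `LOG_JSON_PAYLOAD` nor `LOG_JSON_PAYLOAD_BASE64` is set would avoid the copy, or the cost should be noted in the option's documentation. The body of AlertJson continues beyond this hunk.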
@ -914,6 +922,7 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags); SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags);
SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags); SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags);
SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags); SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
SetFlag(conf, "payload-length", LOG_JSON_PAYLOAD_LENGTH, &flags);
/* Check for obsolete flags and warn that they have no effect. */ /* Check for obsolete flags and warn that they have no effect. */
static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer", static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",
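Review bot: The new `SetFlag(conf, "payload-length", LOG_JSON_PAYLOAD_LENGTH, &flags);` is appended after `verdict` rather than next to the other payload options this function presumably registers above the hunk (`payload`, `payload-printable`); grouping it with them keeps the config-key-to-flag table readable. It would also help to record here that the option is gated separately at the emit sites and therefore works without `payload` or `payload-printable`, e.g. `/* payload-length is independent of payload/payload-printable */`. JsonAlertLogSetupMetadata starts before this hunk.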

@ -164,6 +164,7 @@ outputs:
# payload: yes # enable dumping payload in Base64 # payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format # payload-printable: yes # enable dumping payload in printable (lossy) format
# payload-length: yes # enable dumping payload length
# packet: yes # enable dumping of packet (without stream segments) # packet: yes # enable dumping of packet (without stream segments)
# metadata: no # enable inclusion of app layer metadata with alert. Default yes # metadata: no # enable inclusion of app layer metadata with alert. Default yes
# http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
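Review bot: The comment on the new `# payload-length: yes` line does not say that the option stands on its own: the emit sites gate `payload_length` only on its own flag, so it can be enabled without `payload` or `payload-printable`, which is exactly the use case of logging a length without the bytes. Suggest `# payload-length: yes # log payload byte count as payload_length (works without payload/payload-printable)`. The same wording appears in the other two config hunks and should be kept in sync.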
