output: configurable payload_length field for alerts

Ticket: 7098
1 year ago · c9ce43b31e
parent a21232828e
commit c9ce43b31e
5 changed files with 16 additions and 1 deletions
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@ -68,6 +68,7 @@ Metadata::
            #payload: yes             # enable dumping payload in Base64
            #payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            #payload-printable: yes   # enable dumping payload in printable (lossy) format
+            #payload-length: yes      # enable dumping payload length
            #packet: yes              # enable dumping of packet (without stream segments)
            #http-body: yes           # Requires metadata; enable dumping of http body in Base64
            #http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
--- a/doc/userguide/partials/eve-log.yaml
+++ b/doc/userguide/partials/eve-log.yaml
@ -37,6 +37,7 @@ outputs:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
+            # payload-length: yes      # enable dumping payload length
            # packet: yes              # enable dumping of packet (without stream segments)
            # http-body: yes           # Requires metadata; enable dumping of http body in Base64
            # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
--- a/etc/schema.json
+++ b/etc/schema.json
@ -66,6 +66,9 @@
        "payload": {
            "type": "string"
        },
+        "payload_length": {
+            "type": "integer"
+        },
        "payload_printable": {
            "type": "string"
        },
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -87,6 +87,7 @@
 #define LOG_JSON_VERDICT           BIT_U16(10)
 #define LOG_JSON_WEBSOCKET_PAYLOAD        BIT_U16(11)
 #define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
+#define LOG_JSON_PAYLOAD_LENGTH           BIT_U16(13)

 #define METADATA_DEFAULTS ( LOG_JSON_FLOW |                        \
            LOG_JSON_APP_LAYER  |                                  \
@ -273,6 +274,9 @@ static void AlertAddPayload(AlertJsonOutputCtx *json_output_ctx, JsonBuilder *js
    if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
        jb_set_base64(js, "payload", p->payload, p->payload_len);
    }
+    if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
+        jb_set_uint(js, "payload_length", p->payload_len);
+    }

    if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
        uint8_t printable_buf[p->payload_len + 1];
@ -569,6 +573,9 @@ static bool AlertJsonStreamData(const AlertJsonOutputCtx *json_output_ctx, JsonA
        if (json_output_ctx->flags & LOG_JSON_PAYLOAD_BASE64) {
            jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
        }
+        if (json_output_ctx->flags & LOG_JSON_PAYLOAD_LENGTH) {
+            jb_set_uint(jb, "payload_length", cbd.payload->offset);
+        }

        if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
            uint8_t printable_buf[cbd.payload->offset + 1];
@ -687,7 +694,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
        }

        /* payload */
-        if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
+        if (json_output_ctx->flags &
+                (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64 | LOG_JSON_PAYLOAD_LENGTH)) {
            int stream = (p->proto == IPPROTO_TCP) ?
                         (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ?
                         1 : 0) : 0;
@ -914,6 +922,7 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
        SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags);
        SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags);
        SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
+        SetFlag(conf, "payload-length", LOG_JSON_PAYLOAD_LENGTH, &flags);

        /* Check for obsolete flags and warn that they have no effect. */
        static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -164,6 +164,7 @@ outputs:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
+            # payload-length: yes      # enable dumping payload length
            # packet: yes              # enable dumping of packet (without stream segments)
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
            # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64