diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 32f956dd7b..6de529ff90 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -60,6 +60,7 @@ #include "output-json-ssh.h" #include "output-json-smtp.h" #include "output-json-email-common.h" +#include "output-json-nfs.h" #include "util-byte.h" #include "util-privs.h" @@ -73,16 +74,19 @@ #ifdef HAVE_LIBJANSSON -#define LOG_JSON_PAYLOAD 0x001 -#define LOG_JSON_PACKET 0x002 -#define LOG_JSON_PAYLOAD_BASE64 0x004 -#define LOG_JSON_HTTP 0x008 -#define LOG_JSON_TLS 0x010 -#define LOG_JSON_SSH 0x020 -#define LOG_JSON_SMTP 0x040 -#define LOG_JSON_TAGGED_PACKETS 0x080 -#define LOG_JSON_DNP3 0x100 -#define LOG_JSON_VARS 0x200 +#define LOG_JSON_PAYLOAD BIT_U16(0) +#define LOG_JSON_PACKET BIT_U16(1) +#define LOG_JSON_PAYLOAD_BASE64 BIT_U16(2) +#define LOG_JSON_HTTP BIT_U16(3) +#define LOG_JSON_TLS BIT_U16(4) +#define LOG_JSON_SSH BIT_U16(5) +#define LOG_JSON_SMTP BIT_U16(6) +#define LOG_JSON_TAGGED_PACKETS BIT_U16(7) +#define LOG_JSON_DNP3 BIT_U16(8) +#define LOG_JSON_VARS BIT_U16(9) +#define LOG_JSON_APP_LAYER BIT_U16(10) + +#define LOG_JSON_APP_LAYER_ALL (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3) #define JSON_STREAM_BUFFER_SIZE 4096 @@ -389,7 +393,19 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) } } } - +#ifdef HAVE_RUST + if ((json_output_ctx->flags & LOG_JSON_APP_LAYER) && p->flow != NULL) { + uint16_t alproto = FlowGetAppProtocol(p->flow); + if (alproto == ALPROTO_NFS) { + hjs = JsonNFSAddMetadataRPC(p->flow, pa->tx_id); + if (hjs) + json_object_set_new(js, "rpc", hjs); + hjs = JsonNFSAddMetadata(p->flow, pa->tx_id); + if (hjs) + json_object_set_new(js, "nfs", hjs); + } + } +#endif if (json_output_ctx->flags & LOG_JSON_DNP3) { if (p->flow != NULL) { uint16_t proto = FlowGetAppProtocol(p->flow); @@ -724,12 +740,16 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf) const char *tagged_packets = ConfNodeLookupChildValue(conf, "tagged-packets"); const char *dnp3 = ConfNodeLookupChildValue(conf, "dnp3"); const char *vars = ConfNodeLookupChildValue(conf, "vars"); + const char *applayer = ConfNodeLookupChildValue(conf, "applayer"); if (vars != NULL) { if (ConfValIsTrue(vars)) { json_output_ctx->flags |= LOG_JSON_VARS; } } + if (applayer != NULL && ConfValIsTrue(applayer)) { + json_output_ctx->flags |= LOG_JSON_APP_LAYER_ALL; + } if (ssh != NULL) { if (ConfValIsTrue(ssh)) { json_output_ctx->flags |= LOG_JSON_SSH; diff --git a/suricata.yaml.in b/suricata.yaml.in index 9e401aee23..990d46e20c 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -164,11 +164,7 @@ outputs: # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log # payload-printable: yes # enable dumping payload in printable (lossy) format # packet: yes # enable dumping of packet (without stream segments) - http: yes # enable dumping of http fields - tls: yes # enable dumping of tls fields - ssh: yes # enable dumping of ssh fields - smtp: yes # enable dumping of smtp fields - dnp3: yes # enable dumping of DNP3 fields + applayer: yes # add L7/applayer fields to the alert vars: yes # enable dumping of flowbits and other vars # Enable the logging of tagged packets for rules using the