alert/eve: add snmp metadata for rdp alerts

Redmine issue: https://redmine.openinfosecfoundation.org/issues/3441
5 years ago · fd5d8b78d0
parent ef0ebc9550
commit fd5d8b78d0
1 changed files with 19 additions and 0 deletions
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -233,6 +233,22 @@ static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
    }
 }

+static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
+{
+    void *rdp_state = (void *)FlowGetAppState(f);
+    if (rdp_state != NULL) {
+        void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state,
+                tx_id);
+        if (tx != NULL) {
+            JsonBuilderMark mark = { 0, 0, 0 };
+            jb_get_mark(js, &mark);
+            if (!rs_rdp_to_json(tx, js)) {
+                jb_restore_mark(js, &mark);
+            }
+        }
+    }
+}
+
 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
                                  JsonBuilder *js, JsonAddrInfo *addr)
 {
@ -500,6 +516,9 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
        case ALPROTO_SNMP:
            AlertJsonSNMP(p->flow, tx_id, jb);
            break;
+        case ALPROTO_RDP:
+            AlertJsonRDP(p->flow, tx_id, jb);
+            break;
        default:
            break;
    }