From fd5d8b78d02a9584cbea10ce4b102856611e6f63 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 4 Aug 2020 16:27:30 -0600
Subject: [PATCH] alert/eve: add snmp metadata for rdp alerts

Redmine issue: https://redmine.openinfosecfoundation.org/issues/3441
---
 src/output-json-alert.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index ca8e3ba635..a6dfe1142f 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -233,6 +233,22 @@ static void AlertJsonSNMP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
     }
 }
 
+static void AlertJsonRDP(const Flow *f, const uint64_t tx_id, JsonBuilder *js)
+{
+    void *rdp_state = (void *)FlowGetAppState(f);
+    if (rdp_state != NULL) {
+        void *tx = AppLayerParserGetTx(f->proto, ALPROTO_RDP, rdp_state,
+                tx_id);
+        if (tx != NULL) {
+            JsonBuilderMark mark = { 0, 0, 0 };
+            jb_get_mark(js, &mark);
+            if (!rs_rdp_to_json(tx, js)) {
+                jb_restore_mark(js, &mark);
+            }
+        }
+    }
+}
+
 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
         JsonBuilder *js, JsonAddrInfo *addr)
 {
@@ -500,6 +516,9 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
         case ALPROTO_SNMP:
             AlertJsonSNMP(p->flow, tx_id, jb);
             break;
+        case ALPROTO_RDP:
+            AlertJsonRDP(p->flow, tx_id, jb);
+            break;
         default:
             break;
     }
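Review bot: In AlertJsonRDP the `(void *)` cast on `FlowGetAppState(f)` is redundant if that helper already returns `void *` (it appears to, given the untyped assignment), and `JsonBuilderMark mark = { 0, 0, 0 };` hard-codes the member count of a struct shared with the Rust side; `JsonBuilderMark mark = { 0 };` zero-initialises it regardless of layout. The mark/restore pair deserves a why-comment, since it is the only thing keeping the alert object well-formed when the Rust encoder bails part-way: `/* rs_rdp_to_json may have emitted a partial object before failing; rewind so the alert stays valid JSON. */`. Note that the function trusts the app state to be RDP's, which holds only because its sole caller dispatches on ALPROTO_RDP in the second hunk; a short comment saying so would help anyone reusing it. The subject line reads "snmp metadata" where the patch adds rdp metadata.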