Commit Graph

10 Commits (0857a60fcea10c4a947fefbd0059942b71dbf80d)

Author SHA1 Message Date
Victor Julien bddb2c3bdc dns json: log TXT response data
Log TXT data in the rdata field.
11 years ago
Tom DeCanio 11ca25ddca eve-log: swap ip/port pairs in dns answers 11 years ago
Victor Julien 7ee3b456a3 dns-json: fix cleanup
Use specialized cleanup function for sub-module case. Freeing the
LogFileCtx is not the responsibility of a sub-module.
11 years ago
Victor Julien 4ce1fd347e json dns: fix tx logic
The JSON DNS logger would still have some conditions in the main
Logger function. This led to some transactions not being logged.
12 years ago
Victor Julien a3b0577a1f output: add TM_FLAG_LOGAPI_TM thread module flag
The TM_FLAG_LOGAPI_TM flag indicates that a module is run by the log
api, not by the 'regular' thread module call functions.

Set flag in all Log API users' registration code.

Purpose of this flag is in profiling. In profiling output it will be
used to list log api thread modules separately.
12 years ago
Victor Julien 74fb60c010 Replace remaining SCStrndup calls
Replace them with BytesToString().
12 years ago
Eric Leblond 6fd9b4b255 json: add event_type key
This patch adds an event_type key to the generated events. Current
value is one of "dns", "alert", "file", "tls", "http", "drop". It is
then easy to differentiate in log analysis tools the events based on
source inside Suricata.
12 years ago
Eric Leblond 93a84180dc json dns: do not use array to output answer
Without this patch DNS answers for a single query are stored in a
single json event. The result is an array in the object like this one:
 {"type":"answer","id":45084,"rrname":"s-static.ak.facebook.com","rrtype":"CNAME","ttl":734},
 {"type":"answer","id":45084,"rrname":"s-static.ak.facebook.com.edgekey.net","rrtype":"CNAME","ttl":1710},
This type of output is not well supported in logstash. It is
displayed as it is written above and it is not possible to
query the fields.

I think the reason is that this is not logical if we consider search
queries. For example if we search for "rrname" equal "s-static.ak.facebook.com"
we get one entry with two values in it. That's against the logic
of event. Furthermore, if we want to get a complete query, we can
use the id.

This patch splits the answer part into multiple messages. The result
is then accepted by logstash and fields can be queried easily.
12 years ago
Eric Leblond eab0b7fae9 json-dns: sync field names with draft rfc2629
This patch updates DNS field names to be in sync with RFC 2629:
 https://github.com/adulau/pdns-qof
This will allow Suricata to be used easily with other passive DNS tools.
12 years ago
Victor Julien 6cecb4e4d2 json dns: rename output-dnslog -> output-json-dns 12 years ago