http: move xff logging to alert object #7148

1 change: 1 addition & 0 deletions doc/userguide/upgrade.rst
@@ -46,6 +46,7 @@ Logging changes
- IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to
``ike.ikev2.errors`` and ``ike.ikev2.notify``.
- FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root.
- Alert ``xff`` field is now logged as ``alert.xff`` for alerts instead of at the root.

Other changes
~~~~~~~~~~~~~
21 changes: 12 additions & 9 deletions src/output-json-alert.c
@@ -338,8 +338,8 @@ static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
}
}

void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa,
JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js,
uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
{
AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
const char *action = "allowed";
@@ -390,6 +390,9 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa,
if (flags & LOG_JSON_RULE) {
jb_set_string(js, "rule", pa->s->sig_str);
}
if (xff_buffer && xff_buffer[0]) {
jb_set_string(js, "xff", xff_buffer);
}

jb_close(js);
}
@@ -650,6 +653,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
int have_xff_ip = 0;
char xff_buffer[XFF_MAXLEN];
xff_buffer[0] = 0;
if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP1) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
@@ -671,6 +675,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
* logged below. */
have_xff_ip = false;
}
if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
// reset xff_buffer so as not to log it
xff_buffer[0] = 0;
}
}

JsonBuilder *jb =
@@ -680,8 +688,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)


/* alert */
AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags,
&addr);
AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);

if (IS_TUNNEL_PKT(p)) {
AlertJsonTunnel(p, jb);
@@ -759,10 +766,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
EvePacket(p, jb, 0);
}

if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) {
jb_set_string(jb, "xff", xff_buffer);
}

OutputJsonBuilderBuffer(jb, aft->ctx);
jb_free(jb);
}
@@ -805,7 +808,7 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
/* just the timestamp, no tuple */
jb_set_string(jb, "timestamp", timebuf);

AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL);
AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL, NULL);

OutputJsonBuilderBuffer(jb, aft->ctx);
jb_free(jb);
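Review bot: The buffer reset added just before the closing brace of the xff block (`if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA))`) only fires while have_xff_ip is still true, yet the path that ends with `have_xff_ip = false;` under the comment fragment "logged below" clears that flag precisely so the address is not logged — if that branch has already written the address into xff_buffer (the hunk does not show it, so this is inferred), the buffer stays populated and the new `if (xff_buffer && xff_buffer[0])` in AlertJsonHeader emits `alert.xff` anyway. The removed lines further down show the old emission condition was `have_xff_ip && xff_cfg->flags & XFF_EXTRADATA`, and since the buffer is now the only signal AlertJsonHeader sees, that condition is no longer honoured on that path. Clearing the buffer whenever the old condition does not hold preserves the previous semantics: `if (!(have_xff_ip && (xff_cfg->flags & XFF_EXTRADATA))) { xff_buffer[0] = 0; }`. The enclosing AlertJson function starts and ends outside the hunk, as does the branch that clears have_xff_ip.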
2 changes: 1 addition & 1 deletion src/output-json-alert.h
@@ -29,7 +29,7 @@

void JsonAlertLogRegister(void);
void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js,
uint16_t flags, JsonAddrInfo *addr);
uint16_t flags, JsonAddrInfo *addr, char *xff_buffer);

#endif /* __OUTPUT_JSON_ALERT_H__ */
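Review bot: The new xff_buffer parameter is declared as `char *`, but in the parts of AlertJsonHeader visible in this change it is only read (`xff_buffer[0]` and the `jb_set_string(js, "xff", xff_buffer)` call), so `const char *` would state that the function does not write through it and would let callers pass const data; if the parts of the function not shown here also only read it, the prototype could become `uint16_t flags, JsonAddrInfo *addr, const char *xff_buffer);` with the definition in src/output-json-alert.c changed to match.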

4 changes: 2 additions & 2 deletions src/output-json-drop.c
@@ -155,15 +155,15 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
if ((pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) ||
((pa->action & ACTION_DROP) && EngineModeIsIPS()))
{
AlertJsonHeader(NULL, p, pa, js, 0, &addr);
AlertJsonHeader(NULL, p, pa, js, 0, &addr, NULL);
logged = 1;
break;
}
}
if (logged == 0) {
if (p->alerts.drop.action != 0) {
const PacketAlert *pa = &p->alerts.drop;
AlertJsonHeader(NULL, p, pa, js, 0, &addr);
AlertJsonHeader(NULL, p, pa, js, 0, &addr, NULL);
}
}
}