git.ipfire.org Git - thirdparty/suricata.git/commit

author	Eric Leblond <el@stamus-networks.com>
	Sun, 2 Oct 2022 12:42:21 +0000 (14:42 +0200)
committer	Victor Julien <vjulien@oisf.net>
	Mon, 3 Oct 2022 09:03:09 +0000 (11:03 +0200)
commit	f1300e68c96713166f1d2855aae188ce5f276a59
tree	6257f49dfb1035e9e92c017344c455a0939601f9	tree
parent	bb93d67dddec6f8908c67c22deab23b111e59ab1	commit \| diff

eve/alert: add src and dest info to flow in alert

When looking at an alert event, it was impossible to determine which
side from src or dest IP in the alert was the client and wich side
was the server with regards to the underlying flow. This was a problem
when you try to known who belongs a metadata property such as a HTTP
hostname or a TLS JA3.

This patch updates the code to add src and dest IP in the flow
subobject as well as src and dst port. This way, we can now which
side is the client and which side is the server.

The result is looking like:

{
  "event_type": "alert",
  "src_ip": "22.47.184.196",
  "src_port": 81,
  "dest_ip": "192.168.1.47",
  "dest_port": 1063,
  "proto": "TCP",
  "tx_id": 0,
  "alert": {
    "signature_id": 2018959,
    "rev": 3,
  },
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 22,
    "pkts_toclient": 35,
    "bytes_toserver": 1370,
    "bytes_toclient": 48852,
    "start": "2009-10-28T10:01:46.755232+0100",
    "src_ip": "192.168.1.47",
    "dest_ip": "22.47.184.196",
    "src_port": 1063,
    "dest_port": 81
  }
}