eve/flow/netflow: log correct tulpe on reversed flows

diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index e59f7c86985a6df3d7023ba035976e0c0d9c276e..2cb862d087ee1400d01d67a336ce11cd3f57b70d 100644 (file)
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -66,7 +66,7 @@ typedef struct JsonFlowLogThread_ {
 static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
 {
     char timebuf[64];
-    char srcip[46], dstip[46];
+    char srcip[46] = {0}, dstip[46] = {0};
     Port sp, dp;
 
     json_t *js = json_object();
@@ -79,19 +79,28 @@ static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
 
     CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));
 
-    srcip[0] = '\0';
-    dstip[0] = '\0';
-    if (FLOW_IS_IPV4(f)) {
-        PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
-        PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
-    } else if (FLOW_IS_IPV6(f)) {
-        PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
-        PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
+    if ((f->flags & FLOW_DIR_REVERSED) == 0) {
+        if (FLOW_IS_IPV4(f)) {
+            PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
+            PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
+        } else if (FLOW_IS_IPV6(f)) {
+            PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
+            PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
+        }
+        sp = f->sp;
+        dp = f->dp;
+    } else {
+        if (FLOW_IS_IPV4(f)) {
+            PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip));
+            PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip));
+        } else if (FLOW_IS_IPV6(f)) {
+            PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip));
+            PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip));
+        }
+        sp = f->dp;
+        dp = f->sp;
     }
 
-    sp = f->sp;
-    dp = f->dp;
-
     char proto[16];
     if (SCProtoNameValid(f->proto) == TRUE) {
         strlcpy(proto, known_proto[f->proto], sizeof(proto));

diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index 13bc7a6024093f521c225c88028a2def16b22518..ef86c3abe359cfbae76f77289df0befd3495bd0b 100644 (file)
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -67,7 +67,7 @@ typedef struct JsonNetFlowLogThread_ {
 static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type, int dir)
 {
     char timebuf[64];
-    char srcip[46], dstip[46];
+    char srcip[46] = {0}, dstip[46] = {0};
     Port sp, dp;
 
     json_t *js = json_object();
@@ -80,8 +80,9 @@ static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type, i
 
     CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));
 
-    srcip[0] = '\0';
-    dstip[0] = '\0';
+    /* reverse header direction if the flow started out wrong */
+    dir ^= ((f->flags & FLOW_DIR_REVERSED) != 0);
+
     if (FLOW_IS_IPV4(f)) {
         if (dir == 0) {
             PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));

diff --git a/src/output-json.c b/src/output-json.c
index ab488b9c7085a15f41a8e18395f522a4cc88f44f..a91d6eb9824ec1e0db70f97974ae05c1a9b6302f 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -430,7 +430,7 @@ void JsonTcpFlags(uint8_t flags, json_t *js)
  */
 void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
 {
-    char srcip[46] = "", dstip[46] = "";
+    char srcip[46] = {0}, dstip[46] = {0};
     Port sp, dp;
     char proto[16];