eve-drop: allow logging all drops

- drop:
    alerts: yes      # log alerts that caused drops
    flows: all       # start or all: 'start' logs only a single drop
                     # per flow direction. All logs each dropped pkt.

diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index 5c866809b8b42ca43f6bec9aa8a28fae6b244396..fd7f513ead0f47164fa9dd908d29284e2f614b83 100644 (file)
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -71,6 +71,9 @@ typedef struct JsonDropLogThread_ {
     MemBuffer *buffer;
 } JsonDropLogThread;
 
+/* default to true as this has been the default behavior for a long time */
+static int g_droplog_flows_start = 1;
+
 /**
  * \brief   Log the dropped packets in netfilter format when engine is running
  *          in inline mode
@@ -282,6 +285,17 @@ static OutputCtx *JsonDropLogInitCtx(ConfNode *conf)
                 drop_ctx->flags = LOG_DROP_ALERTS;
             }
         }
+        extended = ConfNodeLookupChildValue(conf, "flows");
+        if (extended != NULL) {
+            if (strcasecmp(extended, "start") == 0) {
+                g_droplog_flows_start = 1;
+            } else if (strcasecmp(extended, "all") == 0) {
+                g_droplog_flows_start = 0;
+            } else {
+                SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
+                        "'flow' are 'start' and 'all'");
+            }
+        }
     }
 
     output_ctx->data = drop_ctx;
@@ -316,6 +330,17 @@ static OutputCtx *JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
                 drop_ctx->flags = LOG_DROP_ALERTS;
             }
         }
+        extended = ConfNodeLookupChildValue(conf, "flows");
+        if (extended != NULL) {
+            if (strcasecmp(extended, "start") == 0) {
+                g_droplog_flows_start = 1;
+            } else if (strcasecmp(extended, "all") == 0) {
+                g_droplog_flows_start = 0;
+            } else {
+                SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
+                        "'flow' are 'start' and 'all'");
+            }
+        }
     }
 
     drop_ctx->file_ctx = ajt->file_ctx;
@@ -341,6 +366,9 @@ static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
     if (r < 0)
         return -1;
 
+    if (!g_droplog_flows_start)
+        return 0;
+
     if (p->flow) {
         FLOWLOCK_RDLOCK(p->flow);
         if (p->flow->flags & FLOW_ACTION_DROP) {
@@ -374,7 +402,7 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
         return FALSE;
     }
 
-    if (p->flow != NULL) {
+    if (g_droplog_flows_start && p->flow != NULL) {
         int ret = FALSE;
 
         /* for a flow that will be dropped fully, log just once per direction */

diff --git a/suricata.yaml.in b/suricata.yaml.in
index d2fb45f7583d7cf092c4f68db2628b4ce230c6f2..351261962770f4746bf056e802390b5664f6966f 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -204,7 +204,9 @@ outputs:
             force-magic: no   # force logging magic on all logged files
             force-md5: no     # force logging of md5 checksums
         #- drop:
-        #    alerts: no       # log alerts that caused drops
+        #    alerts: yes      # log alerts that caused drops
+        #    flows: all       # start or all: 'start' logs only a single drop
+        #                     # per flow direction. All logs each dropped pkt.
         - smtp:
             #extended: yes # enable this for extended logging information
             # this includes: bcc, message-id, subject, x_mailer, user-agent