logging: Ensure all anomalous events have an event_type
authorJeff Lucovsky <jeff@lucovsky.org>
Tue, 16 Apr 2019 23:27:51 +0000 (16:27 -0700)
committerJeff Lucovsky <jeff@lucovsky.org>
Sat, 27 Apr 2019 12:30:56 +0000 (05:30 -0700)
This change ensures that each anomaly is tagged with an
event type to support querying.

Each anomalous event will include `"event_type": "anomaly"`
in the log record.

src/output-json-anomaly.c
src/output-json.c

index abe444538e11da623d194625381311e0d6a0f7d8..9648c2381437e9db4f176ec7007e89d2af4ad1d1 100644 (file)
@@ -84,12 +84,7 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
     for (int i = 0; i < p->events.cnt; i++) {
         MemBufferReset(aft->json_buffer);
 
-        json_t *js;
-        if (is_IP_pkt) {
-            js = CreateJSONHeader(p, LOG_DIR_PACKET, "anomaly");
-        } else {
-            js = json_object();
-        }
+        json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "anomaly");
 
         if (unlikely(js == NULL)) {
             return TM_ECODE_OK;
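Review bot: The `is_IP_pkt` local that the removed branch tested is probably no longer referenced once `CreateJSONHeader` is called unconditionally on the new line, which would surface as an unused-variable warning under `-Wall`; if nothing else in AnomalyJson reads it, its declaration should go too. That declaration and the rest of the function body are outside this hunk, so this is inferred from the removed lines only. A one-line comment above the call would also help the next reader, since the behaviour for non-IP packets is now decided elsewhere in this commit: `/* for non-IP packets the header carries event_type but JsonFiveTuple adds no address/port fields */`.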
@@ -118,15 +113,19 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
         }
 
         uint8_t event_code = p->events.events[i];
-        if (EVENT_IS_DECODER_PACKET_ERROR(event_code)) {
+        if (event_code < DECODE_EVENT_MAX) {
             const char *event = DEvents[event_code].event_name;
+            json_object_set_new(ajs, "type",
+                                EVENT_IS_DECODER_PACKET_ERROR(event_code) ? 
+                                    json_string("packet") : json_string("stream"));
             json_object_set_new(ajs, "event", json_string(event));
         } else {
             /* include event code with unrecognized events */
             uint32_t offset = 0;
-            char unknown_event_buf[32];
-            PrintBufferData(unknown_event_buf, &offset, 32, "%s(%d)", "Unknown", event_code);
-            json_object_set_new(ajs, "event", json_string(unknown_event_buf));
+            char unknown_event_buf[16];
+            json_object_set_new(ajs, "type", json_string("unknown"));
+            PrintBufferData(unknown_event_buf, &offset, 16, "%d", event_code);
+            json_object_set_new(ajs, "code", json_string(unknown_event_buf));
         }
 
         /* anomaly */
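Review bot: `PrintBufferData(unknown_event_buf, &offset, 16, "%d", event_code)` repeats the buffer size as a literal right after the buffer was shrunk from 32 to 16, which is exactly the pair of numbers that drifts apart in later edits; pass `sizeof(unknown_event_buf)` instead: `PrintBufferData(unknown_event_buf, &offset, sizeof(unknown_event_buf), "%d", event_code);`. The new guard `event_code < DECODE_EVENT_MAX` now reads `DEvents[event_code]` for every code below the maximum, not just decoder packet errors, so it depends on the DEvents table being indexed by event code and holding at least DECODE_EVENT_MAX entries; the table is not in this hunk, so that is worth confirming, ideally with a `_Static_assert` on the table length next to its definition. The else side of the `"type"` ternary labels every non-packet event `"stream"`, which is only right if those are the only two categories the table holds. There is also trailing whitespace after the `?` on that line.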
index 64d5b44220e30238894440130e0029bb484cdbff..9892b0d197d82192969f8dc57a525703e68b0404 100644 (file)
@@ -446,6 +446,9 @@ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
                         srcip, sizeof(srcip));
                 PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
                         dstip, sizeof(dstip));
+            } else {
+                /* Not an IP packet so don't do anything */
+                return;
             }
             sp = p->sp;
             dp = p->dp;
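Review bot: The new early return leaves `js` without the source/destination address and port fields for non-IP packets, and neither the function's documentation nor its callers are told this; the comment on JsonFiveTuple (outside this hunk) should state it, e.g. `/* For non-IP packets no address/port fields are added and js is left as the caller passed it */`. Log consumers that assume those fields are always present will need to tolerate their absence in anomaly records. JsonFiveTuple starts before this hunk and continues after it, so whether the return also skips fields set later in the function cannot be seen here.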