output-json-alert: add dns info
authorGiuseppe Longo <glongo@stamus-networks.com>
Mon, 7 Aug 2017 08:31:16 +0000 (10:31 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 14 Mar 2018 21:29:39 +0000 (22:29 +0100)
This changes the LogQuery and LogAnswer functions
to return a json object instead of writing it to a log file.
In this way it's possible to reuse them to add dns info
into an alert.

The following is an alert record with dns:

{
  "timestamp": "2017-07-31T15:01:17.885281+0200",
  "event_type": "alert",
  "src_ip": "8.8.8.8",
  ...
  "dns": {
    "query": [
      {
        "type": "query",
        "id": 25394,
        "rrname": "notifications.google.com",
        "rrtype": "A",
        "tx_id": 0
      }
    ],
    "answer": {
      "type": "answer",
      "id": 25394,
      "rcode": "NOERROR",
      "answers": [
        {
          "rrname": "notifications.google.com",
          "rrtype": "CNAME",
          "ttl": 3599,
          "rdata": "plus.l.google.com"
        },
        {
          "rrname": "plus.l.google.com",
          "rrtype": "A",
          "ttl": 299,
          "rdata": "216.58.205.174"
        }
      ]
    }
  }
}

src/output-json-alert.c

index 5013171befa01204cdcbd490d2b357952860d341..f8b36097c5fba289ca9439de2b2a7917799c53f6 100644 (file)
@@ -46,6 +46,7 @@
 #include "detect-metadata.h"
 #include "app-layer-parser.h"
 #include "app-layer-dnp3.h"
+#include "app-layer-dns-common.h"
 #include "app-layer-htp.h"
 #include "app-layer-htp-xff.h"
 #include "app-layer-ftp.h"
@@ -57,6 +58,7 @@
 #include "output-json.h"
 #include "output-json-alert.h"
 #include "output-json-dnp3.h"
+#include "output-json-dns.h"
 #include "output-json-http.h"
 #include "output-json-tls.h"
 #include "output-json-ssh.h"
@@ -185,6 +187,35 @@ static void AlertJsonDnp3(const Flow *f, json_t *js)
     return;
 }
 
+static void AlertJsonDns(const Flow *f, json_t *js)
+{
+#ifndef HAVE_RUST
+    DNSState *dns_state = (DNSState *)FlowGetAppState(f);
+    if (dns_state) {
+        uint64_t tx_id = AppLayerParserGetTransactionLogId(f->alparser);
+        DNSTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
+                                                 dns_state, tx_id);
+        if (tx) {
+            json_t *dnsjs = json_object();
+            if (unlikely(dnsjs == NULL)) {
+                return;
+            }
+
+            json_t *qjs = JsonDNSLogQuery(tx, tx_id);
+            if (qjs != NULL) {
+                json_object_set_new(dnsjs, "query", qjs);
+            }
+            json_t *ajs = JsonDNSLogAnswer(tx, tx_id);
+            if (ajs != NULL) {
+                json_object_set_new(dnsjs, "answer", ajs);
+            }
+            json_object_set_new(js, "dns", dnsjs);
+        }
+    }
+#endif
+    return;
+}
+
 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
                                   json_t *js, json_t* ajs)
 {
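Review bot: When both JsonDNSLogQuery and JsonDNSLogAnswer return NULL, AlertJsonDns still attaches an empty `"dns": {}` to the alert, because the unconditional json_object_set_new(js, "dns", dnsjs) runs regardless of what was added; consumers keying on the presence of a dns object would then see one with no query or answer. I would only attach it when it carries data, and otherwise release it, `if (json_object_size(dnsjs) > 0) { json_object_set_new(js, "dns", dnsjs); } else { json_decref(dnsjs); }`. The `#ifndef HAVE_RUST` guard also deserves a comment at the top of the function, since the call site added in the AlertJson hunk below still invokes it for ALPROTO_DNS and the alert then silently lacks the dns object under the Rust parser; something like `/* No-op when the Rust DNS parser is built in: no dns object is emitted. */`. Whether the transaction found via AppLayerParserGetTransactionLogId is the one the signature matched is not verifiable from this hunk and is worth confirming against the detection path.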
@@ -478,6 +509,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                 AlertJsonDnp3(p->flow, js);
             }
 
+            if (proto == ALPROTO_DNS) {
+                AlertJsonDns(p->flow, js);
+            }
         }
 
         if (p->flow) {
@@ -493,7 +527,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             }
         }
 
-
         /* payload */
         if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
             int stream = (p->proto == IPPROTO_TCP) ?