eve/alert: log metadata be default

By default log metadata.

Remove toggles for individual protocol types and just use a
single toggle to control including the app-layer with the
alert.

The metadata (currently app-layer and flow) can be disabled
by setting metadata to a falsey value, but its removed
from the default configuration (but wil be in docs)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 8a0ef7a26676b013d1b987d5b6e651d7c4dfc683..6b095c5fd510c461a1387e44faf68878fbfd0552 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -80,18 +80,13 @@
 #define LOG_JSON_PAYLOAD           BIT_U16(0)
 #define LOG_JSON_PACKET            BIT_U16(1)
 #define LOG_JSON_PAYLOAD_BASE64    BIT_U16(2)
-#define LOG_JSON_HTTP              BIT_U16(3)
-#define LOG_JSON_TLS               BIT_U16(4)
-#define LOG_JSON_SSH               BIT_U16(5)
-#define LOG_JSON_SMTP              BIT_U16(6)
-#define LOG_JSON_TAGGED_PACKETS    BIT_U16(7)
-#define LOG_JSON_DNP3              BIT_U16(8)
-#define LOG_JSON_APP_LAYER         BIT_U16(9)
-#define LOG_JSON_FLOW              BIT_U16(10)
-#define LOG_JSON_HTTP_BODY         BIT_U16(11)
-#define LOG_JSON_HTTP_BODY_BASE64  BIT_U16(12)
-
-#define LOG_JSON_METADATA_ALL  (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3|LOG_JSON_FLOW)
+#define LOG_JSON_TAGGED_PACKETS    BIT_U16(3)
+#define LOG_JSON_APP_LAYER         BIT_U16(4)
+#define LOG_JSON_FLOW              BIT_U16(5)
+#define LOG_JSON_HTTP_BODY         BIT_U16(6)
+#define LOG_JSON_HTTP_BODY_BASE64  BIT_U16(7)
+
+#define LOG_JSON_METADATA (LOG_JSON_APP_LAYER | LOG_JSON_FLOW)
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -375,66 +370,48 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             AlertJsonTunnel(p, js);
         }
 
-        if (json_output_ctx->flags & LOG_JSON_HTTP) {
-            if (p->flow != NULL) {
-                uint16_t proto = FlowGetAppProtocol(p->flow);
-
-                /* http alert */
-                if (proto == ALPROTO_HTTP) {
-                    hjs = JsonHttpAddMetadata(p->flow, pa->tx_id);
-                    if (hjs) {
-                        if (json_output_ctx->flags & LOG_JSON_HTTP_BODY) {
-                            JsonHttpLogJSONBodyPrintable(hjs, p->flow, pa->tx_id);
-                        }
-                        if (json_output_ctx->flags & LOG_JSON_HTTP_BODY_BASE64) {
-                            JsonHttpLogJSONBodyBase64(hjs, p->flow, pa->tx_id);
-                        }
-                        json_object_set_new(js, "http", hjs);
+        if (json_output_ctx->flags & LOG_JSON_APP_LAYER && p->flow != NULL) {
+            uint16_t proto = FlowGetAppProtocol(p->flow);
+
+            /* http alert */
+            if (proto == ALPROTO_HTTP) {
+                hjs = JsonHttpAddMetadata(p->flow, pa->tx_id);
+                if (hjs) {
+                    if (json_output_ctx->flags & LOG_JSON_HTTP_BODY) {
+                        JsonHttpLogJSONBodyPrintable(hjs, p->flow, pa->tx_id);
+                    }
+                    if (json_output_ctx->flags & LOG_JSON_HTTP_BODY_BASE64) {
+                        JsonHttpLogJSONBodyBase64(hjs, p->flow, pa->tx_id);
                     }
+                    json_object_set_new(js, "http", hjs);
                 }
             }
-        }
-
-        if (json_output_ctx->flags & LOG_JSON_TLS) {
-            if (p->flow != NULL) {
-                uint16_t proto = FlowGetAppProtocol(p->flow);
 
-                /* tls alert */
-                if (proto == ALPROTO_TLS)
-                    AlertJsonTls(p->flow, js);
+            /* tls alert */
+            if (proto == ALPROTO_TLS) {
+                AlertJsonTls(p->flow, js);
             }
-        }
-
-        if (json_output_ctx->flags & LOG_JSON_SSH) {
-            if (p->flow != NULL) {
-                uint16_t proto = FlowGetAppProtocol(p->flow);
 
-                /* ssh alert */
-                if (proto == ALPROTO_SSH)
-                    AlertJsonSsh(p->flow, js);
+            /* ssh alert */
+            if (proto == ALPROTO_SSH) {
+                AlertJsonSsh(p->flow, js);
             }
-        }
 
-        if (json_output_ctx->flags & LOG_JSON_SMTP) {
-            if (p->flow != NULL) {
-                uint16_t proto = FlowGetAppProtocol(p->flow);
-
-                /* smtp alert */
-                if (proto == ALPROTO_SMTP) {
-                    hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id);
-                    if (hjs)
-                        json_object_set_new(js, "smtp", hjs);
+            /* smtp alert */
+            if (proto == ALPROTO_SMTP) {
+                hjs = JsonSMTPAddMetadata(p->flow, pa->tx_id);
+                if (hjs) {
+                    json_object_set_new(js, "smtp", hjs);
+                }
 
-                    hjs = JsonEmailAddMetadata(p->flow, pa->tx_id);
-                    if (hjs)
-                        json_object_set_new(js, "email", hjs);
+                hjs = JsonEmailAddMetadata(p->flow, pa->tx_id);
+                if (hjs) {
+                    json_object_set_new(js, "email", hjs);
                 }
             }
-        }
-        if ((json_output_ctx->flags & LOG_JSON_APP_LAYER) && p->flow != NULL) {
-            uint16_t alproto = FlowGetAppProtocol(p->flow);
+
 #ifdef HAVE_RUST
-            if (alproto == ALPROTO_NFS) {
+            if (proto == ALPROTO_NFS) {
                 hjs = JsonNFSAddMetadataRPC(p->flow, pa->tx_id);
                 if (hjs)
                     json_object_set_new(js, "rpc", hjs);
@@ -443,21 +420,17 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                     json_object_set_new(js, "nfs", hjs);
             }
 #endif
-            if (alproto == ALPROTO_FTPDATA) {
+            if (proto == ALPROTO_FTPDATA) {
                 hjs = JsonFTPDataAddMetadata(p->flow);
                 if (hjs)
                     json_object_set_new(js, "ftp-data", hjs);
             }
-        }
-        if (json_output_ctx->flags & LOG_JSON_DNP3) {
-            if (p->flow != NULL) {
-                uint16_t proto = FlowGetAppProtocol(p->flow);
 
-                /* dnp3 alert */
-                if (proto == ALPROTO_DNP3) {
-                    AlertJsonDnp3(p->flow, js);
-                }
+            /* dnp3 alert */
+            if (proto == ALPROTO_DNP3) {
+                AlertJsonDnp3(p->flow, js);
             }
+
         }
 
         if (p->flow) {
@@ -782,23 +755,27 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
     json_output_ctx->xff_cfg = xff_cfg;
 
     uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
+    uint16_t flags = 0;
 
-    if (conf != NULL) {
-        SetFlag(conf, "metadata", LOG_JSON_METADATA_ALL, &json_output_ctx->flags);
-        SetFlag(conf, "flow", LOG_JSON_FLOW, &json_output_ctx->flags);
-
-        SetFlag(conf, "http", LOG_JSON_HTTP, &json_output_ctx->flags);
-        SetFlag(conf, "tls",  LOG_JSON_TLS,  &json_output_ctx->flags);
-        SetFlag(conf, "ssh",  LOG_JSON_SSH,  &json_output_ctx->flags);
-        SetFlag(conf, "smtp", LOG_JSON_SMTP, &json_output_ctx->flags);
-        SetFlag(conf, "dnp3", LOG_JSON_DNP3, &json_output_ctx->flags);
+    if (conf == NULL) {
+        /* Enable metadata by default. */
+        flags |= LOG_JSON_METADATA;
+    } else {
+        /* If metadata not set, default to yes. */
+        if (ConfNodeLookupChildValue(conf, "metadata") == NULL) {
+            flags |= LOG_JSON_METADATA;
+        } else {
+            SetFlag(conf, "metadata", LOG_JSON_METADATA, &flags);
+            SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
+            SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
+        }
 
-        SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &json_output_ctx->flags);
-        SetFlag(conf, "packet", LOG_JSON_PACKET, &json_output_ctx->flags);
-        SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &json_output_ctx->flags);
-        SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &json_output_ctx->flags);
-        SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &json_output_ctx->flags);
-        SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &json_output_ctx->flags);
+        SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
+        SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
+        SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
+        SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
+        SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
+        SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
 
         const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
 
@@ -817,6 +794,8 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
         json_output_ctx->payload_buffer_size = payload_buffer_size;
         HttpXFFGetCfg(conf, xff_cfg);
     }
+
+    json_output_ctx->flags |= flags;
 }
 
 /**

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 20d12ada52ef40467ff0d07a53f7c1a8af9a05bc..0a8936b00523437e04b4ee710d3b67a1caeed7b8 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -175,7 +175,6 @@ outputs:
             # packet: yes              # enable dumping of packet (without stream segments)
             # http-body: yes           # enable dumping of http body in Base64
             # http-body-printable: yes # enable dumping of http body in printable format
-            metadata: yes              # add L7/applayer fields, flowbit and other vars to the alert
 
             # Enable the logging of tagged packets for rules using the
             # "tag" keyword.