eve/http: use numeric status code by default
authorVictor Julien <vjulien@oisf.net>
Mon, 8 Jan 2024 08:02:15 +0000 (09:02 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 8 Jan 2024 19:23:29 +0000 (20:23 +0100)
To avoid costly string operations.

src/output-json-http.c

index 5f44e955573d3084e525b852052a5c76a5eae9d1..e49eb5e8a74e82fcc74be51d80ba188960d0faa4 100644 (file)
@@ -288,8 +288,13 @@ static void EveHttpLogJSONExtended(JsonBuilder *js, htp_tx_t *tx)
                 js, "protocol", bstr_ptr(tx->request_protocol), bstr_len(tx->request_protocol));
     }
 
-    /* response status */
-    if (tx->response_status != NULL) {
+    /* response status: from libhtp:
+     * "Response status code, available only if we were able to parse it, HTP_STATUS_INVALID
+     *  otherwise. HTP_STATUS_UNKNOWN until parsing is attempted" .*/
+    const int resp = tx->response_status_number;
+    if (resp > 0) {
+        jb_set_uint(js, "status", (uint32_t)resp);
+    } else if (tx->response_status != NULL) {
         const size_t status_size = bstr_len(tx->response_status) * 2 + 1;
         char status_string[status_size];
         BytesToStringBuffer(bstr_ptr(tx->response_status), bstr_len(tx->response_status),
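Review bot: The `resp > 0` test relies on both libhtp sentinels named in the comment (HTP_STATUS_INVALID and HTP_STATUS_UNKNOWN) being non-positive, which the comment does not state; I would add a line such as `/* both sentinels are <= 0, so > 0 means libhtp parsed a status code */` so the assumption is visible if those values ever change. With this change the `else if` string path appears to run mainly when libhtp could not parse the status, that is on malformed responses, and it still sizes the stack array `status_string` from `bstr_len(tx->response_status) * 2 + 1`; whether that length is bounded upstream is not visible in this hunk, so it is worth confirming or capping it. The comment's closing `" .*/` should read `". */`. EveHttpLogJSONExtended continues past the end of the hunk, so how the fallback value is emitted is not shown here.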