dcerpc: add app-layer metadata in alerts

Ticket: 6090

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index f7fc322bb367b30ef1c713636225e1bf5418cada..66d61f9155f761d0da57111cb111e1fe58fe338f 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -381,6 +381,26 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
                 jb_restore_mark(jb, &mark);
             }
             break;
+        case ALPROTO_DCERPC:
+            jb_get_mark(jb, &mark);
+            void *state = FlowGetAppState(p->flow);
+            if (state) {
+                void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
+                if (tx) {
+                    jb_open_object(jb, "dcerpc");
+                    if (p->proto == IPPROTO_TCP) {
+                        if (!rs_dcerpc_log_json_record_tcp(state, tx, jb)) {
+                            jb_restore_mark(jb, &mark);
+                        }
+                    } else {
+                        if (!rs_dcerpc_log_json_record_udp(state, tx, jb)) {
+                            jb_restore_mark(jb, &mark);
+                        }
+                    }
+                    jb_close(jb);
+                }
+            }
+            break;
         default:
             break;
     }

diff --git a/src/output.c b/src/output.c
index df58af4dc8e572ead5cac7ab448e886dcffd6c03..7b13913c831bb5d611ae1911bbe02dd8b91a049b 100644 (file)
--- a/src/output.c
+++ b/src/output.c
@@ -1126,7 +1126,7 @@ static EveJsonSimpleAppLayerLogger simple_json_applayer_loggers[ALPROTO_MAX] = {
     { ALPROTO_IMAP, NULL },   // protocol detection only
     { ALPROTO_JABBER, NULL }, // no parser, no logging
     { ALPROTO_SMB, NULL },    // special: uses state
-    { ALPROTO_DCERPC, NULL }, // TODO missing
+    { ALPROTO_DCERPC, NULL }, // special: uses state
     { ALPROTO_IRC, NULL },    // no parser, no logging
     { ALPROTO_DNS, AlertJsonDns },
     { ALPROTO_MODBUS, (EveJsonSimpleTxLogFunc)rs_modbus_to_json },