When looking at an alert event, it was impossible to determine which
side, src or dest IP in the alert, was the client and which side
was the server with regards to the underlying flow. This was a problem
when trying to know to which side a metadata property such as an HTTP
hostname or a TLS JA3 belongs.
This patch updates the code to add src and dest IP in the flow
subobject as well as src and dest port. This way, we can now tell which
side is the client and which side is the server.
The result is looking like:
{
"event_type": "alert",
"src_ip": "22.47.184.196",
"src_port": 81,
"dest_ip": "192.168.1.47",
"dest_port": 1063,
"proto": "TCP",
"tx_id": 0,
"alert": {
"signature_id":
2018959,
"rev": 3,
},
"app_proto": "http",
"flow": {
"pkts_toserver": 22,
"pkts_toclient": 35,
"bytes_toserver": 1370,
"bytes_toclient": 48852,
"start": "2009-10-28T10:01:46.755232+0100",
"src_ip": "192.168.1.47",
"dest_ip": "22.47.184.196",
"src_port": 1063,
"dest_port": 81
}
}
if (json_output_ctx->flags & LOG_JSON_FLOW) {
jb_open_object(jb, "flow");
EveAddFlow(p->flow, jb);
+ if (p->flowflags & FLOW_PKT_TOCLIENT) {
+ jb_set_string(jb, "src_ip", addr.dst_ip);
+ jb_set_string(jb, "dest_ip", addr.src_ip);
+ if (addr.sp > 0) {
+ jb_set_uint(jb, "src_port", addr.dp);
+ jb_set_uint(jb, "dest_port", addr.sp);
+ }
+ } else {
+ jb_set_string(jb, "src_ip", addr.src_ip);
+ jb_set_string(jb, "dest_ip", addr.dst_ip);
+ if (addr.sp > 0) {
+ jb_set_uint(jb, "src_port", addr.sp);
+ jb_set_uint(jb, "dest_port", addr.dp);
+ }
+ }
jb_close(jb);
}
}
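Review bot: The two branches added after `EveAddFlow` are exact mirrors of each other, and nothing on the new side records that the `src_ip`/`dest_ip`/`src_port`/`dest_port` keys inside the `flow` object are the flow's client and server, not the packet's addresses — which is the whole reason these keys differ from the top-level ones and is the first thing a reader of the log or the code will be confused by. A one-line comment such as `/* flow-level addrs are client/server: swap the packet addrs when the packet went toclient */` plus a single direction flag would document that and keep the four keys from drifting apart when one branch is edited later. The `addr.sp > 0` guard tests only the packet's source port in both branches, so a zero port on either side drops both port keys; that looks intended for protocols that carry no ports, but it is worth saying in the same comment so it is not "fixed" later. The enclosing function starts before this hunk.
```c
        EveAddFlow(p->flow, jb);
        /* flow-level addrs are client/server: swap the packet addrs when the
         * packet went toclient; sp == 0 means the proto has no ports */
        const int to_client = (p->flowflags & FLOW_PKT_TOCLIENT) != 0;
        jb_set_string(jb, "src_ip", to_client ? addr.dst_ip : addr.src_ip);
        jb_set_string(jb, "dest_ip", to_client ? addr.src_ip : addr.dst_ip);
        if (addr.sp > 0) {
            jb_set_uint(jb, "src_port", to_client ? addr.dp : addr.sp);
            jb_set_uint(jb, "dest_port", to_client ? addr.sp : addr.dp);
        }
        jb_close(jb);
```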