From: Jason Ish
Date: Mon, 1 Aug 2016 20:01:49 +0000 (-0600)
Subject: eve: log tag packets as packet events
X-Git-Tag: suricata-3.1.2~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=040660556eb1b4260c4998407baa48409e6f06df;p=thirdparty%2Fsuricata.git

eve: log tag packets as packet events

Create a new eve event type, "packet" for logging packets that are tagged as part of an event. The packet is still at the top level to keep it consistent with alert event types. In addition to the packet being logged, a packet_info object is created to hold the linktype and any future meta data we may want to add about the packet.
---

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 7476fbd2bd..03202983eb 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -175,6 +175,23 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
     json_object_set_new(js, "alert", ajs);
 }
 
+static void AlertJsonPacket(const Packet *p, json_t *js)
+{
+    unsigned long len = GET_PKT_LEN(p) * 2;
+    uint8_t encoded_packet[len];
+    Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p),
+        encoded_packet, &len);
+    json_object_set_new(js, "packet", json_string((char *)encoded_packet));
+
+    /* Create packet info. */
+    json_t *packetinfo_js = json_object();
+    if (unlikely(packetinfo_js == NULL)) {
+        return;
+    }
+    json_object_set_new(packetinfo_js, "linktype", json_integer(p->datalink));
+    json_object_set_new(js, "packet_info", packetinfo_js);
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
     MemBuffer *payload = aft->payload_buffer;
@@ -183,7 +200,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
     int i;
 
-    if (p->alerts.cnt == 0)
+    if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))
         return TM_ECODE_OK;
 
     json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
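Review bot: In AlertJsonPacket the output buffer `uint8_t encoded_packet[len]` is a VLA of twice the packet length and the return value of Base64Encode is discarded, so `json_string((char *)encoded_packet)` reads the buffer with no guarantee the encode completed and NUL-terminated it. Base64 output needs 4*ceil(n/3)+1 bytes, so 2*n is only sufficient for packets of at least three bytes, and the VLA places up to 2*GET_PKT_LEN(p) bytes on the logger thread's stack per call; a per-thread buffer sized for the worst case (the logger already owns aft->payload_buffer and aft->json_buffer) would be more robust. At minimum the result should be checked before use, e.g. `if (Base64Encode((unsigned char *)GET_PKT_DATA(p), GET_PKT_LEN(p), encoded_packet, &len) != 0) return;` adjusted to whatever Base64Encode actually returns, since its contract is not visible here. This code was lifted from the inline block in the next hunk, so the weaknesses are inherited rather than introduced by this commit, but the new helper is the natural place to fix them.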
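Review bot: With the relaxed early return at `if (p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG))`, a tagged packet carrying no alerts now continues into the alert path and allocates an "alert" header via `CreateJSONHeader((Packet *)p, 0, "alert")`, which, as far as the visible hunks show, is only cleared and freed at the end of the function before the new "packet" event is emitted. Unless the body between these hunks (not visible here) uses `js` for zero-alert packets, that allocation is wasted on every tagged packet; guarding it with `if (p->alerts.cnt > 0)` or emitting the tag event before the alert header is built would avoid it. The body of AlertJson continues outside this hunk.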
@@ -325,10 +342,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 
     /* base64-encoded full packet */
     if (json_output_ctx->flags & LOG_JSON_PACKET) {
-        unsigned long len = GET_PKT_LEN(p) * 2;
-        uint8_t encoded_packet[len];
-        Base64Encode((unsigned char*) GET_PKT_DATA(p), GET_PKT_LEN(p), encoded_packet, &len);
-        json_object_set_new(js, "packet", json_string((char *)encoded_packet));
+        AlertJsonPacket(p, js);
     }
 
     HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
@@ -368,6 +382,16 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
     json_object_clear(js);
     json_decref(js);
 
+    if (p->flags & PKT_HAS_TAG) {
+        MemBufferReset(aft->json_buffer);
+        json_t *packetjs = CreateJSONHeader((Packet *)p, 0, "packet");
+        if (unlikely(packetjs != NULL)) {
+            AlertJsonPacket(p, packetjs);
+            OutputJSONBuffer(packetjs, aft->file_ctx, &aft->json_buffer);
+            json_decref(packetjs);
+        }
+    }
+
     return TM_ECODE_OK;
 }
 
@@ -457,7 +481,10 @@ static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 
 static int JsonAlertLogCondition(ThreadVars *tv, const Packet *p)
 {
-    return (p->alerts.cnt ? TRUE : FALSE);
+    if (p->alerts.cnt || (p->flags & PKT_HAS_TAG)) {
+        return TRUE;
+    }
+    return FALSE;
 }
 
 #define OUTPUT_BUFFER_SIZE 65535
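Review bot: The branch hint at `if (unlikely(packetjs != NULL))` in the new tag block is inverted, since a successful CreateJSONHeader is the common case; it should read `if (likely(packetjs != NULL))`, or mirror the helper's own style with an early `if (unlikely(packetjs == NULL)) return TM_ECODE_OK;`. Separately, this block runs for every packet with PKT_HAS_TAG regardless of p->alerts.cnt, so if the flag is also set on the packet that raised the alert (not visible here) that packet is written twice, once per alert above and once more as a "packet" event; if the intent is to emit "packet" only for tagged follow-on packets, `if ((p->flags & PKT_HAS_TAG) && p->alerts.cnt == 0)` would express it. Note also that the tag event always embeds the full base64 packet irrespective of LOG_JSON_PACKET, which is presumably the point of tagging but worth recording above the block, e.g. `/* Tagged packets are always logged in full, independent of LOG_JSON_PACKET. */`.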