From: Mats Klepsland
Date: Fri, 27 Jan 2017 11:50:08 +0000 (+0100)
Subject: output-json-alert: print 'tunnel' JSON object if tunnel
X-Git-Tag: suricata-4.0.0-beta1~299
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=234a3a890bb16141d5fb67b12e239ad52c7edf4c;p=thirdparty%2Fsuricata.git
output-json-alert: print 'tunnel' JSON object if tunnel
Log src_ip, dst_ip and proto for root packet (p->root) if the packet that triggered is inside a tunnel, as JSON object 'tunnel'. Also log recursion depth to indicate the depth of the tunnel.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 031bebb17d..135ee618ed 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -218,6 +218,29 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
 json_object_set_new(js, "alert", ajs);
 }
 
+static void AlertJsonTunnel(const Packet *p, json_t *js)
+{
+ json_t *tunnel = json_object();
+ if (tunnel == NULL)
+ return;
+
+ if (p->root == NULL) {
+ json_decref(tunnel);
+ return;
+ }
+
+ /* get a lock to access root packet fields */
+ SCMutex *m = &p->root->tunnel_mutex;
+
+ SCMutexLock(m);
+ JsonFiveTuple((const Packet *)p->root, 0, tunnel);
+ SCMutexUnlock(m);
+
+ json_object_set_new(tunnel, "depth", json_integer(p->recursion_level));
+
+ json_object_set_new(js, "tunnel", tunnel);
+}
+
 static void AlertJsonPacket(const Packet *p, json_t *js)
 {
 unsigned long len = GET_PKT_LEN(p) * 2;
@@ -261,6 +284,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 /* alert */
 AlertJsonHeader(p, pa, js);
 
+ if (IS_TUNNEL_PKT(p)) {
+ AlertJsonTunnel(p, js);
+ }
+
 if (json_output_ctx->flags & LOG_JSON_HTTP) {
 if (p->flow != NULL) {
 uint16_t proto = FlowGetAppProtocol(p->flow);
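Review bot: AlertJsonTunnel allocates the `tunnel` object before it tests `p->root`, so the root-is-NULL path pays for a `json_object()` and an immediate `json_decref(tunnel)` that do nothing; moving `if (p->root == NULL) return;` above the allocation makes the guard cheaper and removes the extra cleanup branch. The cast in `JsonFiveTuple((const Packet *)p->root, 0, tunnel);` adds nothing, since a non-const `Packet *` converts to `const Packet *` implicitly, and an explicit cast there would mask a later type change of `root`. A short header comment would help the next reader: `/* Emit a "tunnel" object holding the outer (root) packet's five-tuple and the recursion depth; root fields are read under root->tunnel_mutex. */`. The `json_integer(p->recursion_level)` result is not checked, which matches the surrounding code's best-effort style and only loses the "depth" key on allocation failure.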
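Review bot: The caller only tests `IS_TUNNEL_PKT(p)` and relies on AlertJsonTunnel's `p->root == NULL` check to decide whether a `tunnel` object is emitted, so whether the outer packet of a tunnel logs one depends on a check two functions away. If the intent is that only encapsulated packets carry the object, a one-line comment here, `/* only the inner packet has a root; the outer packet already logs its own tuple */`, would make that explicit at the call site. Whether IS_TUNNEL_PKT is also set on the root packet is not visible in this hunk, so that wording should be confirmed against the decoder. AlertJson's body starts and continues outside the hunk.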