From: Jason Ish
Date: Tue, 30 Jan 2018 21:40:26 +0000 (-0600)
Subject: eve/alert: new metadata configuration (sane defaults)
X-Git-Tag: suricata-4.1.0-beta1~236
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45a38c043154f1d6c145c4efc05727e9c2aea13f;p=thirdparty%2Fsuricata.git
eve/alert: new metadata configuration (sane defaults) Under eve/alert, introduce a new metadata configuration section. If no provided, or simply yes defaults will be used. Otherwise this a map with fields that can be toggled on and off. The defaults are: outputs: - eve-log: types: - alert: metadata: app-layer: true flow: true rule: raw: false metadata: true To enable something that is disabled by default, or to disable something that is enabled by default, only that key need to be changed, everything else will keep its default value.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 60127ffc55..adffedcdb4 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -89,7 +89,9 @@
 #define LOG_JSON_RULE_METADATA BIT_U16(8)
 #define LOG_JSON_RULE BIT_U16(9)
-#define LOG_JSON_METADATA (LOG_JSON_APP_LAYER | LOG_JSON_FLOW)
+#define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
+ LOG_JSON_APP_LAYER | \
+ LOG_JSON_RULE_METADATA)
 #define JSON_STREAM_BUFFER_SIZE 4096
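Review bot: METADATA_DEFAULTS now folds LOG_JSON_RULE_METADATA into the default set, but the macro carries no comment saying that it is both the set applied when eve/alert has no `metadata` key (or `metadata: yes`) and the group cleared by `metadata: no`, and that the rule-metadata bit also drives DetectEngineSetParseMetadata() later in the file. I would add `/* Metadata logged when eve/alert has no "metadata" key; cleared as a group by "metadata: no". Includes rule-metadata, which also turns on metadata keyword parsing in the detect engine. */` above the define. As a point of style, the sibling macros all carry the LOG_JSON_ prefix and the stray space in `( LOG_JSON_FLOW` is unusual for this file; `#define LOG_JSON_METADATA_DEFAULTS (LOG_JSON_FLOW | LOG_JSON_APP_LAYER | LOG_JSON_RULE_METADATA)` fits on one line, with the two uses in the later hunks renamed to match.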
@@ -801,41 +803,48 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
 json_output_ctx->xff_cfg = xff_cfg;
 uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
- uint16_t flags = 0;
-
- if (conf == NULL) {
- /* Enable metadata by default. */
- flags |= LOG_JSON_METADATA;
- } else {
- /* If metadata not set, default to yes. */
- if (ConfNodeLookupChildValue(conf, "metadata") == NULL) {
- flags |= LOG_JSON_METADATA;
- } else {
- SetFlag(conf, "metadata", LOG_JSON_METADATA, &flags);
- SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
+ uint16_t flags = METADATA_DEFAULTS;
+
+ if (conf != NULL) {
+ /* Check for metadata to enable/disable. */
+ ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
+ if (metadata != NULL) {
+ if (metadata->val != NULL && ConfValIsFalse(metadata->val)) {
+ flags &= ~METADATA_DEFAULTS;
+ } else if (ConfNodeHasChildren(metadata)) {
+ ConfNode *rule_metadata = ConfNodeLookupChild(metadata, "rule");
+ if (rule_metadata) {
+ SetFlag(rule_metadata, "raw", LOG_JSON_RULE, &flags);
+ SetFlag(rule_metadata, "metadata", LOG_JSON_RULE_METADATA,
+ &flags);
+ }
+ SetFlag(metadata, "flow", LOG_JSON_FLOW, &flags);
+ SetFlag(metadata, "app-layer", LOG_JSON_APP_LAYER, &flags);
+ }
 }
+ /* Non-metadata toggles. */
 SetFlag(conf, "payload", LOG_JSON_PAYLOAD_BASE64, &flags);
 SetFlag(conf, "packet", LOG_JSON_PACKET, &flags);
 SetFlag(conf, "tagged-packets", LOG_JSON_TAGGED_PACKETS, &flags);
 SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
 SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
 SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
- SetFlag(conf, "rule", LOG_JSON_RULE, &flags);
-
- ConfNode *rmetadata = ConfNodeLookupChild(conf, "rule-metadata");
- if (rmetadata != NULL) {
- int enabled = 0, ret;
- ret = ConfGetChildValueBool(rmetadata, "enabled", &enabled);
- if (ret && enabled) {
- json_output_ctx->flags |= LOG_JSON_RULE_METADATA;
- }
- }
- if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
- DetectEngineSetParseMetadata();
- }
+ /* Check for obsolete configuration flags to enable specific
+ * protocols. These are now just aliases for enabling
+ * app-layer logging. */
+ SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
+ SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
+ SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
+ SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
+ SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
+
+ /* And check for obsolete configuration flags for enabling
+ * app-layer and flow as these have been moved under the
+ * metadata key. */
+ SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
+ SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
 const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
@@ -855,6 +864,10 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
 HttpXFFGetCfg(conf, xff_cfg);
 }
+ if (flags & LOG_JSON_RULE_METADATA) {
+ DetectEngineSetParseMetadata();
+ }
+
 json_output_ctx->flags |= flags;
 }
diff --git a/suricata.yaml.in b/suricata.yaml.in
index f49a13cfeb..0a8936b005 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
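Review bot: The legacy aliases at the end of the hunk (`http`, `tls`, `ssh`, `smtp`, `dnp3`, `app-layer`, `flow`) run after the new `metadata` map has been applied, so an old top-level key overrides the new explicit setting; if SetFlag clears the bit on a `no` value, as its use for the other toggles suggests (its body is not in the diff), a stale `tls: no` or `app-layer: no` left in a config silently switches off all app-layer metadata even when `metadata: app-layer: true` was set a few lines earlier, and `http: yes` followed by `tls: no` ends with the bit cleared. Evaluating the obsolete keys before the `metadata` block would let the new keys win, and a warning (SCLogWarning) naming the deprecated key would make the override visible to the operator instead of leaving it to be noticed as missing alert fields. The hunk also removes `SetFlag(conf, "rule", LOG_JSON_RULE, &flags)` and the `rule-metadata: enabled:` lookup without an equivalent alias, so those two legacy keys are now silently ignored while the others are still honoured, which contradicts the alias comment. XffSetup, named in the hunk label, starts and ends outside this hunk.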
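Review bot: With LOG_JSON_RULE_METADATA in METADATA_DEFAULTS, the added block calls DetectEngineSetParseMetadata() whenever conf is NULL or has no `metadata` key, so a detect-engine-wide setting is now switched on by an output section's defaults; a comment should say so, e.g. `/* Rule metadata is on by default, so this also enables metadata keyword parsing in the detect engine unless "metadata: no" cleared it. */`. Separately, `json_output_ctx->flags |= flags` can only add bits, so if json_output_ctx->flags is ever non-zero on entry (not visible here) the `flags &= ~METADATA_DEFAULTS` triggered by `metadata: no` cannot clear anything; if this function is the sole writer, `json_output_ctx->flags = flags;` states that intent.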
@@ -176,11 +176,6 @@ outputs:
 # http-body: yes # enable dumping of http body in Base64
 # http-body-printable: yes # enable dumping of http body in printable format
- rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
- enabled: no # set to yes to enable
-
- # rule: yes # enable dumping of signature definition
-
 # Enable the logging of tagged packets for rules using the
 # "tag" keyword.
 tagged-packets: yes