From: Alexander Gozman Date: Fri, 18 Jul 2014 09:38:03 +0000 (+0400) Subject: Fixed variables names in suricata.yaml.in Changed logging logic - now it's possible... X-Git-Tag: suricata-2.1beta1~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54193e89d5699680a92e6ad815fec9b0d7adf62a;p=thirdparty%2Fsuricata.git Fixed variables names in suricata.yaml.in Changed logging logic - now it's possible to enable different payload dumping modes separately Fixed bug in dumping packet without stream segments Fixed indents --- diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 8684b8e8d1..4e87615935 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -139,56 +139,60 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) json_object_set_new(js, "alert", ajs); /* payload */ - if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) { - int stream = (p->proto == IPPROTO_TCP) ? - (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? - 1 : 0) : 0; - - /* Is this a stream? If so, pack part of it into the payload field */ - if (stream) { - uint8_t flag; - - MemBufferReset(payload); - - if (p->flowflags & FLOW_PKT_TOSERVER) { - flag = FLOW_PKT_TOCLIENT; - } else { - flag = FLOW_PKT_TOSERVER; - } - - StreamSegmentForEach((const Packet *)p, flag, - AlertJsonPrintStreamSegmentCallback, - (void *)payload); - - if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { - unsigned long len = JSON_STREAM_BUFFER_SIZE * 2; - unsigned char encoded[len]; - Base64Encode((unsigned char *)payload, payload->offset, encoded, &len); - json_object_set_new(js, "payload", json_string((char *)encoded)); - } else { - json_object_set_new(js, "payload_printable", - json_string((char *)payload->buffer)); - } + if (aft->file_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) { + int stream = (p->proto == IPPROTO_TCP) ? + (pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? + 1 : 0) : 0; + + /* Is this a stream? If so, pack part of it into the payload field */ + if (stream) { + uint8_t flag; + + MemBufferReset(payload); + + if (p->flowflags & FLOW_PKT_TOSERVER) { + flag = FLOW_PKT_TOCLIENT; } else { - /* This is a single packet and not a stream */ - unsigned char packet_buf[p->payload_len + 1]; - uint32_t offset = 0; - - PrintStringsToBuffer(packet_buf, &offset, - p->payload_len + 1, - p->payload, p->payload_len); - - if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { - unsigned long len = sizeof(payload) * 2; - unsigned char encoded[len]; - Base64Encode(packet_buf, offset, encoded, &len); - json_object_set_new(js, "payload", json_string((char *)encoded)); - } else { - json_object_set_new(js, "payload_printable", json_string((char *)packet_buf)); - } + flag = FLOW_PKT_TOSERVER; + } + + StreamSegmentForEach((const Packet *)p, flag, + AlertJsonPrintStreamSegmentCallback, + (void *)payload); + + if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { + unsigned long len = JSON_STREAM_BUFFER_SIZE * 2; + unsigned char encoded[len]; + Base64Encode((unsigned char *)payload, payload->offset, encoded, &len); + json_object_set_new(js, "payload", json_string((char *)encoded)); + } + + if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) { + json_object_set_new(js, "payload_printable", + json_string((char *)payload->buffer)); } + } else { + /* This is a single packet and not a stream */ + unsigned char packet_buf[p->payload_len + 1]; + uint32_t offset = 0; + + PrintStringsToBuffer(packet_buf, &offset, + p->payload_len + 1, + p->payload, p->payload_len); + + if (aft->file_ctx->flags & LOG_JSON_PAYLOAD_BASE64) { + unsigned long len = sizeof(packet_buf) * 2; + unsigned char encoded[len]; + Base64Encode(packet_buf, offset, encoded, &len); + json_object_set_new(js, "payload", json_string((char *)encoded)); + } + + if (aft->file_ctx->flags & LOG_JSON_PAYLOAD) { + json_object_set_new(js, "payload_printable", json_string((char *)packet_buf)); + } + } - json_object_set_new(js, "stream", json_integer(stream)); + json_object_set_new(js, "stream", json_integer(stream)); } /* base64-encoded full packet */ @@ -403,15 +407,15 @@ static OutputCtx *JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx) if (conf) { const char *payload = ConfNodeLookupChildValue(conf, "payload"); const char *packet = ConfNodeLookupChildValue(conf, "packet"); - const char *payload_base64 = ConfNodeLookupChildValue(conf, "payload-base64"); + const char *payload_printable = ConfNodeLookupChildValue(conf, "payload-printable"); - if (payload != NULL) { - if (ConfValIsTrue(payload)) { + if (payload_printable != NULL) { + if (ConfValIsTrue(payload_printable)) { ajt->file_ctx->flags |= LOG_JSON_PAYLOAD; } } - if (payload_base64 != NULL) { - if (ConfValIsTrue(payload_base64)) { + if (payload != NULL) { + if (ConfValIsTrue(payload)) { ajt->file_ctx->flags |= LOG_JSON_PAYLOAD_BASE64; } } diff --git a/suricata.yaml.in b/suricata.yaml.in index a8075079c0..df9e4e3015 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -94,9 +94,9 @@ outputs: ## Error, Warning, Notice, Info, Debug types: - alert: - # payload: yes # enable dumping payload - # payload-base64: yes # if payload dumping is enabled, dumps it in Base64 - # packet: yes # enable dumping of packet (loses payload in stream segments) + # payload: yes # enable dumping payload in Base64 + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) - http: extended: yes # enable this for extended logging information # custom allows additional http fields to be included in eve-log