From: Jason Ish
Date: Fri, 13 Mar 2020 19:38:02 +0000 (-0600)
Subject: alert/eve: use addr info struct for source/target (jsonbuilder prep)
X-Git-Tag: suricata-6.0.0-beta1~389
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e1b44ac713c657df58b61764bfb4514f67096d5;p=thirdparty%2Fsuricata.git

alert/eve: use addr info struct for source/target (jsonbuilder prep)

Update the source/target logging to use the cached address info instead of fetching it from the constructed json_t object. This is required for migration to JsonBuilder which does not have the ability to retrieve already set fields.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 2b955c050e..ee64fb151c 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -214,7 +214,7 @@ static void AlertJsonDns(const Flow *f, const uint64_t tx_id, json_t *js)
 }
 
 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
-        json_t *js, json_t* ajs)
+        json_t* ajs, JsonAddrInfo *addr)
 {
     json_t *sjs = json_object();
     if (sjs == NULL) {
@@ -228,8 +228,8 @@ static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
     }
 
     if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
-        json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
-        json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
+        json_object_set(sjs, "ip", json_string(addr->src_ip));
+        json_object_set(tjs, "ip", json_string(addr->dst_ip));
         switch (p->proto) {
             case IPPROTO_ICMP:
             case IPPROTO_ICMPV6:
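Review bot: The two new `json_object_set(sjs, "ip", json_string(addr->src_ip));` / `json_object_set(tjs, "ip", json_string(addr->dst_ip));` lines leak one jansson reference each per alert: `json_string()` returns a new reference and `json_object_set()` takes its own extra reference instead of stealing it, so the value's original reference is never released (the removed `json_object_get()` calls returned borrowed references, which is why plain `json_object_set` was correct before this change). The fix is to use the stealing variant, `json_object_set_new(sjs, "ip", json_string(addr->src_ip));` and likewise for `tjs`/`dst_ip`, and the same correction is needed for the `json_integer(addr->sp)`/`json_integer(addr->dp)` port lines in the following hunks of this function. On a busy sensor this is a steady per-alert heap leak in the logging path, so it is worth fixing before the JsonBuilder migration replaces this code. AlertJsonSourceTarget continues past the end of this hunk.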
@@ -237,13 +237,13 @@ static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
             case IPPROTO_UDP:
             case IPPROTO_TCP:
             case IPPROTO_SCTP:
-                json_object_set(sjs, "port", json_object_get(js, "src_port"));
-                json_object_set(tjs, "port", json_object_get(js, "dest_port"));
+                json_object_set(sjs, "port", json_integer(addr->sp));
+                json_object_set(tjs, "port", json_integer(addr->dp));
                 break;
         }
     } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
-        json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
-        json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
+        json_object_set(sjs, "ip", json_string(addr->dst_ip));
+        json_object_set(tjs, "ip", json_string(addr->src_ip));
         switch (p->proto) {
             case IPPROTO_ICMP:
             case IPPROTO_ICMPV6:
@@ -251,8 +251,8 @@ static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
             case IPPROTO_UDP:
             case IPPROTO_TCP:
             case IPPROTO_SCTP:
-                json_object_set(sjs, "port", json_object_get(js, "dest_port"));
-                json_object_set(tjs, "port", json_object_get(js, "src_port"));
+                json_object_set(sjs, "port", json_integer(addr->dp));
+                json_object_set(tjs, "port", json_integer(addr->sp));
                 break;
         }
     }
@@ -293,7 +293,7 @@ static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx, const PacketA
 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js,
-        uint16_t flags)
+        uint16_t flags, JsonAddrInfo *addr)
 {
     AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
     const char *action = "allowed";
@@ -334,8 +334,8 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *
     if (p->tenant_id > 0)
         json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
 
-    if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
-        AlertJsonSourceTarget(p, pa, js, ajs);
+    if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET) {
+        AlertJsonSourceTarget(p, pa, ajs, addr);
     }
 
     if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
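Review bot: The new guard `if (addr && pa->s->flags & SIG_FLAG_HAS_TARGET)` silently omits the `source`/`target` objects whenever a caller passes a NULL `addr`, whereas before this commit a rule with a target always produced them; since `AlertJsonHeader` is a public prototype exported from output-json-alert.h, a caller that is not updated loses that data with no diagnostic. Every in-tree caller visible in this diff passes a real pointer, so the cheap fix is to make the contract explicit rather than to compute a fallback here: state on the declaration that `addr` is the JsonAddrInfo the caller built `js` from and that NULL suppresses source/target logging, and consider a `DEBUG_VALIDATE_BUG_ON`-style assertion if the project has one (I cannot see one from here). The unparenthesised mix of `&&` and `&` is correct by precedence but reads as a trap; `if (addr != NULL && (pa->s->flags & SIG_FLAG_HAS_TARGET)) {` is clearer and matches the parenthesised `flags & LOG_JSON_RULE_METADATA` test two lines below. AlertJsonHeader's body continues past the end of this hunk.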
@@ -452,7 +452,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
         MemBufferReset(aft->json_buffer);
 
         /* alert */
-        AlertJsonHeader(json_output_ctx, p, pa, js, json_output_ctx->flags);
+        AlertJsonHeader(json_output_ctx, p, pa, js, json_output_ctx->flags,
+                &addr);
 
         if (IS_TUNNEL_PKT(p)) {
             AlertJsonTunnel(p, js);
diff --git a/src/output-json-alert.h b/src/output-json-alert.h
index c8d3f7f456..7db5be76fb 100644
--- a/src/output-json-alert.h
+++ b/src/output-json-alert.h
@@ -29,7 +29,7 @@ void JsonAlertLogRegister(void);
 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *js,
-        uint16_t flags);
+        uint16_t flags, JsonAddrInfo *addr);
 #endif /* __OUTPUT_JSON_ALERT_H__ */
diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index f9ef9d260c..f41c8ed872 100644
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -87,7 +87,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
 {
     JsonDropOutputCtx *drop_ctx = aft->drop_ctx;
 
-    json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop", NULL);
+    JsonAddrInfo addr = json_addr_info_zero;
+    JsonAddrInfoInit(p, LOG_DIR_PACKET, &addr);
+
+    json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "drop", &addr);
     if (unlikely(js == NULL))
         return TM_ECODE_OK;
 
@@ -160,14 +163,14 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
             if ((pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) ||
                ((pa->action & ACTION_DROP) && EngineModeIsIPS())) {
-                AlertJsonHeader(NULL, p, pa, js, 0);
+                AlertJsonHeader(NULL, p, pa, js, 0, &addr);
                 logged = 1;
             }
         }
         if (logged == 0) {
             if (p->alerts.drop.action != 0) {
                 const PacketAlert *pa = &p->alerts.drop;
-                AlertJsonHeader(NULL, p, pa, js, 0);
+                AlertJsonHeader(NULL, p, pa, js, 0, &addr);
             }
         }
     }
diff --git a/src/output-json.c b/src/output-json.c
index d30966670d..ff6ca16163 100644
--- a/src/output-json.c
+++ b/src/output-json.c
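Review bot: The public prototype in output-json-alert.h gains `JsonAddrInfo *addr` with no documentation, and its semantics are not obvious from the signature: in output-json-alert.c the pointer is only dereferenced inside the `SIG_FLAG_HAS_TARGET` branch, and a NULL value makes the `source`/`target` objects disappear from the alert rather than failing. I would add a doxygen block above the declaration saying that `addr` is the address info the caller already used to build `js` (so the 5-tuple and source/target agree), that it is only read, and that passing NULL suppresses source/target logging. Since the visible callee only reads `src_ip`, `dst_ip`, `sp` and `dp`, `const JsonAddrInfo *addr` would also document that the struct is not modified, assuming no code outside this diff writes through it. The header hunk shows only the prototype; the include guard and any surrounding declarations are outside the hunk.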
@@ -82,6 +82,8 @@ static const char *TRAFFIC_LABEL_PREFIX = "traffic/label/";
 static size_t traffic_id_prefix_len = 0;
 static size_t traffic_label_prefix_len = 0;
 
+const JsonAddrInfo json_addr_info_zero;
+
 void OutputJsonRegister (void)
 {
     OutputRegisterModule(MODULE_NAME, "eve-log", OutputJsonInitCtx);
@@ -881,7 +883,7 @@ json_t *CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir,
     }
 
     /* 5-tuple */
-    JsonAddrInfo addr_info = {0};
+    JsonAddrInfo addr_info = json_addr_info_zero;
     if (addr == NULL) {
         JsonAddrInfoInit(p, dir, &addr_info);
         addr = &addr_info;
diff --git a/src/output-json.h b/src/output-json.h
index 9b694e39e4..d928a9ee4c 100644
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -52,6 +52,8 @@ typedef struct JsonAddrInfo_ {
     char proto[JSON_PROTO_LEN];
 } JsonAddrInfo;
 
+extern const JsonAddrInfo json_addr_info_zero;
+
 void JsonAddrInfoInit(const Packet *p, enum OutputJsonLogDirection dir,
         JsonAddrInfo *addr);
diff --git a/src/output.c b/src/output.c
index 086f9a0b62..fd43b8614b 100644
--- a/src/output.c
+++ b/src/output.c
@@ -44,6 +44,7 @@
 #include "alert-debuglog.h"
 #include "alert-prelude.h"
 #include "alert-syslog.h"
+#include "output-json.h"
 #include "output-json-alert.h"
 #include "output-json-anomaly.h"
 #include "output-json-flow.h"
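Review bot: `const JsonAddrInfo json_addr_info_zero;` is a file-scope const object with no initializer, which is valid C (static storage duration, so it is zero-initialised) but unusual enough that the next reader will assume a missing `= {0}`, and it would not compile if the unit were ever built as C++. Presumably it exists so that `JsonAddrInfo addr_info = json_addr_info_zero;` in CreateJSONHeader and the new local in DropLogJSON can be zeroed without the `-Wmissing-braces`/`-Wmissing-field-initializers` noise that `= {0}` produces on some compilers for a struct of char arrays, but the commit message does not say so. I would state it at the definition: `/* All-zero JsonAddrInfo; copy it to zero-initialise a local without the warnings that "= {0}" triggers on some compilers. Intentionally has no initializer: static storage is zero-filled. */`, and mirror a one-line version of that on the `extern` in output-json.h so users of the header see it.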