From: Eric Leblond Date: Sat, 17 Dec 2016 09:40:11 +0000 (+0100) Subject: output-json-alert: output source and target X-Git-Tag: suricata-4.0.0-rc1~79 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6af529d0c66407beac142a74ad437e62f1274ef5;p=thirdparty%2Fsuricata.git output-json-alert: output source and target Use metadata provided information to output the Source and Target in the definition of IDMEF. The output is now the following: "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "connection to home", "category": "", "severity": 3, "source": { "ip": "2001:31d0:000a:f68a:0000:0000:0000:0001", "port": 80 }, "target": { "ip": "2a01:0e34:ee97:b130:c685:08ff:dab3:c9c8", "port": 48390 }
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 2a5a752e41..7526c96029 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -174,6 +174,54 @@ static void AlertJsonDnp3(const Flow *f, json_t *js)
 return;
 }
+static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
+ json_t *js, json_t* ajs)
+{
+ json_t *sjs = json_object();
+ if (sjs == NULL) {
+ return;
+ }
+
+ json_t *tjs = json_object();
+ if (tjs == NULL) {
+ json_decref(sjs);
+ return;
+ }
+
+ if (pa->s->flags & SIG_FLAG_DEST_IS_TARGET) {
+ json_object_set(sjs, "ip", json_object_get(js, "src_ip"));
+ json_object_set(tjs, "ip", json_object_get(js, "dest_ip"));
+ switch (p->proto) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ break;
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ json_object_set(sjs, "port", json_object_get(js, "src_port"));
+ json_object_set(tjs, "port", json_object_get(js, "dest_port"));
+ break;
+ }
+ } else if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
+ json_object_set(sjs, "ip", json_object_get(js, "dest_ip"));
+ json_object_set(tjs, "ip", json_object_get(js, "src_ip"));
+ switch (p->proto) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ break;
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ json_object_set(sjs, "port", json_object_get(js, "dest_port"));
+ json_object_set(tjs, "port", json_object_get(js, "src_port"));
+ break;
+ }
+ }
+ json_object_set_new(ajs, "source", sjs);
+ json_object_set_new(ajs, "target", tjs);
+}
+
+
 void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
 {
 const char *action = "allowed";
@@ -215,6 +263,10 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
 if (p->tenant_id > 0)
 json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
+ if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
+ AlertJsonSourceTarget(p, pa, js, ajs);
+ }
+
 /* alert */
 json_object_set_new(js, "alert", ajs);
 }
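Review bot: The new guard in AlertJsonHeader is a bare flag test with no hint of where the flag comes from or what the nested objects mean; a why-comment above the `if` would help, e.g. `/* IDMEF-style source/target, only for rules that declare which side is the target */`. The condition dereferences `pa->s` without a check, which is presumably already done earlier in this function (the part between `action` and `tenant_id` is outside the hunk), so it is fine as long as that holds. AlertJsonHeader starts and ends outside this hunk.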