From: Mats Klepsland
Date: Fri, 27 Jan 2017 11:42:08 +0000 (+0100)
Subject: output-json: move code to get 5-tuple to own function
X-Git-Tag: suricata-4.0.0-beta1~300
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7293286f2fab12cd674d29d0a5559de03954aa09;p=thirdparty%2Fsuricata.git
output-json: move code to get 5-tuple to own function
Move code to get 5-tuple in JSON object to own function 'JsonFiveTuple'. This enables this code to be reused when printing 'parent' JSON object in output-json-alert.
---
diff --git a/src/output-json.c b/src/output-json.c
index 7b655f64ca..7b0a1f99a0 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -280,73 +280,123 @@ void JsonTcpFlags(uint8_t flags, json_t *js) json_object_set_new(js, "cwr", json_true()); } -void CreateJSONFlowId(json_t *js, const Flow *f) -{ - if (f == NULL) - return; - int64_t flow_id = FlowGetId(f); - /* reduce to 51 bits as Javascript and even JSON often seem to - * max out there. */ - flow_id &= 0x7ffffffffffffLL; - json_object_set_new(js, "flow_id", json_integer(flow_id)); -} - -json_t *CreateJSONHeader(const Packet *p, int direction_sensitive, - const char *event_type) +/** + * \brief Add five tuple from packet to JSON object + * + * \param p Packet + * \param direction_sensitive Indicate direction sensitivity + * \param js JSON object + */ +void JsonFiveTuple(const Packet *p, int direction_sensitive, json_t *js) { - char timebuf[64]; char srcip[46], dstip[46]; Port sp, dp; - - json_t *js = json_object(); - if (unlikely(js == NULL)) - return NULL; - - CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf)); + char proto[16]; srcip[0] = '\0'; dstip[0] = '\0'; + if (direction_sensitive) { if ((PKT_IS_TOSERVER(p))) { if (PKT_IS_IPV4(p)) { - PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { - PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + dstip, sizeof(dstip)); } sp = p->sp; dp = p->dp; } else { if (PKT_IS_IPV4(p)) { - PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, 
sizeof(dstip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { - PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + dstip, sizeof(dstip)); } sp = p->dp; dp = p->sp; } } else { if (PKT_IS_IPV4(p)) { - PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); + PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), + dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { - PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), + srcip, sizeof(srcip)); + PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), + dstip, sizeof(dstip)); } sp = p->sp; dp = p->dp; } - char proto[16]; if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) { strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto)); } else { snprintf(proto, sizeof(proto), "%03" PRIu32, IP_GET_IPPROTO(p)); } + json_object_set_new(js, "src_ip", json_string(srcip)); + + switch(p->proto) { + case IPPROTO_ICMP: + break; + case IPPROTO_UDP: + case IPPROTO_TCP: + case IPPROTO_SCTP: + json_object_set_new(js, "src_port", json_integer(sp)); + break; + } + + json_object_set_new(js, "dest_ip", json_string(dstip)); + + switch(p->proto) { + case IPPROTO_ICMP: + break; + case IPPROTO_UDP: + case IPPROTO_TCP: + case IPPROTO_SCTP: + json_object_set_new(js, "dest_port", 
json_integer(dp)); + break; + } + + json_object_set_new(js, "proto", json_string(proto)); +} + +void CreateJSONFlowId(json_t *js, const Flow *f) +{ + if (f == NULL) + return; + int64_t flow_id = FlowGetId(f); + /* reduce to 51 bits as Javascript and even JSON often seem to + * max out there. */ + flow_id &= 0x7ffffffffffffLL; + json_object_set_new(js, "flow_id", json_integer(flow_id)); +} + +json_t *CreateJSONHeader(const Packet *p, int direction_sensitive, + const char *event_type) +{ + char timebuf[64]; + + json_t *js = json_object(); + if (unlikely(js == NULL)) + return NULL; + + CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf)); + /* time & tx */ json_object_set_new(js, "timestamp", json_string(timebuf)); @@ -394,28 +444,10 @@ json_t *CreateJSONHeader(const Packet *p, int direction_sensitive, } } - /* tuple */ - json_object_set_new(js, "src_ip", json_string(srcip)); - switch(p->proto) { - case IPPROTO_ICMP: - break; - case IPPROTO_UDP: - case IPPROTO_TCP: - case IPPROTO_SCTP: - json_object_set_new(js, "src_port", json_integer(sp)); - break; - } - json_object_set_new(js, "dest_ip", json_string(dstip)); - switch(p->proto) { - case IPPROTO_ICMP: - break; - case IPPROTO_UDP: - case IPPROTO_TCP: - case IPPROTO_SCTP: - json_object_set_new(js, "dest_port", json_integer(dp)); - break; - } - json_object_set_new(js, "proto", json_string(proto)); + /* 5-tuple */ + JsonFiveTuple(p, direction_sensitive, js); + + /* icmp */ switch (p->proto) { case IPPROTO_ICMP: if (p->icmpv4h) { diff --git a/src/output-json.h b/src/output-json.h index c654549219..5f42e7657a 100644 --- a/src/output-json.h +++ b/src/output-json.h 
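Review bot: In the new JsonFiveTuple the `switch(p->proto)` that decides whether a port is emitted is written out twice, once before `src_port` and once before `dest_port`, and neither switch has a `default:`, so a reader cannot tell whether protocols outside ICMP/UDP/TCP/SCTP are left without ports on purpose. Computing one flag up front keeps the two emissions from drifting apart and gives that intent a place to be stated; the rewrite below replaces the block from the `src_ip` line to the `proto` line and preserves the key order. The doxygen comment should also say what the flag does rather than "Indicate direction sensitivity": from the branches, when it is non-zero and the packet is not to-server the addresses and ports are swapped, so `\param direction_sensitive If non-zero and the packet flows to the client, src and dest are swapped so that src_ip/src_port always name the to-server side` would describe the visible behaviour. CreateJSONHeader, whose relocated body begins at the end of this hunk, continues outside it.
```c
    /* … unchanged: address selection, sp/dp assignment, proto string … */

    /* Only transports that carry ports get src_port/dest_port; ICMP and
     * every other protocol are emitted with addresses and proto only. */
    int has_ports = 0;
    switch (p->proto) {
        case IPPROTO_UDP:
        case IPPROTO_TCP:
        case IPPROTO_SCTP:
            has_ports = 1;
            break;
        default:
            break;
    }

    json_object_set_new(js, "src_ip", json_string(srcip));
    if (has_ports) {
        json_object_set_new(js, "src_port", json_integer(sp));
    }
    json_object_set_new(js, "dest_ip", json_string(dstip));
    if (has_ports) {
        json_object_set_new(js, "dest_port", json_integer(dp));
    }
    json_object_set_new(js, "proto", json_string(proto));
}
```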
@@ -42,6 +42,7 @@ int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
 void JsonAddVars(const Packet *p, const Flow *f, json_t *js);
 void CreateJSONFlowId(json_t *js, const Flow *f);
 void JsonTcpFlags(uint8_t flags, json_t *js);
+void JsonFiveTuple(const Packet *, int, json_t *);
 json_t *CreateJSONHeader(const Packet *p, int direction_sensative, const char *event_type);
 json_t *CreateJSONHeaderWithTxId(const Packet *p, int direction_sensitive, const char *event_type, uint64_t tx_id);
 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);
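Review bot: The added prototype `void JsonFiveTuple(const Packet *, int, json_t *);` omits the parameter names while every neighbouring declaration in this header keeps them, so a caller reading only the header cannot see which argument is the direction flag. Matching the definition with `void JsonFiveTuple(const Packet *p, int direction_sensitive, json_t *js);` keeps the header self-documenting and consistent with the surrounding lines.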