From: Giuseppe Longo
Date: Mon, 7 Aug 2017 08:31:16 +0000 (+0200)
Subject: output-json-alert: add dns info
X-Git-Tag: suricata-4.1.0-beta1~51
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92db7be502bc80294151a0a2169b55175603f7a4;p=thirdparty%2Fsuricata.git

output-json-alert: add dns info This changes LogQuery and LogAnswer functions returning a json object instead of writing it in a log file. In this way it's possible to reuse them to add dns info into an alert. The following is an alert record with dns: { "timestamp": "2017-07-31T15:01:17.885281+0200", "event_type": "alert", "src_ip": "8.8.8.8", ... "dns": { "query": [ { "type": "query", "id": 25394, "rrname": "notifications.google.com", "rrtype": "A", "tx_id": 0 } ], "answer": { "type": "answer", "id": 25394, "rcode": "NOERROR", "answers": [ { "rrname": "notifications.google.com", "rrtype": "CNAME", "ttl": 3599, "rdata": "plus.l.google.com" }, { "rrname": "plus.l.google.com", "rrtype": "A", "ttl": 299, "rdata": "216.58.205.174" } ] } } }
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 5013171bef..f8b36097c5 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -46,6 +46,7 @@
 #include "detect-metadata.h"
 #include "app-layer-parser.h"
 #include "app-layer-dnp3.h"
+#include "app-layer-dns-common.h"
 #include "app-layer-htp.h"
 #include "app-layer-htp-xff.h"
 #include "app-layer-ftp.h"
@@ -57,6 +58,7 @@
 #include "output-json.h"
 #include "output-json-alert.h"
 #include "output-json-dnp3.h"
+#include "output-json-dns.h"
 #include "output-json-http.h"
 #include "output-json-tls.h"
 #include "output-json-ssh.h"
@@ -185,6 +187,35 @@ static void AlertJsonDnp3(const Flow *f, json_t *js)
     return;
 }
 
+static void AlertJsonDns(const Flow *f, json_t *js)
+{
+#ifndef HAVE_RUST
+    DNSState *dns_state = (DNSState *)FlowGetAppState(f);
+    if (dns_state) {
+        uint64_t tx_id = AppLayerParserGetTransactionLogId(f->alparser);
+        DNSTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_DNS,
+                                                 dns_state, tx_id);
+        if (tx) {
+            json_t *dnsjs = json_object();
+            if (unlikely(dnsjs == NULL)) {
+                return;
+            }
+
+            json_t *qjs = JsonDNSLogQuery(tx, tx_id);
+            if (qjs != NULL) {
+                json_object_set_new(dnsjs, "query", qjs);
+            }
+            json_t *ajs = JsonDNSLogAnswer(tx, tx_id);
+            if (ajs != NULL) {
+                json_object_set_new(dnsjs, "answer", ajs);
+            }
+            json_object_set_new(js, "dns", dnsjs);
+        }
+    }
+#endif
+    return;
+}
+
 static void AlertJsonSourceTarget(const Packet *p, const PacketAlert *pa,
         json_t *js, json_t* ajs)
 {
@@ -478,6 +509,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             AlertJsonDnp3(p->flow, js);
         }
+        if (proto == ALPROTO_DNS) {
+            AlertJsonDns(p->flow, js);
+        }
     }
 
     if (p->flow) {
@@ -493,7 +527,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
         }
     }
 
-    /* payload */
     if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
         int stream = (p->proto == IPPROTO_TCP) ?
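Review bot: AlertJsonDns attaches `"dns"` to the alert even when both JsonDNSLogQuery and JsonDNSLogAnswer return NULL, so such alerts carry an empty `"dns": {}` object that consumers cannot tell apart from a real but empty transaction; before the final set I would add `if (json_object_size(dnsjs) == 0) { json_decref(dnsjs); return; }`. The whole body is also wrapped in `#ifndef HAVE_RUST`, so a Rust-enabled build silently emits no dns section while the caller in the `@@ -478` hunk still dispatches on ALPROTO_DNS; a comment at the `#ifndef`, e.g. `/* Rust DNS parser not supported here yet: alerts get no dns object */`, would keep that gap from being read as a logging failure. The transaction is picked via AppLayerParserGetTransactionLogId(f->alparser), mirroring AlertJsonDnp3 above, which I assume is the next transaction to be logged rather than necessarily the one the alert fired on; if so, that caveat belongs in the same comment since the dns block is what an analyst will attribute the alert to.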