From: Jeff Lucovsky
Date: Sat, 28 Sep 2019 13:00:24 +0000 (-0400)
Subject: logging/alert: Warn if metadata not selected
X-Git-Tag: suricata-5.0.0~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95879c0d5ab402d63392f983358bb0449336082a;p=thirdparty%2Fsuricata.git

logging/alert: Warn if metadata not selected

Warn when HTTP body logging has been selected but applayer/metadata logging is not configured.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index f6e0d6a8ce..419b15e58d 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -97,6 +97,8 @@
 LOG_JSON_APP_LAYER | \
 LOG_JSON_RULE_METADATA)
+#define JSON_BODY_LOGGING (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
+
 #define JSON_STREAM_BUFFER_SIZE 4096
 typedef struct AlertJsonOutputCtx_ {
@@ -810,6 +812,7 @@ static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint1
 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
 ConfNode *conf)
 {
+ static bool warn_no_meta = false;
 uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
 uint16_t flags = METADATA_DEFAULTS;
@@ -868,6 +871,15 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
 }
 }
+ if (!warn_no_meta && flags & JSON_BODY_LOGGING) {
+ if (((flags & LOG_JSON_APP_LAYER) == 0)) {
+ SCLogWarning(SC_WARN_ALERT_CONFIG, "HTTP body logging has been configured, however, "
+ "metadata logging has not been enabled. HTTP body logging will be disabled.");
+ flags &= ~JSON_BODY_LOGGING;
+ warn_no_meta = true;
+ }
+ }
+
 json_output_ctx->payload_buffer_size = payload_buffer_size;
 }
diff --git a/src/util-error.c b/src/util-error.c
index c068094019..2b9d401454 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -364,6 +364,7 @@ const char * SCErrorToString(SCError err)
 CASE_CODE (SC_ERR_THASH_INIT);
 CASE_CODE (SC_ERR_DATASET);
 CASE_CODE (SC_WARN_ANOMALY_CONFIG);
+ CASE_CODE (SC_WARN_ALERT_CONFIG);
 CASE_CODE (SC_ERR_MAX);
 }
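Review bot: In the block added by the `-868` hunk of src/output-json-alert.c, the `warn_no_meta` static (declared in the `-810` hunk) gates the flag clearing as well as the warning, so `flags &= ~JSON_BODY_LOGGING;` runs only the first time the misconfiguration is seen. If JsonAlertLogSetupMetadata runs again for another alert output (its callers are outside the diff, so this is inferred), that instance keeps the HTTP body flags set without app-layer metadata and logs no warning, which contradicts the "HTTP body logging will be disabled" message and can leave outputs behaving differently with nothing in the log to explain it. Test the configuration first with `if ((flags & JSON_BODY_LOGGING) && (flags & LOG_JSON_APP_LAYER) == 0) {`, always clear the flags inside it, and wrap only the `SCLogWarning` call and `warn_no_meta = true;` in `if (!warn_no_meta) {`. The function body starts before and continues past these hunks.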
diff --git a/src/util-error.h b/src/util-error.h
index 060490b389..0897b02651 100644
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -354,6 +354,7 @@ typedef enum {
 SC_ERR_THASH_INIT,
 SC_ERR_DATASET,
 SC_WARN_ANOMALY_CONFIG,
+ SC_WARN_ALERT_CONFIG,
 SC_ERR_MAX
 } SCError;