From: Eric Leblond Date: Mon, 15 Dec 2014 23:14:59 +0000 (+0100) Subject: output-json: fix duplicate logging X-Git-Tag: suricata-2.1beta3~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=969abc2ccd0b85924dd5c3aea55fd441a7cd9588;p=thirdparty%2Fsuricata.git output-json: fix duplicate logging This patches is fixing a issue in the OutputJSONBuffer function. It was writing to file the content of the buffer starting from the start to the final offset. But as the writing is done for each JSON string we are duplicating the previous events if we are reusing the same buffer. Duplication was for example triggered when we have multiple alerts attached to a packet. In the case of two alerts, the first one was logged twice more as the second one. --- diff --git a/src/output-json-alert.c b/src/output-json-alert.c index ed6b3b4373..cd1168aa2d 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -134,8 +134,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) if (p->alerts.cnt == 0) return TM_ECODE_OK; - MemBufferReset(aft->json_buffer); - json_t *js = CreateJSONHeader((Packet *)p, 0, "alert"); if (unlikely(js == NULL)) return TM_ECODE_OK; @@ -159,6 +157,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) return TM_ECODE_OK; } + MemBufferReset(aft->json_buffer); + json_object_set_new(ajs, "action", json_string(action)); json_object_set_new(ajs, "gid", json_integer(pa->s->gid)); json_object_set_new(ajs, "signature_id", json_integer(pa->s->id)); @@ -303,11 +303,11 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const if (p->alerts.cnt == 0) return TM_ECODE_OK; - MemBufferReset(buffer); - CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf)); for (i = 0; i < p->alerts.cnt; i++) { + MemBufferReset(buffer); + const PacketAlert *pa = &p->alerts.alerts[i]; if (unlikely(pa->s == NULL)) { continue;
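Review bot: The relocated `MemBufferReset(aft->json_buffer);` in AlertJson has no comment saying why it must run once per alert, so a later cleanup could hoist it back out as loop-invariant and reintroduce duplicated alert records in the JSON log. I would add above it `/* Reset per alert: OutputJSONBuffer writes the buffer from its start, so leftover content would be logged again. */`; the same comment fits the `MemBufferReset(buffer);` moved into the loop in AlertJsonDecoderEvent. Going by the commit message, the write-from-start behaviour lives in OutputJSONBuffer, which is not part of this diff, so other callers that reuse one buffer across calls may need the same reset and are worth checking. The enclosing loop and function body start and end outside the hunk.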
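Review bot: In AlertJsonDecoderEvent the new `MemBufferReset(buffer);` sits ahead of the `pa` declaration and the `pa->s == NULL` check, whereas in AlertJson the reset comes after the early exit. Moving it below the guard keeps the declaration at the top of the loop body and makes the two functions read the same way: `if (unlikely(pa->s == NULL)) { continue; }` followed by `MemBufferReset(buffer);`. Nothing in the visible lines writes to the buffer before the guard, so this looks like a readability change only. The loop body continues outside the hunk.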