From: Maurizio Abba Date: Fri, 3 Aug 2018 12:51:13 +0000 (+0100) Subject: eve/http: add tx->request_port_number as http_port X-Git-Tag: suricata-4.1.0-rc2~121 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bce7c2dd87fe9fbf149e68848f4713b3c21e57cf;p=thirdparty%2Fsuricata.git eve/http: add tx->request_port_number as http_port Add the port specified in the hostname (if any) to the http object in eve. The port may be different from the dest_port used by the TCP flow. --- diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst index da757f6d61..1a0cf09dc1 100644 --- a/doc/userguide/output/eve/eve-json-format.rst +++ b/doc/userguide/output/eve/eve-json-format.rst @@ -180,6 +180,21 @@ Event with non-extended logging: "http_content_type": "application\/x-gzip" } +In case the hostname shows a port number, such as in case there is a header "Host: www.test.org:1337": + +:: + + + "http": { + "http_port": 1337, + "hostname": "www.test.org", + "url" :"\/this\/is\/test.tar.gz", + "http_user_agent": "", + "http_content_type": "application\/x-gzip" + } + + + Event with extended logging: :: diff --git a/src/output-json-http.c b/src/output-json-http.c index 17962de9b0..ebb239b40c 100644 --- a/src/output-json-http.c +++ b/src/output-json-http.c @@ -202,6 +202,18 @@ static void JsonHttpLogJSONBasic(json_t *js, htp_tx_t *tx) } } + /* port */ + /* NOTE: this field will be set ONLY if the port is present in the + * hostname. It may be present in the header "Host" or in the URL. + * There is no connection (from the suricata point of view) between this + * port and the TCP destination port of the flow. + */ + if (tx->request_port_number >= 0) + { + json_object_set_new(js, "http_port", + json_integer(tx->request_port_number)); + } + /* uri */ if (tx->request_uri != NULL) {
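Review bot: In the doc/userguide/output/eve/eve-json-format.rst hunk, the new paragraph covers only the "Host: www.test.org:1337" header case, while the comment added in src/output-json-http.c says the port "may be present in the header "Host" or in the URL". The documentation should name both sources, say that http_port is omitted when the hostname carries no port, and say that the value is independent of the flow's dest_port, which is the distinction the commit message draws and the one a log consumer needs before correlating the two fields. In the example, `"url" :"\/this\/is\/test.tar.gz"` has the space on the wrong side of the colon compared with the other keys, and the extra blank lines after `::` and after the closing brace can be trimmed.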
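Review bot: In the JsonHttpLogJSONBasic hunk of src/output-json-http.c, the opening brace of `if (tx->request_port_number >= 0)` sits on its own line, while the adjacent context line `if (tx->request_uri != NULL) {` keeps it on the same line; move the brace up to match. The `>= 0` test implies that a negative request_port_number means no port was parsed, so the comment should state that sentinel explicitly, so the condition is not read as a range check on the port value. The `/* port */` label and the NOTE that follows it can be merged into a single comment block.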