From: Jason Ish
Date: Fri, 22 Nov 2024 21:26:49 +0000 (-0600)
Subject: output-json: drop eve records that are too long
X-Git-Tag: suricata-8.0.0-beta1~683
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d39e42728a5b84d9cefbd4329034064d71c4e268;p=thirdparty%2Fsuricata.git
output-json: drop eve records that are too long
In the situation where the mem buffer cannot be expanded to the requested size, drop the log message. For each JSON log context, a warning will be emitted once with a partial bit of the log record being dropped to identify what event types may be leading to large log records.
This also fixes the call to MemBufferExpand which is supposed be passed the amount to expand by, not the new size required.
Ticket: #7300
---
diff --git a/src/output-json.c b/src/output-json.c
index 18376fd428..4b42b6802d 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -980,8 +980,22 @@ int OutputJsonBuilderBuffer(
 size_t jslen = jb_len(js);
 DEBUG_VALIDATE_BUG_ON(jb_len(js) > UINT32_MAX);
- if (MEMBUFFER_OFFSET(*buffer) + jslen >= MEMBUFFER_SIZE(*buffer)) {
- MemBufferExpand(buffer, (uint32_t)jslen);
+ size_t remaining = MEMBUFFER_SIZE(*buffer) - MEMBUFFER_OFFSET(*buffer);
+ if (jslen >= remaining) {
+ size_t expand_by = jslen + 1 - remaining;
+ if (MemBufferExpand(buffer, (uint32_t)expand_by) < 0) {
+ if (!ctx->too_large_warning) {
+ /* Log a warning once, and include enough of the log
+ * message to hopefully identify the event_type. */
+ char partial[120];
+ size_t partial_len = MIN(sizeof(partial), jslen);
+ memcpy(partial, jb_ptr(js), partial_len - 1);
+ partial[partial_len - 1] = '\0';
+ SCLogWarning("Formatted JSON EVE record too large, will be dropped: %s", partial);
+ ctx->too_large_warning = true;
+ }
+ return 0;
+ }
 }
 MemBufferWriteRaw((*buffer), jb_ptr(js), (uint32_t)jslen);
diff --git a/src/output-json.h b/src/output-json.h
index 89597e616a..205ed445d4 100644
--- a/src/output-json.h
+++ b/src/output-json.h
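Review bot: `partial_len - 1` underflows when `jslen` is 0, because `MIN(sizeof(partial), jslen)` then yields 0 and both the `memcpy` length and the `partial[partial_len - 1]` index wrap to SIZE_MAX; a zero-length record looks unlikely for a built JsonBuilder, but the drop path is entered whenever `remaining` is 0 regardless of `jslen`, so the code should not rely on it. Reserving the terminator up front removes the subtraction entirely: `size_t partial_len = MIN(sizeof(partial) - 1, jslen);` / `memcpy(partial, jb_ptr(js), partial_len);` / `partial[partial_len] = '\0';`. Returning 0 after the drop means callers cannot distinguish a dropped record from a written one, so once the single warning has fired the loss of EVE events is invisible to operators; a per-thread dropped-record counter surfaced through the stats output would make the gap detectable instead of relying on one log line. OutputJsonBuilderBuffer begins and ends outside this hunk.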
@@ -90,6 +90,7 @@ typedef struct OutputJsonThreadCtx_ {
 OutputJsonCtx *ctx;
 LogFileCtx *file_ctx;
 MemBuffer *buffer;
+ bool too_large_warning;
 } OutputJsonThreadCtx;
 json_t *SCJsonString(const char *val);
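Review bot: The new `too_large_warning` member carries no comment explaining that it latches after the first dropped-record warning, which is the only thing that keeps the warning from repeating; suggest `bool too_large_warning; /* set once a too-large EVE record has been reported; suppresses repeat warnings */`. The one-shot behaviour also depends on the thread context being zero-initialized where it is allocated, which this diff does not show, so that is worth confirming at the allocation site.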