From: Eric Leblond
Date: Wed, 21 Jun 2017 17:50:11 +0000 (+0200)
Subject: output-json-alert: add app_proto or flow to events
X-Git-Tag: suricata-4.0.0-rc1~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da9005c404f281badd3bb4ccee675560fae2d359;p=thirdparty%2Fsuricata.git

output-json-alert: add app_proto or flow to events

This patch adds a partial flow entry in the alert event (if applayer or flow is selected) or simply app_proto if it is not. app_proto is useful as filter and aggregation field. And the partial flow entry contains more information about the proto as well as some volumetry info.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 6931ba2617..460ae7a73e 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -61,6 +61,7 @@
 #include "output-json-smtp.h"
 #include "output-json-email-common.h"
 #include "output-json-nfs.h"
+#include "output-json-flow.h"
 #include "util-byte.h"
 #include "util-privs.h"
@@ -85,8 +86,9 @@
 #define LOG_JSON_DNP3 BIT_U16(8)
 #define LOG_JSON_VARS BIT_U16(9)
 #define LOG_JSON_APP_LAYER BIT_U16(10)
+#define LOG_JSON_FLOW BIT_U16(11)
 
-#define LOG_JSON_APP_LAYER_ALL (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3)
+#define LOG_JSON_APP_LAYER_ALL (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3|LOG_JSON_FLOW)
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -442,6 +444,20 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
         JsonAddVars(p, p->flow, js);
     }
 
+    if (p->flow) {
+        if (json_output_ctx->flags & LOG_JSON_FLOW) {
+            hjs = json_object();
+            if (hjs != NULL) {
+                JsonAddFlow(p->flow, js, hjs);
+                json_object_set_new(js, "flow", hjs);
+            }
+        } else {
+            json_object_set_new(js, "app_proto",
+                    json_string(AppProtoToString(p->flow->alproto)));
+        }
+    }
+
+
     /* payload */
     if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
         int stream = (p->proto == IPPROTO_TCP) ?
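Review bot: Folding LOG_JSON_FLOW into LOG_JSON_APP_LAYER_ALL means an existing `applayer: yes` configuration now also emits the partial flow object on every alert, which the macro name no longer conveys and which grows event size for deployments that never opted into `flow`. The commit message says this pairing is intended, so a comment at the definition would stop the next reader from "fixing" it: `/* LOG_JSON_FLOW is deliberately part of APP_LAYER_ALL: applayer also logs the partial flow record */`.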
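Review bot: On the LOG_JSON_FLOW path a failed `json_object()` silently drops both the `flow` object and the top-level `app_proto`, whereas the other branch always emits `app_proto`, so an allocation failure changes the event shape that downstream filters and aggregations key on. Falling through to the `app_proto` branch when `hjs` is NULL keeps the field present in both modes; `hjs` is presumably declared earlier in AlertJson, which continues outside the hunk, so the rewrite below reuses it.
```c
    if (p->flow) {
        /* flow object only when requested; if its allocation fails, fall
         * back to the bare app_proto so the field is never missing */
        hjs = (json_output_ctx->flags & LOG_JSON_FLOW) ? json_object() : NULL;
        if (hjs != NULL) {
            JsonAddFlow(p->flow, js, hjs);
            json_object_set_new(js, "flow", hjs);
        } else {
            json_object_set_new(js, "app_proto",
                    json_string(AppProtoToString(p->flow->alproto)));
        }
    }
    /* … unchanged: payload section … */
```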
@@ -750,7 +766,13 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
     const char *dnp3 = ConfNodeLookupChildValue(conf, "dnp3");
     const char *vars = ConfNodeLookupChildValue(conf, "vars");
     const char *applayer = ConfNodeLookupChildValue(conf, "applayer");
+    const char *flow = ConfNodeLookupChildValue(conf, "flow");
 
+    if (flow != NULL) {
+        if (ConfValIsTrue(flow)) {
+            json_output_ctx->flags |= LOG_JSON_FLOW;
+        }
+    }
     if (vars != NULL) {
         if (ConfValIsTrue(vars)) {
             json_output_ctx->flags |= LOG_JSON_VARS;
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 19f94bab3c..f715cc04f1 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -177,17 +177,8 @@ static json_t *CreateJSONHeaderFromFlow(Flow *f, const char *event_type)
     return js;
 }
 
-/* JSON format logging */
-static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
+void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
 {
-#if 0
-    LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;
-#endif
-    json_t *hjs = json_object();
-    if (hjs == NULL) {
-        return;
-    }
-
     json_object_set_new(js, "app_proto", json_string(AppProtoToString(f->alproto)));
 
     if (f->alproto_ts != f->alproto) {
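Review bot: The new `flow` option is parsed here but nothing in the patch documents it, and since the same commit folds LOG_JSON_FLOW into LOG_JSON_APP_LAYER_ALL the key is presumably redundant whenever `applayer` is enabled (assuming `applayer` sets that mask, which is not visible in the hunk). A one-line comment at the lookup would make the relationship explicit: `/* "flow": add a partial flow record to each alert; also implied by "applayer" */`. The nested `if (flow != NULL) { if (ConfValIsTrue(flow))` mirrors the `vars` block, so the style is consistent. The enclosing function starts and ends outside the hunk.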
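Review bot: JsonAddFlow becomes an exported function with no comment, and its contract is easy to get wrong: it writes `app_proto` into `js` (the event root) while the remaining fields, such as `bytes_toclient` and `start` in the next hunk, go into `hjs`, which the caller must allocate and later attach itself. A doc comment above the definition should state exactly that split and the ownership of `hjs`; the parameter could also be `const Flow *f` if the rest of the body, which continues outside the hunk, only reads from the flow as the visible lines do.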
@@ -216,12 +207,26 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
     json_object_set_new(hjs, "bytes_toclient", json_integer(f->tosrcbytecnt));
 
-    char timebuf1[64], timebuf2[64];
-
+    char timebuf1[64];
     CreateIsoTimeString(&f->startts, timebuf1, sizeof(timebuf1));
-    CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
-
     json_object_set_new(hjs, "start", json_string(timebuf1));
+}
+
+/* JSON format logging */
+static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
+{
+#if 0
+    LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;
+#endif
+    json_t *hjs = json_object();
+    if (hjs == NULL) {
+        return;
+    }
+
+    JsonAddFlow(f, js, hjs);
+
+    char timebuf2[64];
+    CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
     json_object_set_new(hjs, "end", json_string(timebuf2));
 
     int32_t age = f->lastts.tv_sec - f->startts.tv_sec;
diff --git a/src/output-json-flow.h b/src/output-json-flow.h
index 439af93857..0e105819c8 100644
--- a/src/output-json-flow.h
+++ b/src/output-json-flow.h
@@ -25,5 +25,8 @@
 #define __OUTPUT_JSON_FLOW_H__
 
 void JsonFlowLogRegister(void);
+#ifdef HAVE_LIBJANSSON
+void JsonAddFlow(Flow *f, json_t *js, json_t *hjs);
+#endif /* HAVE_LIBJANSSON */
 
 #endif /* __OUTPUT_JSON_FLOW_H__ */
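Review bot: The `#if 0` block around `LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;` is carried over verbatim into the re-created JsonFlowLogJSON; since the commit already rewrites this function, that dead code should be dropped rather than moved, and in the visible lines it is the only use of `aft`. The reinstated `/* JSON format logging */` comment could also say what the split now means, e.g. `/* Full flow event: JsonAddFlow() fills the fields shared with alerts, this adds end and age. */`. JsonFlowLogJSON continues outside the hunk.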
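Review bot: The new prototype names `Flow` and `json_t`, but whether output-json-flow.h includes flow.h and jansson.h above line 25 is not visible here; if it does not, the header is only usable by translation units that already include those first, as output-json-alert.c evidently does. A public declaration should also carry a short doc comment, e.g. `/** Add app_proto to js and the per-flow fields to hjs; caller owns hjs. */`, so users of the header do not have to read output-json-flow.c to learn which object receives which key.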