From: Eric Leblond Date: Sun, 2 Oct 2022 12:42:21 +0000 (+0200) Subject: eve/alert: add src and dest info to flow in alert X-Git-Tag: suricata-7.0.0-beta1~107 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1300e68c96713166f1d2855aae188ce5f276a59;p=thirdparty%2Fsuricata.git eve/alert: add src and dest info to flow in alert When looking at an alert event, it was impossible to determine which side from src or dest IP in the alert was the client and wich side was the server with regards to the underlying flow. This was a problem when you try to known who belongs a metadata property such as a HTTP hostname or a TLS JA3. This patch updates the code to add src and dest IP in the flow subobject as well as src and dst port. This way, we can now which side is the client and which side is the server. The result is looking like: { "event_type": "alert", "src_ip": "22.47.184.196", "src_port": 81, "dest_ip": "192.168.1.47", "dest_port": 1063, "proto": "TCP", "tx_id": 0, "alert": { "signature_id": 2018959, "rev": 3, }, "app_proto": "http", "flow": { "pkts_toserver": 22, "pkts_toclient": 35, "bytes_toserver": 1370, "bytes_toclient": 48852, "start": "2009-10-28T10:01:46.755232+0100", "src_ip": "192.168.1.47", "dest_ip": "22.47.184.196", "src_port": 1063, "dest_port": 81 } }
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 026d01b6f4..9953daa4bb 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -722,6 +722,21 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 if (json_output_ctx->flags & LOG_JSON_FLOW) {
 jb_open_object(jb, "flow");
 EveAddFlow(p->flow, jb);
+ if (p->flowflags & FLOW_PKT_TOCLIENT) {
+ jb_set_string(jb, "src_ip", addr.dst_ip);
+ jb_set_string(jb, "dest_ip", addr.src_ip);
+ if (addr.sp > 0) {
+ jb_set_uint(jb, "src_port", addr.dp);
+ jb_set_uint(jb, "dest_port", addr.sp);
+ }
+ } else {
+ jb_set_string(jb, "src_ip", addr.src_ip);
+ jb_set_string(jb, "dest_ip", addr.dst_ip);
+ if (addr.sp > 0) {
+ jb_set_uint(jb, "src_port", addr.sp);
+ jb_set_uint(jb, "dest_port", addr.dp);
+ }
+ }
 jb_close(jb);
 }
 }
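Review bot: The `if (addr.sp > 0)` guard in both added branches is the only thing deciding whether ports are logged, so a packet whose source port is 0 (legal on the wire for TCP/UDP and seen in malformed or scanning traffic) gets `flow.src_ip`/`flow.dest_ip` but silently loses both port fields, and the destination port is never consulted at all; keying the guard on whether the packet's protocol carries ports, which whatever fills `addr` above the hunk presumably already knows, would keep the flow object consistent with the top-level `src_port`/`dest_port`. The two branches also differ only in which pair of values is swapped, which invites the halves drifting apart on the next edit; choosing the flow-oriented values once and emitting the four `jb_set_*` calls a single time reads more clearly, as sketched below. Because `flow.src_ip` is now the flow's client side while the top-level `src_ip` stays the packet's source (taking `FLOW_PKT_TOCLIENT` to mean the packet travels toward the client, as the swap assumes), a comment above the block, `/* flow.src_ip/dest_ip are oriented to the flow (client -> server), unlike the packet-oriented top-level fields */`, and a matching entry in the EVE output schema and documentation would save consumers from guessing which side is which. AlertJson begins and continues outside this hunk, and how `addr` is populated is not visible here.
```c
            EveAddFlow(p->flow, jb);
            /* flow.src_ip/dest_ip are oriented to the flow (client -> server),
             * unlike the packet-oriented top-level fields */
            const bool to_client = (p->flowflags & FLOW_PKT_TOCLIENT) != 0;
            const char *flow_src_ip = to_client ? addr.dst_ip : addr.src_ip;
            const char *flow_dst_ip = to_client ? addr.src_ip : addr.dst_ip;
            jb_set_string(jb, "src_ip", flow_src_ip);
            jb_set_string(jb, "dest_ip", flow_dst_ip);
            if (addr.sp > 0) { /* TODO(review): key on the protocol having ports, not on a nonzero port */
                jb_set_uint(jb, "src_port", to_client ? addr.dp : addr.sp);
                jb_set_uint(jb, "dest_port", to_client ? addr.sp : addr.dp);
            }
            /* … unchanged: jb_close(jb) … */
```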