From: Jeff Lucovsky
Date: Thu, 4 Jun 2020 12:37:12 +0000 (-0400)
Subject: output/json: Include fileinfo in alerts
X-Git-Tag: suricata-6.0.0-beta1~323
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff9274585176ab21dcfff3ad4e541dcc998b8d46;p=thirdparty%2Fsuricata.git
output/json: Include fileinfo in alerts
This commit adds fileinfo to alerts when `metadata` is configured.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index d4bde83059..8df256df06 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -565,6 +565,31 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 }
 }
+ /* including fileinfo data is configured by the metadata setting */
+ if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
+ FileContainer *ffc = AppLayerParserGetFiles(p->flow,
+ p->flowflags & FLOW_PKT_TOSERVER ? STREAM_TOSERVER:STREAM_TOCLIENT);
+ if (ffc != NULL) {
+ File *file = ffc->head;
+ bool isopen = false;
+ while (file) {
+ if (pa->tx_id == file->txid) {
+ if (!isopen) {
+ isopen = true;
+ jb_open_array(jb, "fileinfo");
+ }
+ jb_start_object(jb);
+ EveFileInfo(jb, file, file->flags & FILE_STORED);
+ jb_close(jb);
+ }
+ file = file->next;
+ }
+ if (isopen) {
+ jb_close(jb);
+ }
+ }
+ }
+
 if (p->flow) {
 EveAddAppProto(p->flow, jb);
 if (json_output_ctx->flags & LOG_JSON_FLOW) {
diff --git a/src/output-json-file.c b/src/output-json-file.c
index 378bf6f799..64fa1f55ad 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -174,7 +174,9 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
 jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
- JsonFileInfo(js, ff, stored);
+ jb_open_object(js, "fileinfo");
+ EveFileInfo(js, ff, stored);
+ jb_close(js);
 /* xff header */
 if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) {
diff --git a/src/output-json.c b/src/output-json.c
index 6f7e8c3bf6..dd7467d0e9 100644
--- a/src/output-json.c
+++ b/src/output-json.c
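Review bot: `AppLayerParserGetFiles(p->flow, …)` in the new AlertJson block is reached without checking `p->flow`, while the context line right below it (`if (p->flow) {`) shows the flow can be absent at this point, so a flow-less alert with metadata logging enabled hands a NULL flow to the lookup, which I would not expect it to tolerate; fold the check into the guard, `if ((json_output_ctx->flags & LOG_JSON_RULE_METADATA) && p->flow != NULL) {`. The match `pa->tx_id == file->txid` also runs for alerts that are not transaction-bound, where `tx_id` presumably still holds its default and could pair with a file whose txid happens to be 0; if the alert records tx validity in its flags (PACKET_ALERT_FLAG_TX, if that is the name in this tree), test it as part of the same condition. Since `&` binds tighter than `?:` the direction argument evaluates as intended, but writing `(p->flowflags & FLOW_PKT_TOSERVER) ? STREAM_TOSERVER : STREAM_TOCLIENT` makes that explicit for the next reader. AlertJson, `pa` and `json_output_ctx` are all defined outside the hunk.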
@@ -152,30 +152,27 @@ json_t *JsonAddStringN(const char *string, size_t size)
 return SCJsonString(tmpbuf);
 }
-void JsonFileInfo(JsonBuilder *js, const File *ff, const bool stored)
+void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
 {
- /* Open the fileinfo object. */
- jb_open_object(js, "fileinfo");
-
 size_t filename_size = ff->name_len * 2 + 1;
 char filename_string[filename_size];
 BytesToStringBuffer(ff->name, ff->name_len, filename_string, filename_size);
- jb_set_string(js, "filename", filename_string);
+ jb_set_string(jb, "filename", filename_string);
- jb_open_array(js, "sid");
+ jb_open_array(jb, "sid");
 for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
- jb_append_uint(js, ff->sid[i]);
+ jb_append_uint(jb, ff->sid[i]);
 }
- jb_close(js);
+ jb_close(jb);
 #ifdef HAVE_MAGIC
 if (ff->magic)
- jb_set_string(js, "magic", (char *)ff->magic);
+ jb_set_string(jb, "magic", (char *)ff->magic);
 #endif
- jb_set_bool(js, "gaps", ff->flags & FILE_HAS_GAPS);
+ jb_set_bool(jb, "gaps", ff->flags & FILE_HAS_GAPS);
 switch (ff->state) {
 case FILE_STATE_CLOSED:
- jb_set_string(js, "state", "CLOSED");
+ JB_SET_STRING(jb, "state", "CLOSED");
 #ifdef HAVE_NSS
 if (ff->flags & FILE_MD5) {
 size_t x;
@@ -184,7 +181,7 @@ void JsonFileInfo(JsonBuilder *js, const File *ff, const bool stored)
 for (i = 0, x = 0; x < sizeof(ff->md5); x++) {
 i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]);
 }
- jb_set_string(js, "md5", str);
+ jb_set_string(jb, "md5", str);
 }
 if (ff->flags & FILE_SHA1) {
 size_t x;
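Review bot: With `jb_open_object(js, "fileinfo")` removed at the top of EveFileInfo here and the matching `jb_close(js)` removed in the `@@ -216` hunk of the same file, the function now writes its keys into whatever container the caller currently has open, and neither this definition nor the declaration in the output-json.h hunk states that contract; add a header comment such as `/** Emit the fileinfo fields of ff into the JsonBuilder container the caller has open; the caller opens and closes the enclosing object or array element (see JsonBuildFileInfoRecord and AlertJson). */`. The declaration in output-json.h still names the first parameter `js` while the definition renames it to `jb`; aligning the prototype avoids a misleading mismatch. Unrelated to the rename, the context line `char filename_string[filename_size];` is a VLA sized from `ff->name_len`, a value that originates in the parsed traffic; if `name_len` is not capped elsewhere, a bounded or heap buffer would avoid traffic-controlled stack use — pre-existing, noted for follow-up. The function body continues past the end of this hunk.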
@@ -193,18 +190,18 @@ void JsonFileInfo(JsonBuilder *js, const File *ff, const bool stored)
 for (i = 0, x = 0; x < sizeof(ff->sha1); x++) {
 i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]);
 }
- jb_set_string(js, "sha1", str);
+ jb_set_string(jb, "sha1", str);
 }
 #endif
 break;
 case FILE_STATE_TRUNCATED:
- JB_SET_STRING(js, "state", "TRUNCATED");
+ JB_SET_STRING(jb, "state", "TRUNCATED");
 break;
 case FILE_STATE_ERROR:
- JB_SET_STRING(js, "state", "ERROR");
+ JB_SET_STRING(jb, "state", "ERROR");
 break;
 default:
- JB_SET_STRING(js, "state", "UNKNOWN");
+ JB_SET_STRING(jb, "state", "UNKNOWN");
 break;
 }
@@ -216,26 +213,23 @@ void JsonFileInfo(JsonBuilder *js, const File *ff, const bool stored)
 for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
 i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
 }
- jb_set_string(js, "sha256", str);
+ jb_set_string(jb, "sha256", str);
 }
 #endif
 if (stored) {
- jb_set_bool(js, "stored", true);
- jb_set_uint(js, "file_id", ff->file_store_id);
+ JB_SET_TRUE(jb, "stored");
+ jb_set_uint(jb, "file_id", ff->file_store_id);
 } else {
- jb_set_bool(js, "stored", false);
+ JB_SET_FALSE(jb, "stored");
 }
- jb_set_uint(js, "size", FileTrackedSize(ff));
+ jb_set_uint(jb, "size", FileTrackedSize(ff));
 if (ff->end > 0) {
- jb_set_uint(js, "start", ff->start);
- jb_set_uint(js, "end", ff->end);
+ jb_set_uint(jb, "start", ff->start);
+ jb_set_uint(jb, "end", ff->end);
 }
- jb_set_uint(js, "tx_id", ff->txid);
-
- /* Close fileinfo object */
- jb_close(js);
+ jb_set_uint(jb, "tx_id", ff->txid);
 }
 static void JsonAddPacketvars(const Packet *p, json_t *js_vars)
diff --git a/src/output-json.h b/src/output-json.h
index 86ff211b69..4428aacd9d 100644
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -72,7 +72,7 @@ int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
 void CreateJSONFlowId(json_t *js, const Flow *f);
 void CreateEveFlowId(JsonBuilder *js, const Flow *f);
 void JsonTcpFlags(uint8_t flags, json_t *js);
-void JsonFileInfo(JsonBuilder *js, const File *file, const bool stored);
+void EveFileInfo(JsonBuilder *js, const File *file, const bool stored);
 void EveTcpFlags(uint8_t flags, JsonBuilder *js);
 void JsonPacket(const Packet *p, json_t *js, unsigned long max_length);
 void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length);