From: Victor Julien Date: Tue, 6 Sep 2016 09:29:09 +0000 (+0200) Subject: eve-drop: allow logging all drops X-Git-Tag: suricata-3.1.2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2225%2Fhead;p=thirdparty%2Fsuricata.git eve-drop: allow logging all drops - drop: alerts: yes # log alerts that caused drops flows: all # start or all: 'start' logs only a single drop # per flow direction. All logs each dropped pkt. --- diff --git a/src/output-json-drop.c b/src/output-json-drop.c index 5c866809b8..fd7f513ead 100644 --- a/src/output-json-drop.c +++ b/src/output-json-drop.c @@ -71,6 +71,9 @@ typedef struct JsonDropLogThread_ { MemBuffer *buffer; } JsonDropLogThread; +/* default to true as this has been the default behavior for a long time */ +static int g_droplog_flows_start = 1; + /** * \brief Log the dropped packets in netfilter format when engine is running * in inline mode @@ -282,6 +285,17 @@ static OutputCtx *JsonDropLogInitCtx(ConfNode *conf) drop_ctx->flags = LOG_DROP_ALERTS; } } + extended = ConfNodeLookupChildValue(conf, "flows"); + if (extended != NULL) { + if (strcasecmp(extended, "start") == 0) { + g_droplog_flows_start = 1; + } else if (strcasecmp(extended, "all") == 0) { + g_droplog_flows_start = 0; + } else { + SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for " + "'flow' are 'start' and 'all'"); + } + } } output_ctx->data = drop_ctx; @@ -316,6 +330,17 @@ static OutputCtx *JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx) drop_ctx->flags = LOG_DROP_ALERTS; } } + extended = ConfNodeLookupChildValue(conf, "flows"); + if (extended != NULL) { + if (strcasecmp(extended, "start") == 0) { + g_droplog_flows_start = 1; + } else if (strcasecmp(extended, "all") == 0) { + g_droplog_flows_start = 0; + } else { + SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for " + "'flow' are 'start' and 'all'"); + } + } } drop_ctx->file_ctx = ajt->file_ctx; 
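Review bot: The comment on `g_droplog_flows_start` says why the default is 1 but not what the value means, and the name alone does not tell a reader that 0 is the "log every dropped packet" mode. A comment carrying the contract would be `/* 1: log a drop once per flow direction ('flows: start'); 0: log every dropped packet ('flows: all'). Written while the drop logger config is parsed, read on the packet path. */`. Since it is a plain file-scope int read unsynchronised from the logger and condition callbacks, the comment should also state that all writers are expected to run before packet threads start, so a future runtime reload does not quietly turn this into a race.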
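Review bot: The warning in the `else` branch names the option `'flow'` while the key looked up two lines above is `"flows"` (the yaml example in this commit also uses `flows`), so an operator who mistypes the value is told to fix a key that does not exist; change the message to `"valid options for 'flows' are 'start' and 'all'"`. On an invalid value the global is left at whatever it already held, so it would also help to say which mode stays in effect rather than silently continuing. JsonDropLogInitCtx starts and ends outside the hunk.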
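Review bot: The `flows` parsing block in JsonDropLogInitCtxSub is a copy of the one in JsonDropLogInitCtx, including the `'flow'` wording in the warning, and both write the same global, so a configuration with both a standalone drop logger and an eve drop sub-logger ends up in whichever mode was parsed last. Moving the block into one static helper called from both init functions keeps the two paths from drifting and gives a single place to document that last-writer-wins behaviour. The body of JsonDropLogInitCtxSub continues outside the hunk.
```c
/* Parse the 'flows' option shared by the standalone and eve sub-logger;
 * both call this, so the last logger configured decides the global mode. */
static void JsonDropLogParseFlows(ConfNode *conf)
{
    const char *flows = ConfNodeLookupChildValue(conf, "flows");
    if (flows == NULL)
        return;
    if (strcasecmp(flows, "start") == 0) {
        g_droplog_flows_start = 1;
    } else if (strcasecmp(flows, "all") == 0) {
        g_droplog_flows_start = 0;
    } else {
        SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
                "'flows' are 'start' and 'all'");
    }
}
/* … unchanged: JsonDropLogInitCtxSub up to and including the 'alerts' handling … */
    JsonDropLogParseFlows(conf);
```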
@@ -341,6 +366,9 @@ static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p) if (r < 0) return -1; + if (!g_droplog_flows_start) + return 0; + if (p->flow) { FLOWLOCK_RDLOCK(p->flow); if (p->flow->flags & FLOW_ACTION_DROP) { @@ -374,7 +402,7 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p) return FALSE; } - if (p->flow != NULL) { + if (g_droplog_flows_start && p->flow != NULL) { int ret = FALSE; /* for a flow that will be dropped fully, log just once per direction */ diff --git a/suricata.yaml.in b/suricata.yaml.in index d2fb45f758..3512619627 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -204,7 +204,9 @@ outputs: force-magic: no # force logging magic on all logged files force-md5: no # force logging of md5 checksums #- drop: - # alerts: no # log alerts that caused drops + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. - smtp: #extended: yes # enable this for extended logging information # this includes: bcc, message-id, subject, x_mailer, user-agent
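Review bot: The new early return in JsonDropLogger sits after the `r < 0` check, i.e. presumably after the record has already been written, and skips the whole `p->flow` block that follows; that is the intended "all" semantics, but nothing says so and a reader can mistake it for an error path. A one-line comment above the `if`, such as `/* flows: all -- every dropped packet is logged, so skip the once-per-direction flow bookkeeping below */`, makes the intent explicit and ties it to the matching `g_droplog_flows_start &&` guard in JsonDropLogCondition. JsonDropLogger starts and ends outside the hunk.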
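Review bot: The `flows: all` comment should tell operators what they are opting into: in `all` mode one EVE record is emitted per dropped packet, so the log rate on a dropped flow is bounded only by how fast the remote peer keeps sending, which makes log volume (and downstream disk/SIEM cost) attacker-controlled. Suggest extending the example to `# flows: all # 'start' logs one drop per flow direction; 'all' logs every dropped packet (log volume then scales with traffic on dropped flows)`. The stray second `#` in `# # per flow direction` also reads as a commented-out comment and could be dropped.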