From 234a3a890bb16141d5fb67b12e239ad52c7edf4c Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Fri, 27 Jan 2017 12:50:08 +0100
Subject: [PATCH] output-json-alert: print 'tunnel' JSON object if tunnel

Log src_ip, dst_ip and proto for root packet (p->root) if the packet that triggered is inside a tunnel, as JSON object 'tunnel'.

Also log recursion depth to indicate the depth of the tunnel.
---
 src/output-json-alert.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 031bebb17d..135ee618ed 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -218,6 +218,29 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
     json_object_set_new(js, "alert", ajs);
 }
 
+static void AlertJsonTunnel(const Packet *p, json_t *js)
+{
+    json_t *tunnel = json_object();
+    if (tunnel == NULL)
+        return;
+
+    if (p->root == NULL) {
+        json_decref(tunnel);
+        return;
+    }
+
+    /* get a lock to access root packet fields */
+    SCMutex *m = &p->root->tunnel_mutex;
+
+    SCMutexLock(m);
+    JsonFiveTuple((const Packet *)p->root, 0, tunnel);
+    SCMutexUnlock(m);
+
+    json_object_set_new(tunnel, "depth", json_integer(p->recursion_level));
+
+    json_object_set_new(js, "tunnel", tunnel);
+}
+
 static void AlertJsonPacket(const Packet *p, json_t *js)
 {
     unsigned long len = GET_PKT_LEN(p) * 2;
@@ -261,6 +284,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
     /* alert */
     AlertJsonHeader(p, pa, js);
 
+    if (IS_TUNNEL_PKT(p)) {
+        AlertJsonTunnel(p, js);
+    }
+
     if (json_output_ctx->flags & LOG_JSON_HTTP) {
         if (p->flow != NULL) {
             uint16_t proto = FlowGetAppProtocol(p->flow);
-- 
2.47.2
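Review bot: AlertJsonTunnel allocates the `tunnel` object before it knows whether a root packet exists, so the `p->root == NULL` branch pays for a `json_object()` and a `json_decref()` it never needed, and that branch is the function's only cleanup path. Testing the root first removes it: `if (p->root == NULL) return;` followed by `json_t *tunnel = json_object(); if (tunnel == NULL) return;`. The new function also has no header comment; a short one stating that it adds a `tunnel` object holding the root packet's five-tuple plus the recursion depth, and that the root's fields are read under `tunnel_mutex` while `depth` is taken from `p` itself and so needs no lock, would make the lock scope clear to the next reader. The `(const Packet *)p->root` cast looks unnecessary if `root` is already a `Packet` pointer — confirm against the struct definition.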
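Review bot: The `IS_TUNNEL_PKT(p)` guard does not by itself exclude the outer packet: if that flag is also set on the root packet (which the callee's own `p->root == NULL` test suggests), an alert on the outer packet enters AlertJsonTunnel only to return without emitting anything. That is safe, but the guard reads as if it were the full condition, so a one-line comment would help: `/* only encapsulated packets have a root; the outer packet gets no 'tunnel' object */`. AlertJson starts and ends outside this hunk.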