From 2d7f79a62bc1ad75dd5d97b1a43710a5b36552cc Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 21 Oct 2014 19:27:34 +0200
Subject: [PATCH] drop json log: log out 'drop' signature

If no normal sig was logged as the 'drop' reason, try the stored drop signature instead, this will also log out 'noalert' sigs.
---
 src/output-json-drop.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index fc4b4eb36d..9f457ab7df 100644
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -142,6 +142,7 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
 json_object_set_new(js, "drop", djs);
 
 if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
+ int logged = 0;
 int i;
 for (i = 0; i < p->alerts.cnt; i++) {
 const PacketAlert *pa = &p->alerts.alerts[i];
@@ -152,6 +153,13 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
 ((pa->action & ACTION_DROP) && EngineModeIsIPS())) {
 AlertJsonHeader(pa, js);
+ logged = 1;
+ }
+ }
+ if (logged == 0) {
+ if (p->alerts.drop.action != 0) {
+ const PacketAlert *pa = &p->alerts.drop;
+ AlertJsonHeader(pa, js);
 }
 }
 }
 
@@ -365,6 +373,8 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
 
 if (p->flow != NULL) {
 int ret = FALSE;
+
+ /* for a flow that will be dropped fully, log just once per direction */
 FLOWLOCK_RDLOCK(p->flow);
 if (p->flow->flags & FLOW_ACTION_DROP) {
 if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
@@ -373,6 +383,11 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
 ret = TRUE;
 }
 FLOWLOCK_UNLOCK(p->flow);
+
+ /* if drop is caused by signature, log anyway */
+ if (p->alerts.drop.action != 0)
+ ret = TRUE;
+
 return ret;
 } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
 return TRUE;
-- 
2.47.2
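Review bot: `int logged = 0;` is a boolean flag in a file that spells its booleans with the TRUE/FALSE macros (see `int ret = FALSE;` in JsonDropLogCondition later in this same patch), so `int logged = FALSE;` would match the local convention, with the later `logged = 1;` and `if (logged == 0)` becoming `logged = TRUE;` and `if (!logged)`. A short comment on the declaration would also tell a reader what the flag gates, e.g. `/* set once an alert has been written as the drop reason; otherwise fall back to p->alerts.drop */`. DropLogJSON starts before this hunk and continues after it.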
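Review bot: The fallback `if (p->alerts.drop.action != 0)` treats a non-zero action as proof that a drop signature was recorded for this packet, which is only sound if `p->alerts.drop` is cleared every time a packet is (re)initialised; that clearing is not visible in this hunk, and without it a stale entry from a recycled packet would be logged as this packet's drop reason. The contract deserves a one-line comment at the check, e.g. `/* action == 0 means no drop signature was stored for this packet; see packet init */`, so the next maintainer knows the sentinel is load-bearing. Separately, `logged = 1` is set for every alert that passes the loop condition, so when several alerts qualify AlertJsonHeader() is applied to the same `js` repeatedly and the stored drop signature is never consulted; if AlertJsonHeader() writes fixed keys, the reason reported is whichever alert the loop handled last, which need not be the signature that actually caused the drop (presumably the one kept in `p->alerts.drop`). If that entry is authoritative, preferring it whenever it is set, and only then falling back to the loop, would make the reported reason deterministic. The first line of the loop condition and the remainder of DropLogJSON lie outside the hunk.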
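Review bot: The new `if (p->alerts.drop.action != 0) ret = TRUE;` sits after FLOWLOCK_UNLOCK and so bypasses the once-per-direction throttle that the FLOW_TOSERVER/TOCLIENT_DROP_LOGGED checks above it provide, which means that on a flow already marked FLOW_ACTION_DROP every further packet that still carries a stored drop signature produces its own drop record; if such packets still reach detection (not visible here), a peer can drive drop-log volume at packet rate instead of two records per flow. If that is the intent, the comment should say so rather than just "log anyway", e.g. `/* a signature-caused drop is logged for every packet, even on a flow whose drop was already logged per direction */`; if it is not, the check belongs inside the locked block so the per-direction flags still bound it. The `action != 0` test is the same "drop signature present" sentinel used in DropLogJSON earlier in this patch, and keeping the two in one place would stop them drifting apart. JsonDropLogCondition continues past the end of the hunk.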