Merge pull request #1074 in SNORT/snort3 from json_update to master

author Russ Combs (rucombs) <rucombs@cisco.com>

Tue, 21 Nov 2017 15:30:17 +0000 (10:30 -0500)

committer Russ Combs (rucombs) <rucombs@cisco.com>

Tue, 21 Nov 2017 15:30:17 +0000 (10:30 -0500)
author Russ Combs (rucombs) <rucombs@cisco.com>
Tue, 21 Nov 2017 15:30:17 +0000 (10:30 -0500)
committer Russ Combs (rucombs) <rucombs@cisco.com>
Tue, 21 Nov 2017 15:30:17 +0000 (10:30 -0500)
diff --git a/extra/src/loggers/alert_json/alert_json.cc b/extra/src/loggers/alert_json/alert_json.cc

index dcc872f71281c96113867a58a67aba4f57462501..062d06d4eccbbf5c513216759b42f0150ac66897 100644 (file)
--- a/extra/src/loggers/alert_json/alert_json.cc
+++ b/extra/src/loggers/alert_json/alert_json.cc
@@ -202,7 +202,7 @@ static bool ff_eth_len(Args& a)
          return false;
  
      print_label(a, "eth_len");
-    TextLog_Print(json_log, "0x%X", a.pkt->pkth->pktlen);
+    TextLog_Print(json_log, "%u", a.pkt->pkth->pktlen);
      return true;
  }
  
@@ -228,7 +228,7 @@ static bool ff_eth_type(Args& a)
      const eth::EtherHdr* eh = layer::get_eth_layer(a.pkt);
  
      print_label(a, "eth_type");
-    TextLog_Print(json_log, "0x%X", ntohs(eh->ether_type));
+    TextLog_Print(json_log, "\"0x%X\"", ntohs(eh->ether_type));
      return true;
  }
  
@@ -315,7 +315,7 @@ static bool ff_ip_len(Args& a)
  static bool ff_msg(Args& a)
  {
      print_label(a, "msg");
-    TextLog_Quote(json_log, a.msg);
+    TextLog_Puts(json_log, a.msg);
      return true;
  }
  
@@ -394,6 +394,13 @@ static bool ff_rule(Args& a)
      return true;
  }
  
+static bool ff_seconds(Args& a)
+{
+    print_label(a, "seconds");
+    TextLog_Print(json_log, "%u",  a.pkt->pkth->ts.tv_sec);
+    return true;
+}
+
  static bool ff_service(Args& a)
  {
      const char* svc = "unknown";
@@ -599,7 +606,7 @@ static const JsonFunc json_func[] =
      ff_dst_port, ff_eth_dst, ff_eth_len, ff_eth_src, ff_eth_type, ff_gid,
      ff_icmp_code, ff_icmp_id, ff_icmp_seq, ff_icmp_type, ff_iface, ff_ip_id,
      ff_ip_len, ff_msg, ff_mpls, ff_pkt_gen, ff_pkt_len, ff_pkt_num, ff_priority,
-    ff_proto, ff_rev, ff_rule, ff_service, ff_sid, ff_src_addr, ff_src_ap,
+    ff_proto, ff_rev, ff_rule, ff_seconds, ff_service, ff_sid, ff_src_addr, ff_src_ap,
      ff_src_port, ff_target, ff_tcp_ack, ff_tcp_flags, ff_tcp_len, ff_tcp_seq,
      ff_tcp_win, ff_timestamp, ff_tos, ff_ttl, ff_udp_len, ff_vlan
  };
@@ -609,7 +616,7 @@ static const JsonFunc json_func[] =
      "dst_port | eth_dst | eth_len | eth_src | eth_type | gid | " \
      "icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | " \
      "ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | " \
-    "proto | rev | rule | service | sid | src_addr | src_ap | " \
+    "proto | rev | rule | seconds | service | sid | src_addr | src_ap | " \
      "src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | " \
      "tcp_win | timestamp | tos | ttl | udp_len | vlan"
  
diff --git a/src/loggers/alert_csv.cc b/src/loggers/alert_csv.cc

index 49bf58e78bd6afd08ecd1c9a6acb61770326f536..34d42633e75e2fa2094a416423d79075198ebc0c 100644 (file)
--- a/src/loggers/alert_csv.cc
+++ b/src/loggers/alert_csv.cc
@@ -89,6 +89,8 @@ static void ff_b64_data(Args& a)
      unsigned nin = 0;
      Base64Encoder b64;
  
+    TextLog_Putc(csv_log, '"');
+
      while ( nin < a.pkt->dsize )
      {
          unsigned kin = min(a.pkt->dsize-nin, block_size);
@@ -99,6 +101,8 @@ static void ff_b64_data(Args& a)
  
      if ( unsigned kout = b64.finish(out) )
          TextLog_Write(csv_log, out, kout);
+
+    TextLog_Putc(csv_log, '"');
  }
  
  static void ff_dir(Args& a)
@@ -158,7 +162,7 @@ static void ff_eth_len(Args& a)
      if ( !(a.pkt->proto_bits & PROTO_BIT__ETH) )
          return;
  
-    TextLog_Print(csv_log, "0x%X", a.pkt->pkth->pktlen);
+    TextLog_Print(csv_log, "%u", a.pkt->pkth->pktlen);
  }
  
  static void ff_eth_src(Args& a)
@@ -230,7 +234,7 @@ static void ff_ip_len(Args& a)
  
  static void ff_msg(Args& a)
  {
-    TextLog_Quote(csv_log, a.msg);
+    TextLog_Puts(csv_log, a.msg);
  }
  
  static void ff_mpls(Args& a)
@@ -288,6 +292,11 @@ static void ff_rule(Args& a)
          a.event.sig_info->gid, a.event.sig_info->sid, a.event.sig_info->rev);
  }
  
+static void ff_seconds(Args& a)
+{
+    TextLog_Print(csv_log, "%u",  a.pkt->pkth->ts.tv_sec);
+}
+
  static void ff_service(Args& a)
  {
      const char* svc = "unknown";
@@ -428,7 +437,7 @@ static const CsvFunc csv_func[] =
      ff_dst_port, ff_eth_dst, ff_eth_len, ff_eth_src, ff_eth_type, ff_gid,
      ff_icmp_code, ff_icmp_id, ff_icmp_seq, ff_icmp_type, ff_iface, ff_ip_id,
      ff_ip_len, ff_msg, ff_mpls, ff_pkt_gen, ff_pkt_len, ff_pkt_num, ff_priority,
-    ff_proto, ff_rev, ff_rule, ff_service, ff_sid, ff_src_addr, ff_src_ap,
+    ff_proto, ff_rev, ff_rule, ff_seconds, ff_service, ff_sid, ff_src_addr, ff_src_ap,
      ff_src_port, ff_target, ff_tcp_ack, ff_tcp_flags, ff_tcp_len, ff_tcp_seq,
      ff_tcp_win, ff_timestamp, ff_tos, ff_ttl, ff_udp_len, ff_vlan
  };
@@ -438,7 +447,7 @@ static const CsvFunc csv_func[] =
      "dst_port | eth_dst | eth_len | eth_src | eth_type | gid | " \
      "icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | " \
      "ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | " \
-    "proto | rev | rule | service | sid | src_addr | src_ap | " \
+    "proto | rev | rule | seconds | service | sid | src_addr | src_ap | " \
      "src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | " \
      "tcp_win | timestamp | tos | ttl | udp_len | vlan"
  
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc

index ee40f03552bc052f3436dbcf796f97f9618042fa..47b08f9ea1dfe72c1a3de3ff1cb0f1e204424d46 100644 (file)
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -1274,6 +1274,9 @@ const char* parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* ot
      if ( !otn_dup )
          otn->ruleIndex = parser_get_rule_index(otn->sigInfo.gid, otn->sigInfo.sid);
  
+    if ( !otn->sigInfo.message )
+        otn->sigInfo.message = snort_strdup("\"no msg in rule\"");  // yes, stored as "msg"
+
      OptFpList* fpl = AddOptFuncToList(OptListEnd, otn);
      fpl->type = RULE_OPTION_TYPE_LEAF_NODE;
  
diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc

index fd89184de132258aafcf4fb4fc4e81251cade19e..6d6a0ce5928e9da0f6a5bb423364713829732099 100644 (file)
--- a/tools/snort2lua/helpers/converter.cc
+++ b/tools/snort2lua/helpers/converter.cc
@@ -362,7 +362,7 @@ int Converter::convert(const std::string& input,
          // add binding for wizard at bottom of table
          auto& wiz = make_binder();
          wiz.set_use_type("wizard");
-        wiz.set_priority(Binder::MAX_PRIORITY);
+        wiz.set_priority(Binder::PRIORITY_LAST);
      }
  
      add_bindings();
diff --git a/tools/snort2lua/helpers/util_binder.h b/tools/snort2lua/helpers/util_binder.h

index 3ccb43647987a4042e4a6dc2c69eebabe268d040..1b271955e1447c42c20f7bf0b944c2582cfd34cb 100644 (file)
--- a/tools/snort2lua/helpers/util_binder.h
+++ b/tools/snort2lua/helpers/util_binder.h
@@ -51,7 +51,7 @@ public:
      void print_binding(bool should_print)
      { printed = !should_print; }
  
-    static const unsigned MAX_PRIORITY = UINT_MAX;
+    static const unsigned PRIORITY_LAST = UINT_MAX;
  
      void set_priority(unsigned);
      unsigned get_priority();
@@ -139,7 +139,7 @@ private:
      bool printed = false; // ensures that the binding is added once,
                            // by either the destructor or user
  
-    unsigned priority = MAX_PRIORITY;
+    unsigned priority = PRIORITY_LAST;
      
      int when_ips_policy_id = -1;
      std::string when_service;
author	Russ Combs (rucombs) <rucombs@cisco.com>
	Tue, 21 Nov 2017 15:30:17 +0000 (10:30 -0500)
committer	Russ Combs (rucombs) <rucombs@cisco.com>
	Tue, 21 Nov 2017 15:30:17 +0000 (10:30 -0500)
extra/src/loggers/alert_json/alert_json.cc		patch \| blob \| blame \| history
src/loggers/alert_csv.cc		patch \| blob \| blame \| history
src/parser/parse_rule.cc		patch \| blob \| blame \| history
tools/snort2lua/helpers/converter.cc		patch \| blob \| blame \| history
tools/snort2lua/helpers/util_binder.h		patch \| blob \| blame \| history