json: sync key name with CIM
authorEric Leblond <eric@regit.org>
Thu, 30 Jan 2014 22:33:45 +0000 (23:33 +0100)
committerEric Leblond <eric@regit.org>
Fri, 31 Jan 2014 08:43:22 +0000 (09:43 +0100)
This patch is synchronizing key name with Common Information Model.
It updates key name following what is proposed in:
 http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
The benefit of these changes is that using the same key names as other
software makes the data easy to correlate and enrich. For example, the
geoip filter in logstash can be applied to every src_ip field, enabling
GeoIP tagging of all data.

src/output-json-alert.c
src/output-json-http.c
src/output-json.c

index 1ee191b1fff025f39b577909b6bec5e9391ddcb5..71ba88066f505df03001984fe37f03f76fd5a58d 100644 (file)
@@ -108,13 +108,13 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 
         json_object_set_new(ajs, "action", json_string(action));
         json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
-        json_object_set_new(ajs, "id", json_integer(pa->s->id));
+        json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
         json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
-        json_object_set_new(ajs, "msg",
+        json_object_set_new(ajs, "signature",
                             json_string((pa->s->msg) ? pa->s->msg : ""));
-        json_object_set_new(ajs, "class",
+        json_object_set_new(ajs, "category",
                             json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
-        json_object_set_new(ajs, "pri", json_integer(pa->s->prio));
+        json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
 
         /* alert */
         json_object_set_new(js, "alert", ajs);
@@ -180,13 +180,13 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
 
         json_object_set_new(ajs, "action", json_string(action));
         json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
-        json_object_set_new(ajs, "id", json_integer(pa->s->id));
+        json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
         json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
-        json_object_set_new(ajs, "msg",
+        json_object_set_new(ajs, "signature",
                             json_string((pa->s->msg) ? pa->s->msg : ""));
-        json_object_set_new(ajs, "class",
+        json_object_set_new(ajs, "category",
                             json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
-        json_object_set_new(ajs, "pri", json_integer(pa->s->prio));
+        json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
 
         /* alert */
         json_object_set_new(js, "alert", ajs);
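Review bot: The seven `json_object_set_new` calls on the new side of this hunk duplicate, key for key, the block in AlertJson from the previous hunk, which is why this rename had to be applied twice and why a future key change can silently drift between the two writers. A single static helper would keep the CIM key names in exactly one place for both AlertJson and AlertJsonDecoderEvent. AlertJsonDecoderEvent starts and ends outside this hunk, and the declared type of `pa` is not visible here, so the parameter type below is assumed from the `pa->s->...` accesses and should be confirmed against the caller.
```c
/* Fill ajs with the signature fields shared by AlertJson and
 * AlertJsonDecoderEvent; key names follow the CIM field reference. */
static void AlertJsonSignatureFields(json_t *ajs, const PacketAlert *pa, const char *action)
{
    json_object_set_new(ajs, "action", json_string(action));
    json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
    json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
    json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
    json_object_set_new(ajs, "signature",
                        json_string((pa->s->msg) ? pa->s->msg : ""));
    json_object_set_new(ajs, "category",
                        json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
    json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
}
/* … unchanged: caller then does json_object_set_new(js, "alert", ajs); … */
```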
index fc5028a66ffd942de7f1878ca96fa368d4f0a28f..7c41ea7edfce7427067b60259196b67bde2db3c2 100644 (file)
@@ -99,7 +99,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
         c = SCStrndup((char *)bstr_ptr(tx->request_uri),
                       bstr_len(tx->request_uri));
         if (c != NULL) {
-            json_object_set_new(hjs, "uri", json_string(c));
+            json_object_set_new(hjs, "url", json_string(c));
             SCFree(c);
         }
     }
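Review bot: The value now written under `url` is `tx->request_uri`, the request-line target, which normally carries only path and query, whereas a reader of a CIM-named `url` field will expect a full URL including scheme and host; the mismatch is likely to surface as wrong correlation in exactly the pipelines the commit message cites. If assembling a full URL from the host header is out of scope for this change, at least mark the key's contents in place: `/* CIM "url": holds the request target (path/query) only, not scheme+host */`. JsonHttpLogJSON starts before this hunk and continues after it.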
@@ -113,11 +113,11 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
         c = SCStrndup((char *)bstr_ptr(h_user_agent->value),
                       bstr_len(h_user_agent->value));
         if (c != NULL) {
-            json_object_set_new(hjs, "user-agent", json_string(c));
+            json_object_set_new(hjs, "http_user_agent", json_string(c));
             SCFree(c);
         }
     } else {
-        json_object_set_new(hjs, "user-agent", json_string("<useragent unknown>"));
+        json_object_set_new(hjs, "http_user_agent", json_string("<useragent unknown>"));
     }
 
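Review bot: On the else branch the new `http_user_agent` key is still filled with the literal `<useragent unknown>`, so a missing header is indistinguishable from a client that really sent that string, and any consumer grouping on http_user_agent — the correlation this commit is meant to enable — will count the sentinel as a real agent. Emitting JSON null, `json_object_set_new(hjs, "http_user_agent", json_null());`, or omitting the key when the header is absent keeps the semantics clean; if the sentinel is deliberately kept for existing consumers, document that with `/* placeholder kept for compatibility; not a real User-Agent value */`. JsonHttpLogJSON continues outside this hunk.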
     /* x-forwarded-for */
@@ -146,7 +146,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
         if (c != NULL) {
             p = strchrnul(c, ';');
             *p = '\0';
-            json_object_set_new(hjs, "content-type", json_string(c));
+            json_object_set_new(hjs, "http_content_type", json_string(c));
             SCFree(c);
         }
     }
@@ -161,7 +161,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
             c = SCStrndup((char *)bstr_ptr(h_referer->value),
                           bstr_len(h_referer->value));
             if (c != NULL) {
-                json_object_set_new(hjs, "referer", json_string(c));
+                json_object_set_new(hjs, "http_refer", json_string(c));
                 SCFree(c);
             }
         }
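Review bot: The new key `http_refer` matches neither the wire header name (`Referer`, which `h_referer` is read from) nor the full-word spelling the other CIM-style keys in this file use (`http_user_agent`, `http_content_type`); since the stated purpose of the commit is to match the CIM names, this one should be checked against the referenced field list before it ships, because renaming a log key later is a breaking change for every consumer. A short comment naming the source of the spelling, `/* key name per the Splunk CIM web field reference */`, would make the intent verifiable by the next reader. JsonHttpLogJSON continues outside this hunk.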
@@ -171,7 +171,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
             c = SCStrndup((char *)bstr_ptr(tx->request_method),
                           bstr_len(tx->request_method));
             if (c != NULL) {
-                json_object_set_new(hjs, "method", json_string(c));
+                json_object_set_new(hjs, "http_method", json_string(c));
                 SCFree(c);
             }
         }
index c3ba9a97d2db6db31db254cd9ce61d93abc1090c..55647e269431aa97eb534ec3014de90a15ba3ce6 100644 (file)
@@ -208,7 +208,7 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive)
 
     /* sensor id */
     if (sensor_id >= 0)
-        json_object_set_new(js, "sensor-id", json_integer(sensor_id));
+        json_object_set_new(js, "sensor_id", json_integer(sensor_id));
 
     /* pcap_cnt */
     if (p->pcap_cnt != 0) {
@@ -240,24 +240,24 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive)
     }
 
     /* tuple */
-    json_object_set_new(js, "srcip", json_string(srcip));
+    json_object_set_new(js, "src_ip", json_string(srcip));
     switch(p->proto) {
         case IPPROTO_ICMP:
             break;
         case IPPROTO_UDP:
         case IPPROTO_TCP:
         case IPPROTO_SCTP:
-            json_object_set_new(js, "sp", json_integer(sp));
+            json_object_set_new(js, "src_port", json_integer(sp));
             break;
     }
-    json_object_set_new(js, "dstip", json_string(dstip));
+    json_object_set_new(js, "dest_ip", json_string(dstip));
     switch(p->proto) {
         case IPPROTO_ICMP:
             break;
         case IPPROTO_UDP:
         case IPPROTO_TCP:
         case IPPROTO_SCTP:
-            json_object_set_new(js, "dp", json_integer(dp));
+            json_object_set_new(js, "dest_port", json_integer(dp));
             break;
     }
     json_object_set_new(js, "proto", json_string(proto));
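Review bot: The renames in CreateJSONHeader change the top-level keys of every EVE event at once (`srcip`→`src_ip`, `dstip`→`dest_ip`, `sp`/`dp`→`src_port`/`dest_port`), yet nothing in the code records that these names are now a contract with external tooling, so the next contributor gets no signal that a rename here silently breaks downstream parsers. Add a comment above the tuple block, `/* key names follow the Splunk CIM field reference; changing them breaks downstream consumers (logstash, SIEM rules) */`, and since no compatibility option is offered, note the schema change in the user-facing documentation as well. CreateJSONHeader continues outside this hunk.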