#include "output-json.h"
#include "output-json-http.h"
#include "output-json-tls.h"
+#include "output-json-ssh.h"
#include "util-byte.h"
#include "util-privs.h"
#define LOG_JSON_PAYLOAD_BASE64 4
#define LOG_JSON_HTTP 8
#define LOG_JSON_TLS 16
+#define LOG_JSON_SSH 32
#define JSON_STREAM_BUFFER_SIZE 4096
return;
}
+static void AlertJsonSsh(const Flow *f, json_t *js)
+{
+ SshState *ssh_state = (SshState *)f->alstate;
+ if (ssh_state) {
+ json_t *tjs = json_object();
+ if (unlikely(tjs == NULL))
+ return;
+
+ JsonSshLogJSON(tjs, ssh_state);
+
+ json_object_set_new(js, "ssh", tjs);
+ }
+
+ return;
+}
+
static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
MemBuffer *payload = aft->payload_buffer;
}
}
+ if (json_output_ctx->flags & LOG_JSON_SSH) {
+ if (p->flow != NULL) {
+ FLOWLOCK_RDLOCK(p->flow);
+ uint16_t proto = FlowGetAppProtocol(p->flow);
+
+ /* http alert */
+ if (proto == ALPROTO_SSH)
+ AlertJsonSsh(p->flow, js);
+
+ FLOWLOCK_UNLOCK(p->flow);
+ }
+ }
+
/* payload */
if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
int stream = (p->proto == IPPROTO_TCP) ?
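Review bot: The comment above the new `AlertJsonSsh` call, `/* http alert */`, was carried over from the HTTP block and mislabels the SSH case; change it to `/* ssh alert */`. `AlertJsonSsh` casts `f->alstate` to `SshState *` without checking the app-layer protocol itself and relies on the caller having verified `ALPROTO_SSH` under `FLOWLOCK_RDLOCK`, so a one-line contract comment on the helper such as `/* caller holds the flow read lock and has verified proto == ALPROTO_SSH */` would keep that precondition visible to future callers. The new block takes the flow read lock and calls `FlowGetAppProtocol` for the SSH flag alone; if the HTTP and TLS blocks outside this hunk follow the same shape, an alert with all three enabled locks and unlocks the flow three times, and a single lock with one proto lookup dispatching to the per-protocol helpers would be simpler. `AlertJson`'s body continues outside the hunk.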
const char *payload_printable = ConfNodeLookupChildValue(conf, "payload-printable");
const char *http = ConfNodeLookupChildValue(conf, "http");
const char *tls = ConfNodeLookupChildValue(conf, "tls");
+ const char *ssh = ConfNodeLookupChildValue(conf, "ssh");
+ if (ssh != NULL) {
+ if (ConfValIsTrue(ssh)) {
+ json_output_ctx->flags |= LOG_JSON_SSH;
+ }
+ }
if (tls != NULL) {
if (ConfValIsTrue(tls)) {
json_output_ctx->flags |= LOG_JSON_TLS;
# packet: yes # enable dumping of packet (without stream segments)
# http: yes # enable dumping of http fields
# tls: yes # enable dumping of tls fields
+ # ssh: yes # enable dumping of ssh fields
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)