From: Alessandro Guido
Date: Fri, 19 Jun 2015 14:57:48 +0000 (+0200)
Subject: Add option to omit payload in unified2 output
X-Git-Tag: suricata-3.0RC1~70
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=53bfcf64b7020993dd4d1cb2c2260fb5757e5e8e;p=thirdparty%2Fsuricata.git

Add option to omit payload in unified2 output

Add a boolean option named "payload" to the unified2-alert output type. Such options makes suricata omit the payload in the resulting unified2 file. The default value is true in order to preserve the current behaviour.
---
diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c
index ede624c4f3..facc66b231 100644
--- a/src/alert-unified2-alert.c
+++ b/src/alert-unified2-alert.c
@@ -186,8 +186,11 @@ typedef struct AlertUnified2Packet_ {
 typedef struct Unified2AlertFileCtx_ {
     LogFileCtx *file_ctx;
     HttpXFFCfg *xff_cfg;
+    uint32_t flags; /**< flags for all alerts */
 } Unified2AlertFileCtx;
 
+#define UNIFIED2_ALERT_FLAGS_EMIT_PACKET (1 << 0)
+
 /**
  * Unified2 thread vars
  *
@@ -698,6 +701,9 @@ static int Unified2PacketTypeAlert(Unified2AlertThread *aun, const Packet *p, ui
 {
     int ret = 0;
 
+    if (!(aun->unified2alert_ctx->flags & UNIFIED2_ALERT_FLAGS_EMIT_PACKET))
+        return 1;
+
     /* try stream logging first */
     if (stream) {
         SCLogDebug("logging the state");
@@ -1299,6 +1305,20 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
         }
     }
 
+    uint32_t flags = UNIFIED2_ALERT_FLAGS_EMIT_PACKET;
+    if (conf != NULL) {
+        const char *payload = NULL;
+        payload = ConfNodeLookupChildValue(conf, "payload");
+        if (payload) {
+            if (ConfValIsFalse(payload)) {
+                flags &= ~UNIFIED2_ALERT_FLAGS_EMIT_PACKET;
+            } else if (!ConfValIsTrue(payload)) {
+                SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize unified2 output, invalid payload: %s", payload);
+                exit(EXIT_FAILURE);
+            }
+        }
+    }
+
     ret = Unified2AlertOpenFileCtx(file_ctx, filename);
     if (ret < 0)
         goto error;
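Review bot: The comment on the new `flags` member, `/**< flags for all alerts */`, does not say which values it holds, and the only bit macro is defined below the struct rather than next to the field it describes. Since the field is tested in Unified2PacketTypeAlert against UNIFIED2_ALERT_FLAGS_EMIT_PACKET, `/**< UNIFIED2_ALERT_FLAGS_* bits, set once at init from the output config and applied to every alert */` would make the contract visible at the declaration. A comment on the macro itself, `/* write a unified2 packet record after each event; cleared by the "payload: no" option */`, would tie it to the config key it mirrors.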
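Review bot: The early `return 1;` in Unified2PacketTypeAlert is bare: the function's other return paths and its callers are outside the hunk, so a reader cannot tell from here whether 1 means success, and the check suppresses the whole packet record (it precedes the stream branch as well as the packet one), not only application payload as the config key "payload" and the commit message suggest. A comment such as `/* packet record disabled by the "payload" option: nothing to write, report the same value as a successful write */` would record both facts, and the option's documentation should state that the entire packet record, including the stream-reassembled data the branch below logs, is omitted. If the callers treat any result other than 1 as a failure this return value is right, but that should be confirmed against them since they are not in the diff. The function's body continues past the hunk.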
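Review bot: The invalid-value branch calls `exit(EXIT_FAILURE)` from inside Unified2AlertInitCtx, while the open failure three lines below uses `goto error;` — the same cleanup path is available, and file_ctx (allocated before this hunk) is otherwise left to process teardown rather than released. Unless terminating on a bad output option is the project-wide convention, `goto error;` in place of `exit(EXIT_FAILURE);` keeps the function's error handling consistent and lets the caller decide what to do. The `const char *payload = NULL;` followed by an immediate assignment can be folded into `const char *payload = ConfNodeLookupChildValue(conf, "payload");`. Unified2AlertInitCtx starts and ends outside the hunk.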
@@ -1325,6 +1345,7 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
     unified2alert_ctx->file_ctx = file_ctx;
     unified2alert_ctx->xff_cfg = xff_cfg;
+    unified2alert_ctx->flags = flags;
     output_ctx->data = unified2alert_ctx;
     output_ctx->DeInit = Unified2AlertDeInitCtx;