From: Eric Leblond Date: Fri, 6 Mar 2015 20:16:52 +0000 (+0100) Subject: json-alert: add SSH fields in alert logging X-Git-Tag: suricata-2.1beta4~175 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=881f32cc02e897fec8cb0c1bec022709f4748083;p=thirdparty%2Fsuricata.git json-alert: add SSH fields in alert logging
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 44e418f78a..22c48963a9 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -53,6 +53,7 @@
 #include "output-json.h"
 #include "output-json-http.h"
 #include "output-json-tls.h"
+#include "output-json-ssh.h"
 #include "util-byte.h"
 #include "util-privs.h"
 
@@ -72,6 +73,7 @@
 #define LOG_JSON_PAYLOAD_BASE64 4
 #define LOG_JSON_HTTP 8
 #define LOG_JSON_TLS 16
+#define LOG_JSON_SSH 32
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -143,6 +145,22 @@ static void AlertJsonTls(const Flow *f, json_t *js)
 return;
 }
 
+static void AlertJsonSsh(const Flow *f, json_t *js)
+{
+ SshState *ssh_state = (SshState *)f->alstate;
+ if (ssh_state) {
+ json_t *tjs = json_object();
+ if (unlikely(tjs == NULL))
+ return;
+
+ JsonSshLogJSON(tjs, ssh_state);
+
+ json_object_set_new(js, "ssh", tjs);
+ }
+
+ return;
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
 MemBuffer *payload = aft->payload_buffer;
@@ -220,6 +238,19 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 }
 }
 
+ if (json_output_ctx->flags & LOG_JSON_SSH) {
+ if (p->flow != NULL) {
+ FLOWLOCK_RDLOCK(p->flow);
+ uint16_t proto = FlowGetAppProtocol(p->flow);
+
+ /* http alert */
+ if (proto == ALPROTO_SSH)
+ AlertJsonSsh(p->flow, js);
+
+ FLOWLOCK_UNLOCK(p->flow);
+ }
+ }
+
 /* payload */
 if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
 int stream = (p->proto == IPPROTO_TCP) ? 
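Review bot: AlertJsonSsh casts `f->alstate` to `SshState *` without looking at the flow's app-layer protocol, so it is only correct when the caller has already established that the protocol is SSH and holds the flow lock, which is exactly what the call site added later in this patch does; that precondition is not written down anywhere near the function. A header comment would keep a future caller from passing an arbitrary flow: `/* Attach the flow's SSH state under the "ssh" key of js. Caller must hold the flow lock and have checked the app-layer protocol is ALPROTO_SSH, because f->alstate is cast unchecked. */`. The same comment should say that the function silently logs nothing when alstate is NULL or the inner json_object() allocation fails, since both paths return without any error indication.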
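Review bot: The comment `/* http alert */` above the `proto == ALPROTO_SSH` check was carried over from the HTTP block and is now misleading; it should read `/* ssh alert */`. The block also repeats the lock, FlowGetAppProtocol, unlock sequence that the closing braces just above it suggest the HTTP and TLS blocks already perform, so the flow lock is taken once per enabled protocol for every alert and each copy is another unlock path to keep correct; one locked section that reads the protocol once and dispatches on it would be simpler. AlertJson begins before this hunk and continues past it, so the neighbouring blocks are not visible here and that consolidation is offered as a follow-up rather than a defect in this change.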
@@ -554,7 +585,13 @@ static OutputCtx *JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
 const char *payload_printable = ConfNodeLookupChildValue(conf, "payload-printable");
 const char *http = ConfNodeLookupChildValue(conf, "http");
 const char *tls = ConfNodeLookupChildValue(conf, "tls");
+ const char *ssh = ConfNodeLookupChildValue(conf, "ssh");
 
+ if (ssh != NULL) {
+ if (ConfValIsTrue(ssh)) {
+ json_output_ctx->flags |= LOG_JSON_SSH;
+ }
+ }
 if (tls != NULL) {
 if (ConfValIsTrue(tls)) {
 json_output_ctx->flags |= LOG_JSON_TLS;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index be62eeac90..beb8f7e4a5 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -106,6 +106,7 @@ outputs:
 # packet: yes # enable dumping of packet (without stream segments)
 # http: yes # enable dumping of http fields
 # tls: yes # enable dumping of tls fields
+ # ssh: yes # enable dumping of ssh fields
 
 # HTTP X-Forwarded-For support by adding an extra field or overwriting
 # the source or destination IP address (depending on flow direction)
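Review bot: The new `if (ssh != NULL)` block is placed ahead of the existing `tls` check, so the options are declared in the order http, tls, ssh but evaluated with ssh first; moving the block to after the `tls` one keeps declaration and evaluation order aligned and makes the copied pattern easy to compare with its neighbours. Because each option only ORs its own bit into `json_output_ctx->flags`, the result is the same either way, so this is ordering and readability only. JsonAlertLogInitCtxSub begins before this hunk and continues past it.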