Skip to content

Commit

Permalink
eve/alert: enrich decoder event
Browse files Browse the repository at this point in the history
Default decoder event alert was very sparse, not even logging packet
type and pcap_cnt. Expand support for this record type. It will be more
useful with the ethernet headers and packet field, but these are still
disabled by default.

Ticket: OISF#7433.
(cherry picked from commit 2fe2cf8)
  • Loading branch information
victorjulien committed Dec 6, 2024
1 parent 344802f commit e09b263
Showing 1 changed file with 20 additions and 8 deletions.
28 changes: 20 additions & 8 deletions src/output-json-alert.c
Original file line number Diff line number Diff line change
Expand Up @@ -939,28 +939,40 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
char timebuf[64];

if (p->alerts.cnt == 0)
return TM_ECODE_OK;

CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));

for (int i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}

JsonBuilder *jb = jb_new_object();
if (unlikely(jb == NULL)) {
JsonBuilder *jb =
CreateEveHeader(p, LOG_DIR_PACKET, "alert", NULL, json_output_ctx->eve_ctx);
if (unlikely(jb == NULL))
return TM_ECODE_OK;

AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL, NULL);

if (IS_TUNNEL_PKT(p)) {
AlertJsonTunnel(p, jb);
}

/* just the timestamp, no tuple */
jb_set_string(jb, "timestamp", timebuf);
/* base64-encoded full packet */
if (json_output_ctx->flags & LOG_JSON_PACKET) {
EvePacket(p, jb, 0);
}

AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL, NULL);
char *pcap_filename = PcapLogGetFilename();
if (pcap_filename != NULL) {
jb_set_string(jb, "capture_file", pcap_filename);
}

if (json_output_ctx->flags & LOG_JSON_VERDICT) {
EveAddVerdict(jb, p);
}

OutputJsonBuilderBuffer(jb, aft->ctx);
jb_free(jb);
Expand Down

0 comments on commit e09b263

Please sign in to comment.