[Oisf-devel] [PATCH 2/2] Add options to choose whether the packet header and payload are logged by the Prelude alert module.

Pierre Chifflier chifflier at edenwall.com
Sat Dec 18 16:03:38 UTC 2010


Signed-off-by: Pierre Chifflier <chifflier at edenwall.com>
---
 src/alert-prelude.c |   66 +++++++++++++++++++++++++++++++-------------------
 suricata.yaml       |    2 +
 2 files changed, 43 insertions(+), 25 deletions(-)

diff --git a/src/alert-prelude.c b/src/alert-prelude.c
index d0f5a40..2c888a4 100644
--- a/src/alert-prelude.c
+++ b/src/alert-prelude.c
@@ -144,6 +144,8 @@ void TmModuleAlertPreludeRegister (void) {
 typedef struct AlertPreludeCtx_ {
     /** The client (which has the send function) */
     prelude_client_t *client;
+    int log_packet_content;
+    int log_packet_header;
 } AlertPreludeCtx;
 
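Review bot: The two new fields are added without the `/** ... */` comment the existing `client` member carries, so a reader has to find the init code to learn their meaning and defaults. Since the init path sets header logging on and content logging off, I would document that here: `/** Include IP/TCP/UDP/ICMP header fields in the alert (default: on) */` above `log_packet_header` and `/** Include the raw packet payload in the alert (default: off) */` above `log_packet_content`. Using `int` as a boolean matches the surrounding code, so no change there.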
 /**
@@ -481,7 +483,7 @@ static int PacketToDataV6(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
  *
  * \return 0 if ok
  */
-static int PacketToData(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
+static int PacketToData(Packet *p, PacketAlert *pa, idmef_alert_t *alert, AlertPreludeCtx *ctx)
 {
     SCEnter();
 
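Review bot: The signature gains a `ctx` parameter but the Doxygen block directly above (only its tail, `\return 0 if ok`, is visible in this hunk) is not updated, so the new parameter is undocumented. Add `\param ctx Prelude output context whose log_packet_header/log_packet_content flags select what is attached` next to the existing `\param` lines, which presumably sit just above the hunk. The body of `PacketToData` continues in the following hunk.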
@@ -491,39 +493,42 @@ static int PacketToData(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
     AddIntData(alert, "snort_rule_sid", pa->sid);
     AddIntData(alert, "snort_rule_rev", pa->rev);
 
-    if ( PKT_IS_IPV4(p) )
-        PacketToDataV4(p, pa, alert);
+    if (ctx->log_packet_header) {
+        if ( PKT_IS_IPV4(p) )
+            PacketToDataV4(p, pa, alert);
 
-    else if ( PKT_IS_IPV6(p) )
-        PacketToDataV6(p, pa, alert);
+        else if ( PKT_IS_IPV6(p) )
+            PacketToDataV6(p, pa, alert);
 
-    if ( PKT_IS_TCP(p) ) {
-        AddIntData(alert, "tcp_seq", ntohl(p->tcph->th_seq));
-        AddIntData(alert, "tcp_ack", ntohl(p->tcph->th_ack));
+        if ( PKT_IS_TCP(p) ) {
+            AddIntData(alert, "tcp_seq", ntohl(p->tcph->th_seq));
+            AddIntData(alert, "tcp_ack", ntohl(p->tcph->th_ack));
 
-        AddIntData(alert, "tcp_off", TCP_GET_RAW_OFFSET(p->tcph));
-        AddIntData(alert, "tcp_res", TCP_GET_RAW_X2(p->tcph));
-        AddIntData(alert, "tcp_flags", p->tcph->th_flags);
+            AddIntData(alert, "tcp_off", TCP_GET_RAW_OFFSET(p->tcph));
+            AddIntData(alert, "tcp_res", TCP_GET_RAW_X2(p->tcph));
+            AddIntData(alert, "tcp_flags", p->tcph->th_flags);
 
-        AddIntData(alert, "tcp_win", ntohs(p->tcph->th_win));
-        AddIntData(alert, "tcp_sum", ntohs(p->tcph->th_sum));
-        AddIntData(alert, "tcp_urp", ntohs(p->tcph->th_urp));
+            AddIntData(alert, "tcp_win", ntohs(p->tcph->th_win));
+            AddIntData(alert, "tcp_sum", ntohs(p->tcph->th_sum));
+            AddIntData(alert, "tcp_urp", ntohs(p->tcph->th_urp));
 
-    }
+        }
 
-    else if ( PKT_IS_UDP(p) ) {
-        AddIntData(alert, "udp_len", ntohs(p->udph->uh_len));
-        AddIntData(alert, "udp_sum", ntohs(p->udph->uh_sum));
-    }
+        else if ( PKT_IS_UDP(p) ) {
+            AddIntData(alert, "udp_len", ntohs(p->udph->uh_len));
+            AddIntData(alert, "udp_sum", ntohs(p->udph->uh_sum));
+        }
 
-    else if ( PKT_IS_ICMPV4(p) ) {
-        AddIntData(alert, "icmp_type", p->icmpv4h->type);
-        AddIntData(alert, "icmp_code", p->icmpv4h->code);
-        AddIntData(alert, "icmp_sum", ntohs(p->icmpv4h->checksum));
+        else if ( PKT_IS_ICMPV4(p) ) {
+            AddIntData(alert, "icmp_type", p->icmpv4h->type);
+            AddIntData(alert, "icmp_code", p->icmpv4h->code);
+            AddIntData(alert, "icmp_sum", ntohs(p->icmpv4h->checksum));
 
+        }
     }
 
-    AddByteData(alert, "payload", p->payload, p->payload_len);
+    if (ctx->log_packet_content)
+        AddByteData(alert, "payload", p->payload, p->payload_len);
 
     SCReturnInt(0);
 }
@@ -697,7 +702,7 @@ TmEcode AlertPrelude (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
     if ( ret < 0 )
         goto err;
 
-    ret = PacketToData(p, pa, alert);
+    ret = PacketToData(p, pa, alert, apn->ctx);
     if ( ret < 0 )
         goto err;
 
@@ -793,6 +798,8 @@ OutputCtx *AlertPreludeInitCtx(ConfNode *conf)
     prelude_client_t *client;
     AlertPreludeCtx *ctx;
     const char *prelude_profile_name;
+    const char *log_packet_content;
+    const char *log_packet_header;
     OutputCtx *output_ctx;
 
     SCEnter();
@@ -807,6 +814,9 @@ OutputCtx *AlertPreludeInitCtx(ConfNode *conf)
     if (prelude_profile_name == NULL)
         prelude_profile_name = DEFAULT_PRELUDE_PROFILE;
 
+    log_packet_content = ConfNodeLookupChildValue(conf, "log_packet_content");
+    log_packet_header = ConfNodeLookupChildValue(conf, "log_packet_header");
+
     ret = prelude_client_new(&client, prelude_profile_name);
     if ( ret < 0 || ! client ) {
         prelude_perror(ret, "Unable to create a prelude client object");
@@ -838,6 +848,12 @@ OutputCtx *AlertPreludeInitCtx(ConfNode *conf)
     }
 
     ctx->client = client;
+    ctx->log_packet_content = 0;
+    ctx->log_packet_header = 1;
+    if (log_packet_content && strcmp(log_packet_content,"yes")==0)
+        ctx->log_packet_content = 1;
+    if (log_packet_header && strcmp(log_packet_header,"yes")!=0)
+        ctx->log_packet_header = 0;
 
     output_ctx = SCMalloc(sizeof(OutputCtx));
     if (output_ctx == NULL)
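Review bot: The two options are parsed asymmetrically with an exact `strcmp(..., "yes")`: `log_packet_content` is enabled only by the literal `yes`, while `log_packet_header` is disabled by anything that is not the literal `yes`, so `Yes`, `true` or `on` silently turn header logging off and silently leave payload logging off, with no warning in either case. I would parse both through one helper that accepts the usual spellings, keeps the default on unrecognised input and logs a warning; if the conf API in this tree already has a `ConfValIsTrue()`-style helper, use that instead of the one sketched below. The helper would go above `AlertPreludeInitCtx`, whose start and end lie outside this hunk.
```c
/** Parse a yes/no config value; unrecognised spellings keep def and are logged. */
static int PreludeConfBool(const char *key, const char *val, int def)
{
    if (strcasecmp(val, "yes") == 0 || strcasecmp(val, "true") == 0 || strcmp(val, "1") == 0)
        return 1;
    if (strcasecmp(val, "no") == 0 || strcasecmp(val, "false") == 0 || strcmp(val, "0") == 0)
        return 0;
    SCLogWarning(SC_ERR_INVALID_ARGUMENT, "invalid value '%s' for %s, using default", val, key);
    return def;
}

/* … unchanged: prelude client creation and ctx allocation … */
    ctx->client = client;
    ctx->log_packet_content = 0;
    ctx->log_packet_header = 1;
    if (log_packet_content != NULL)
        ctx->log_packet_content = PreludeConfBool("log_packet_content", log_packet_content, 0);
    if (log_packet_header != NULL)
        ctx->log_packet_header = PreludeConfBool("log_packet_header", log_packet_header, 1);
```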
diff --git a/suricata.yaml b/suricata.yaml
index f033c63..12e022e 100644
--- a/suricata.yaml
+++ b/suricata.yaml
@@ -77,6 +77,8 @@ outputs:
   - alert-prelude:
       enabled: no
       profile: suricata
+      log_packet_content: no
+      log_packet_header: yes
 
   # Stats.log contains data from various counters of the suricata engine.
   # The interval field (in seconds) tells after how long output will be written
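Review bot: The two new keys are added to the shipped configuration without any comment, and the one that matters for operators, `log_packet_content`, ships raw packet payloads to the Prelude manager, which can expose sensitive traffic data and inflate alert size; the default of `no` is the right choice but the reason should be stated next to it. I would add a two-line comment above `log_packet_content` saying it attaches the raw payload to every alert and is off by default because payloads may contain sensitive data, and a one-line comment above `log_packet_header` saying it attaches IP/TCP/UDP/ICMP header fields. Also, other suricata.yaml keys appear to use hyphens rather than underscores (the keys visible here are single words, so I cannot confirm from this hunk); if that is the convention, `log-packet-content` / `log-packet-header` would fit better, with the C lookups changed to match.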
-- 
1.7.2.3



