

dcerpc: add app-layer metadata in alerts
Ticket: 6090
catenacyber authored and victorjulien committed Jun 22, 2024
1 parent 5f35035 commit a212328
Showing 2 changed files with 21 additions and 1 deletion.
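--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -381,6 +381,26 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
 jb_restore_mark(jb, &mark);
 }
 break;
+case ALPROTO_DCERPC:
+jb_get_mark(jb, &mark);
+void *state = FlowGetAppState(p->flow);
+if (state) {
+void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
+if (tx) {
+jb_open_object(jb, "dcerpc");
+if (p->proto == IPPROTO_TCP) {
+if (!rs_dcerpc_log_json_record_tcp(state, tx, jb)) {
+jb_restore_mark(jb, &mark);
+}
+} else {
+if (!rs_dcerpc_log_json_record_udp(state, tx, jb)) {
+jb_restore_mark(jb, &mark);
+}
+}
+jb_close(jb);
+}
+}
+break;
 default:
 break;
 }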
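Review bot: On the failure path the new DCERPC case calls `jb_close(jb)` after `jb_restore_mark(jb, &mark)` has already rewound the builder to the point before `jb_open_object(jb, "dcerpc")`, so the unconditional close at the end of the `if (tx)` block no longer has a "dcerpc" object to close. If restoring the mark also resets the builder's nesting state — the case just above in the hunk restores the mark instead of closing, which suggests it does — that close will pop the enclosing alert object instead, and the EVE record is malformed every time the Rust logger returns false for a transaction, which is exactly the kind of output corruption a downstream SIEM parser will choke on. Only the success branch should close the object; since the logger's result merely selects between close and restore, folding the two branches onto one result makes the pairing explicit. The `if (tx)` body also lacks a comment saying why a failed logger call discards the partial object, e.g. `/* nothing valid written: drop the opened object rather than emit a half record */`. AlertAddAppLayer begins before this hunk, and the `mark` declaration is outside it.
```c
jb_open_object(jb, "dcerpc");
bool ok;
if (p->proto == IPPROTO_TCP) {
    ok = rs_dcerpc_log_json_record_tcp(state, tx, jb);
} else {
    ok = rs_dcerpc_log_json_record_udp(state, tx, jb);
}
if (ok) {
    jb_close(jb);
} else {
    /* nothing valid written: drop the opened object rather than emit a half record */
    jb_restore_mark(jb, &mark);
}
```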
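--- a/src/output.c
+++ b/src/output.c
@@ -1126,7 +1126,7 @@ static EveJsonSimpleAppLayerLogger simple_json_applayer_loggers[ALPROTO_MAX] = {
 { ALPROTO_IMAP, NULL }, // protocol detection only
 { ALPROTO_JABBER, NULL }, // no parser, no logging
 { ALPROTO_SMB, NULL }, // special: uses state
-{ ALPROTO_DCERPC, NULL }, // TODO missing
+{ ALPROTO_DCERPC, NULL }, // special: uses state
 { ALPROTO_IRC, NULL }, // no parser, no logging
 { ALPROTO_DNS, AlertJsonDns },
 { ALPROTO_MODBUS, (EveJsonSimpleTxLogFunc)rs_modbus_to_json },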
