Output alert applayer v13.2#9799

Closed
catenacyber wants to merge 7 commits into OISF:master from catenacyber:output-alert-applayer-v13.2

Conversation

@catenacyber
Contributor

Link to redmine tickets:
https://redmine.openinfosecfoundation.org/issues/3827
https://redmine.openinfosecfoundation.org/issues/5977
https://redmine.openinfosecfoundation.org/issues/6500
https://redmine.openinfosecfoundation.org/issues/6501
preliminary work for https://redmine.openinfosecfoundation.org/issues/5053 and app-layer plugins

Describe changes:

  • Fix setup-app-layer script so that it adds app-layer metadata to alerts
  • add krb5 metadata to alerts
  • add ftp metadata to alerts
  • add tftp metadata to alerts

#9797 with more commits

SV_BRANCH=pr/1465

OISF/suricata-verify#1465

Draft: CI will fail because of BitTorrent named bittorrent-dht with a dash as a protocol, but event_type is bittorrent_dht with an underscore. @jasonish does this need harmonization?
(There is the same thing for the ftp-data protocol having ftp_data events.)

catenacyber and others added 7 commits November 16, 2023 10:01
Especially fix setup-app-layer script to not forget this part

This allows, for simple loggers, to have a unique definition
of the actual logging function with the jsonbuilder.
This way, alerts, files, and app-layer events can share the code
to output the same data.

Ticket: OISF#3827
@suricata-qa

Information: QA ran without warnings.

Pipeline 16555

@catenacyber
Contributor Author

Draft: CI will fail because of BitTorrent named bittorrent-dht with a dash as a protocol, but event_type is bittorrent_dht with an underscore. @jasonish does this need harmonization? (There is the same thing for the ftp-data protocol having ftp_data events.)

See https://redmine.openinfosecfoundation.org/issues/6502

Meanwhile, we can play with #9807
