Suricata eve alert payload logging #228
Add option to log payload data to eve.json alert logging. This could probably use a check to make sure alert logging is on if alert payload logging is selected. As it is now, it does no alert logging if alert payload is selected and alert is not selected
if selected in suricata_interfaces_edit.php
Before this pull request can be accepted you must first sign a CLA as described at https://www.pfsense.org/about-pfsense/#cla. Please read for more details.
@bmeeks8 can you take a look please?
This looks like a good addition to the package. I am OK with it. Thank you to the contributor! Bill
Bump PORTVERSION or PORTREVISION in the Makefile to make the build system produce a new package
$eve_out_types .= "\n tls: yes # enable dumping of tls fields"; | ||
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields"; | ||
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields"; | ||
} |
Fix indent
$eve_out_types .= "\n - alert"; | ||
|
||
if (($suricatacfg['eve_log_alerts'] == 'on') && ($suricatacfg['eve_log_alerts_payload'] == 'on')) { |
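Review bot: the condition `if (($suricatacfg['eve_log_alerts'] == 'on') && ($suricatacfg['eve_log_alerts_payload'] == 'on'))` silently drops the payload options whenever alert logging is off, which is exactly the combination the description flags as producing no alert output; validating that combination in suricata_interfaces_edit.php (or treating a payload selection as implying alert logging) would tell the user instead of generating an eve.json with no alert records.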
Use space to separate ) and {
$eve_out_types .= "\n payload: yes # enable dumping payload in Base64"; | ||
$eve_out_types .= "\n payload-printable: yes # enable dumping payload in printable (lossy) format"; | ||
$eve_out_types .= "\n packet: yes # enable dumping of packet (without stream segments)"; | ||
$eve_out_types .= "\n http: yes # enable dumping of http fields"; |
Use TAB to indent 4 lines above instead of spaces
$eve_out_types .= "\n http: yes # enable dumping of http fields"; | ||
$eve_out_types .= "\n tls: yes # enable dumping of tls fields"; | ||
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields"; | ||
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields"; |
Use TAB to indent 2 lines above
$eve_out_types .= "\n tls: yes # enable dumping of tls fields"; | ||
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields"; | ||
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields"; | ||
} |
} should be at the beginning of the line
$eve_out_types .= "\n tls: yes # enable dumping of tls fields"; | ||
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields"; | ||
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields"; | ||
} |
Almost there. ssh and smtp lines are still indented with spaces and } should be at the beginning of the line
Add checkbox to suricata_interfaces_edit.php to log payload data with eve.json alerts (inspired by this forum post https://forum.pfsense.org/index.php?topic=112587.0) and corresponding updates to suricata_generate_yaml.php to properly generate suricata.yaml with new options
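The following is an added example, not code from the pfSense Suricata package or from this pull request. It shows one way to build the eve-log alert fragment for suricata.yaml from the interface settings while making the alert/payload dependency the description mentions explicit: a payload selection without alert logging is reported as an input error rather than silently producing no alert output. The settings keys eve_log_alerts and eve_log_alerts_payload are the ones used in the pull request; the function name, the $errors parameter, the YAML indentation and the nested `- alert:` form (which is how Suricata expects sub-options on the alert type) are this example's own assumptions.

```php
<?php
// Added example (not the package's own code): build the eve-log "types"
// fragment for suricata.yaml and check the alert/payload dependency.
// Assumptions: function name, $errors handling and YAML indentation are
// this example's; settings keys come from the pull request.

function build_eve_alert_types(array $suricatacfg, array &$errors) {
    $eve_out_types = "";
    $alerts  = isset($suricatacfg['eve_log_alerts']) && $suricatacfg['eve_log_alerts'] == 'on';
    $payload = isset($suricatacfg['eve_log_alerts_payload']) && $suricatacfg['eve_log_alerts_payload'] == 'on';

    // Payload logging is a sub-option of the alert output type. Selecting it
    // without alert logging yields no alert records at all, so report the
    // combination instead of silently generating nothing.
    if ($payload && !$alerts) {
        $errors[] = "EVE payload logging requires EVE alert logging to be enabled.";
        return $eve_out_types;
    }

    if ($alerts) {
        if ($payload) {
            // Nested form: "- alert:" followed by its sub-options.
            $eve_out_types .= "\n        - alert:";
            $eve_out_types .= "\n            payload: yes             # enable dumping payload in Base64";
            $eve_out_types .= "\n            payload-printable: yes   # enable dumping payload in printable (lossy) format";
            $eve_out_types .= "\n            packet: yes              # enable dumping of packet (without stream segments)";
            $eve_out_types .= "\n            http: yes                # enable dumping of http fields";
            $eve_out_types .= "\n            tls: yes                 # enable dumping of tls fields";
            $eve_out_types .= "\n            ssh: yes                 # enable dumping of ssh fields";
            $eve_out_types .= "\n            smtp: yes                # enable dumping of smtp fields";
        } else {
            // Plain alert records without payload or packet data.
            $eve_out_types .= "\n        - alert";
        }
    }
    return $eve_out_types;
}

// Constructed sample settings for demonstration.
$errors = array();
echo build_eve_alert_types(array('eve_log_alerts' => 'on', 'eve_log_alerts_payload' => 'on'), $errors), "\n";
echo build_eve_alert_types(array('eve_log_alerts' => 'on'), $errors), "\n";

// Payload selected without alert logging: nothing is generated and the
// error list explains why, so the form can refuse to save the settings.
build_eve_alert_types(array('eve_log_alerts_payload' => 'on'), $errors);
print_r($errors);
```

Returning the message through $errors mirrors how the package's edit pages collect input validation failures before saving, so the same check can be run from suricata_interfaces_edit.php when the form is submitted and again from suricata_generate_yaml.php as a last line of defence.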