eve/alert: include rule text in alert output

[rs-natano]

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
• I have signed the Open Information Security Foundation contribution agreement at https://suricata-ids.org/about/contribution-agreement/
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2020

Describe changes:

For SIEM analysis it is often useful to refer to the actual rules to find out why a specific alert has been triggered when the signature message does not convey enough information.

Turn on the new rule flag to include the rule text in eve alert output. The feature is turned off by default.

With a rule like this:

alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)

The eve alert output might look something like this (pretty-printed for readability):

{
  "timestamp": "2017-08-14T12:35:05.830812+0200",
  "flow_id": 1919856770919772,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "10.20.30.40",
  "src_port": 50968,
  "dest_ip": "8.8.8.8",
  "dest_port": 53,
  "proto": "UDP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 42,
    "rev": 0,
    "signature": "Google DNS server contacted",
    "category": "",
    "severity": 3,
    "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
  },
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 81,
    "bytes_toclient": 0,
    "start": "2017-08-14T12:35:05.830812+0200"
  }
}

[jasonish]

This will leak if SigParseBasics fails to parse the rule.

[rs-natano]

No. The only caller of SigParse() calls SigFree() in case the function returned an error. See https://github.com/rs-natano/suricata/blob/9af2e9a50cfdb9d75d206614a8e3b03cb8486590/src/detect-parse.c#L1644 . SigFree() also frees sig_str when not NULL. Note that all other dynamically allocated members of the signature struct are handled in the same way (class_msg, sp, dp, ...); otherwise the cleanup code would be much more complex.

[rs-natano]

Makes sense?

[jasonish]

Yes, it does. Took too much of a micro-look at the patch.

[jasonish]

So maybe dup the string based on the value of r.

[rs-natano]

See previous comment.

[inliniac]

Minor comment. Looks good otherwise. Can you resubmit an updated branch?

[inliniac]

this will need a proper check

[rs-natano]

What's wrong about the check? When the "alert" key is not there it's a bug in the code before, isn't it?

[rs-natano]

Ah I see now, the "alert" key might not be there in out of memory conditions. I will create an updated PR.

[inliniac]

yeah we generally try to allow for alloc issues. Thanks!

[rs-natano]

Updated PR: #2897