
Suricata eve alert payload logging #228

Merged

Conversation

jeffhammett
Contributor

Add a checkbox to suricata_interfaces_edit.php to log payload data with eve.json alerts (inspired by this forum post: https://forum.pfsense.org/index.php?topic=112587.0) and corresponding updates to suricata_generate_yaml.php to properly generate suricata.yaml with the new options.

Add option to log payload data to eve.json alert logging. This could probably use a check to make sure alert logging is on if alert payload logging is selected. As it is now, it does no alert logging if alert payload is selected and alert is not selected
if selected in suricata_interfaces_edit.php
@netgate-git-updates

Before this pull request can be accepted you must first sign a CLA as described at https://www.pfsense.org/about-pfsense/#cla. Please read for more details.

@rbgarga
Member

rbgarga commented Dec 13, 2016

@bmeeks8 can you take a look please?

@bmeeks8
Contributor

bmeeks8 commented Dec 13, 2016

This looks like a good addition to the package. I am OK with it. Thank you to the contributor!

Bill

Member

@rbgarga rbgarga left a comment


Bump PORTVERSION or PORTREVISION in the Makefile to make the build system produce a new package.

$eve_out_types .= "\n tls: yes # enable dumping of tls fields";
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields";
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields";
}
Member

Fix indent

$eve_out_types .= "\n - alert";

if (($suricatacfg['eve_log_alerts'] == 'on') && ($suricatacfg['eve_log_alerts_payload'] == 'on')) {
Member

Use a space to separate ) and {

$eve_out_types .= "\n payload: yes # enable dumping payload in Base64";
$eve_out_types .= "\n payload-printable: yes # enable dumping payload in printable (lossy) format";
$eve_out_types .= "\n packet: yes # enable dumping of packet (without stream segments)";
$eve_out_types .= "\n http: yes # enable dumping of http fields";
Member

Use TAB to indent the 4 lines above instead of spaces

$eve_out_types .= "\n http: yes # enable dumping of http fields";
$eve_out_types .= "\n tls: yes # enable dumping of tls fields";
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields";
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields";
Member

Use TAB to indent the 2 lines above

$eve_out_types .= "\n tls: yes # enable dumping of tls fields";
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields";
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields";
}
Member

} should be at the beginning of the line

$eve_out_types .= "\n tls: yes # enable dumping of tls fields";
$eve_out_types .= "\n ssh: yes # enable dumping of ssh fields";
$eve_out_types .= "\n smtp: yes # enable dumping of smtp fields";
}
Member

Almost there. The ssh and smtp lines are still indented with spaces, and } should be at the beginning of the line.
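The option wiring described in the pull request and shown piecemeal in the review snippets above, as an added PHP example that is not the Suricata package's own code: it builds the eve-log `types:` fragment from the two interface settings (`eve_log_alerts`, `eve_log_alerts_payload`, the keys visible in the reviewed condition) and handles the gap the commit message flags, where payload logging is selected without alert logging. The function name, the `$warnings` parameter, the YAML indentation, and the sample configurations are assumptions for this example.

```php
<?php
/*
 * Added example, not code from the pfSense Suricata package.
 * Builds the "types:" entries of the eve-log output in suricata.yaml
 * from the per-interface settings, mirroring the alert/payload options
 * added in this PR.  The YAML indentation used here is an assumption
 * and must match the surrounding generated suricata.yaml.
 */

/**
 * Return the "types:" fragment for the eve-log output section.
 *
 * If payload logging is requested but alert logging is not, alert logging
 * is switched on so that the payload options are not emitted under a type
 * that is never written (the case the commit message describes).  A note
 * about that normalisation is appended to $warnings.
 */
function suricata_eve_alert_types(array $suricatacfg, array &$warnings = array()) {
	$alerts  = (isset($suricatacfg['eve_log_alerts']) && $suricatacfg['eve_log_alerts'] == 'on');
	$payload = (isset($suricatacfg['eve_log_alerts_payload']) && $suricatacfg['eve_log_alerts_payload'] == 'on');

	if ($payload && !$alerts) {
		$warnings[] = "eve_log_alerts_payload is set but eve_log_alerts is not; "
		            . "enabling alert logging so the payload options take effect.";
		$alerts = true;
	}

	$eve_out_types = "";
	if ($alerts) {
		if ($payload) {
			// Sub-options follow, so the list item must be a mapping key ("- alert:").
			$eve_out_types .= "\n        - alert:";
			$eve_out_types .= "\n            payload: yes             # enable dumping payload in Base64";
			$eve_out_types .= "\n            payload-printable: yes   # enable dumping payload in printable (lossy) format";
			$eve_out_types .= "\n            packet: yes              # enable dumping of packet (without stream segments)";
			$eve_out_types .= "\n            http: yes                # enable dumping of http fields";
			$eve_out_types .= "\n            tls: yes                 # enable dumping of tls fields";
			$eve_out_types .= "\n            ssh: yes                 # enable dumping of ssh fields";
			$eve_out_types .= "\n            smtp: yes                # enable dumping of smtp fields";
		} else {
			// A bare scalar list item is enough when no sub-options are set.
			$eve_out_types .= "\n        - alert";
		}
	}
	return $eve_out_types;
}

// Constructed sample settings, one per case the PR discussion touches on.
$cases = array(
	'alerts only'            => array('eve_log_alerts' => 'on'),
	'alerts with payload'    => array('eve_log_alerts' => 'on', 'eve_log_alerts_payload' => 'on'),
	'payload without alerts' => array('eve_log_alerts_payload' => 'on'),
);

foreach ($cases as $label => $cfg) {
	$warnings = array();
	$types = suricata_eve_alert_types($cfg, $warnings);
	echo "== {$label} ==\n";
	echo "      types:" . $types . "\n";
	foreach ($warnings as $w) {
		echo "WARNING: {$w}\n";
	}
}
```

Run it with `php example.php`; the third case prints the same fragment as the second plus the warning, which is the behaviour the commit message says the submitted code still lacks. Whether to silently enable alert logging or to reject the combination in the form validation of suricata_interfaces_edit.php is a design choice; the warning makes the decision visible either way.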

@netgate-git-updates netgate-git-updates merged commit 3d54f2e into pfsense:devel Dec 21, 2016