websocket: configurable logging of payload in alerts

OISF · Jan 16, 2024 · dedbb50 · dedbb50
1 parent e1fb45e
commit dedbb50
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 3 deletions.
diff --git a/etc/schema.json b/etc/schema.json
@@ -5522,6 +5522,12 @@
                 },
                 "opcode": {
                     "type": "string"
+                },
+                "payload_base64": {
+                    "type": "string"
+                },
+                "payload_printable": {
+                    "type": "string"
                 }
             },
             "additionalProperties": false

diff --git a/rust/src/websocket/logger.rs b/rust/src/websocket/logger.rs
@@ -21,7 +21,7 @@ use crate::detect::Enum;
 use crate::jsonbuilder::{JsonBuilder, JsonError};
 use std;
 
-fn log_websocket(tx: &WebSocketTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> {
+fn log_websocket(tx: &WebSocketTransaction, js: &mut JsonBuilder, pp: bool, pb64: bool) -> Result<(), JsonError> {
     js.open_object("websocket")?;
     js.set_bool("fin", tx.pdu.fin)?;
     if let Some(xorkey) = tx.pdu.mask {
@@ -32,6 +32,12 @@ fn log_websocket(tx: &WebSocketTransaction, js: &mut JsonBuilder) -> Result<(),
     } else {
         js.set_string("opcode", &format!("unknown-{}", tx.pdu.opcode))?;
     }
+    if pp {
+        js.set_string("payload_printable", &String::from_utf8_lossy(&tx.pdu.payload))?;
+    }
+    if pb64 {
+        js.set_base64("payload_base64", &tx.pdu.payload)?;
+    }
     js.close()?;
     Ok(())
 }
@@ -41,5 +47,13 @@ pub unsafe extern "C" fn rs_websocket_logger_log(
     tx: *mut std::os::raw::c_void, js: &mut JsonBuilder,
 ) -> bool {
     let tx = cast_pointer!(tx, WebSocketTransaction);
-    log_websocket(tx, js).is_ok()
+    log_websocket(tx, js, false, false).is_ok()
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCWebSocketLogDetails(
+    tx: &WebSocketTransaction, js: &mut JsonBuilder,
+    pp: bool, pb64: bool,
+) -> bool {
+    log_websocket(tx, js, pp, pb64).is_ok()
 }
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
@@ -84,12 +84,16 @@
 #define LOG_JSON_RULE_METADATA     BIT_U16(8)
 #define LOG_JSON_RULE              BIT_U16(9)
 #define LOG_JSON_VERDICT           BIT_U16(10)
+#define LOG_JSON_WEBSOCKET_PAYLOAD        BIT_U16(11)
+#define LOG_JSON_WEBSOCKET_PAYLOAD_BASE64 BIT_U16(12)
 
 #define METADATA_DEFAULTS ( LOG_JSON_FLOW |                        \
             LOG_JSON_APP_LAYER  |                                  \
             LOG_JSON_RULE_METADATA)
 
-#define JSON_BODY_LOGGING  (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64)
+#define JSON_BODY_LOGGING                                                                          \
+    (LOG_JSON_HTTP_BODY | LOG_JSON_HTTP_BODY_BASE64 | LOG_JSON_WEBSOCKET_PAYLOAD |                 \
+            LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -303,6 +307,20 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
             void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
             if (tx) {
                 jb_get_mark(jb, &mark);
+                switch (proto) {
+                    // first check some protocols need special options for alerts logging
+                    case ALPROTO_WEBSOCKET:
+                        if (option_flags &
+                                (LOG_JSON_WEBSOCKET_PAYLOAD | LOG_JSON_WEBSOCKET_PAYLOAD_BASE64)) {
+                            bool pp = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD) != 0;
+                            bool pb64 = (option_flags & LOG_JSON_WEBSOCKET_PAYLOAD_BASE64) != 0;
+                            if (!SCWebSocketLogDetails(tx, jb, pp, pb64)) {
+                                jb_restore_mark(jb, &mark);
+                            }
+                            // nothing more to log or do
+                            return;
+                        }
+                }
                 if (!al->LogTx(tx, jb)) {
                     jb_restore_mark(jb, &mark);
                 }
@@ -850,6 +868,8 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
         SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
         SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
         SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
+        SetFlag(conf, "websocket-payload-printable", LOG_JSON_WEBSOCKET_PAYLOAD, &flags);
+        SetFlag(conf, "websocket-payload", LOG_JSON_WEBSOCKET_PAYLOAD_BASE64, &flags);
         SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
 
         /* Check for obsolete flags and warn that they have no effect. */

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -164,6 +164,8 @@ outputs:
             # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
             # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
             # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+            # websocket-payload: yes   # Requires metadata; enable dumping of WebSocket Payload in Base64
+            # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format
 
             # Enable the logging of tagged packets for rules using the
             # "tag" keyword.