From 4f8783d65db3a69ef02ff3b48235ba7c2cacd2ba Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 25 Jun 2024 16:37:48 -0600
Subject: [PATCH] alerts: display quic sni if available

---
 src/elastic/eventrepo/alerts.rs | 1 +
 src/sqlite/eventrepo/alerts.rs | 3 +++
 webapp/src/Alerts.tsx | 5 +++++
 3 files changed, 9 insertions(+)

diff --git a/src/elastic/eventrepo/alerts.rs b/src/elastic/eventrepo/alerts.rs
index 5f02ad15..431c933f 100644
--- a/src/elastic/eventrepo/alerts.rs
+++ b/src/elastic/eventrepo/alerts.rs
@@ -77,6 +77,7 @@ impl ElasticEventRepo {
 "timestamp",
 // So we can display the SNI in the alert list.
 "tls.sni",
+ "quic.sni",
 // So we can display the query name in the alert list.
 "dns.query",
 ])
diff --git a/src/sqlite/eventrepo/alerts.rs b/src/sqlite/eventrepo/alerts.rs
index 461b1ddc..78ffba69 100644
--- a/src/sqlite/eventrepo/alerts.rs
+++ b/src/sqlite/eventrepo/alerts.rs
@@ -58,6 +58,7 @@ impl SqliteEventRepo {
 .selectjs("alert.action")
 .selectjs2("dns")
 .selectjs2("tls")
+ .selectjs2("quic")
 .selectjs("app_proto")
 .selectjs("dest_ip")
 .selectjs("src_ip")
@@ -173,6 +174,7 @@ impl SqliteEventRepo {
 let host: Option = row.try_get("host").unwrap_or(None);
 let tls: serde_json::Value = row.try_get("tls").unwrap_or(serde_json::Value::Null);
 let dns: serde_json::Value = row.try_get("dns").unwrap_or(serde_json::Value::Null);
+ let quic: serde_json::Value = row.try_get("quic").unwrap_or(serde_json::Value::Null);
 if let Some(host) = host {
 sensors.insert(host);
@@ -192,6 +194,7 @@ impl SqliteEventRepo {
 },
 "tls": tls,
 "dns": dns,
+ "quic": quic,
 });
 let key = format!("{alert_signature_id}{src_ip}{dest_ip}");
diff --git a/webapp/src/Alerts.tsx b/webapp/src/Alerts.tsx
index 4f34acc1..e8207993 100644
--- a/webapp/src/Alerts.tsx
+++ b/webapp/src/Alerts.tsx
@@ -1052,6 +1052,11 @@ export function AlertDescription(props: { event: EventWrapper }) {
 {props.event._source.tls!.sni}
+ 
+ 
+ {props.event._source.quic!.sni}
+ 
+ 
 {props.event._source.dns?.query![0].rrname}
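Review bot: The comment above `"tls.sni"` in the elastic field list (`// So we can display the SNI in the alert list.`) now also explains the added `"quic.sni"` entry, but still reads as if only the TLS field were selected; `"quic.sni"` is placed after `"tls.sni"` with no comment of its own. Update the comment to cover both, e.g. `// So we can display the TLS or QUIC SNI in the alert list.`, so the next reader does not take `"quic.sni"` for an unrelated field. The surrounding field list and the enclosing method of `ElasticEventRepo` start and end outside the hunk.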
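Review bot: The new `{props.event._source.quic!.sni}` asserts that `quic` is non-null, copying the `tls!.sni` line above it, yet the sqlite side of this same commit fills `quic` with `serde_json::Value::Null` whenever the row has no quic object, and the elastic side only returns the field when the document has it. Whether this expression is reached only for events that carry a quic object depends on an enclosing guard whose JSX markup is not visible in this hunk (the tags were stripped), so the assertion is an unchecked assumption here. Optional chaining, `{props.event._source.quic?.sni}`, renders nothing for a null or missing object instead of throwing inside the alert list, and matches the `dns?.query` form on the neighbouring line. The SNI itself is a string taken from observed traffic; as long as it stays inside JSX text interpolation, as shown, it is escaped on render. `AlertDescription` begins and ends outside the hunk.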