webapp: request all app layers

ANSSI-FR · Nov 19, 2024 · 9bc1f07 · 9bc1f07
1 parent 7308aad
commit 9bc1f07
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 9 deletions.
diff --git a/suricata/suricata-eve-sqlite-output/src/schema.sql b/suricata/suricata-eve-sqlite-output/src/schema.sql
@@ -62,4 +62,4 @@ CREATE INDEX IF NOT EXISTS "alert_tag_idx" ON alert(tag);
 CREATE INDEX IF NOT EXISTS "alert_flow_id_idx" ON alert(flow_id);
 CREATE INDEX IF NOT EXISTS "anomaly_flow_id_idx" ON anomaly(flow_id);
 CREATE INDEX IF NOT EXISTS "fileinfo_flow_id_idx" ON fileinfo(flow_id);
-CREATE INDEX IF NOT EXISTS "app-event_flow_id_idx" ON "app-event"(flow_id, app_proto);
+CREATE INDEX IF NOT EXISTS "app-event_flow_id_idx" ON "app-event"(flow_id);
diff --git a/webapp/main.py b/webapp/main.py
@@ -152,15 +152,16 @@ async def api_flow_get(request):
         rows = await cursor.fetchall()
         result["fileinfo"] = [row_to_dict(f) for f in rows]
 
-    # Get associated protocol metadata
+    # Get associated application layer(s) metadata
     if app_proto and app_proto != "failed":
-        q_proto = app_proto if app_proto != "http2" else "http"
         cursor = await eve_database.execute(
-            "SELECT extra_data FROM 'app-event' WHERE flow_id = ? AND app_proto = ? ORDER BY id",
-            [flow_id, q_proto],
+            "SELECT app_proto, extra_data FROM 'app-event' WHERE flow_id = ? ORDER BY id",
+            [flow_id],
         )
-        rows = await cursor.fetchall()
-        result[app_proto] = [row_to_dict(f) for f in rows]
+        for row in await cursor.fetchall():
+            result[row["app_proto"]] = result.get(row["app_proto"], []) + [
+                json.loads(row["extra_data"])
+            ]
 
     # Get associated alert
     if result["flow"]["alerted"]:

diff --git a/webapp/static/js/flowdisplay.js b/webapp/static/js/flowdisplay.js
@@ -253,7 +253,7 @@ class FlowDisplay {
     })
 
     // Application protocol card
-    const appProto = flow.flow.app_proto
+    const appProto = flow.flow.app_proto.replace('http2', 'http')
     const flowEstablished = flow.flow.state !== 'new'
     document.getElementById('display-down').classList.toggle('d-none', flowEstablished)
     if (appProto && appProto !== 'failed' && flow[appProto] !== undefined) {
@@ -288,7 +288,7 @@ class FlowDisplay {
         if (appProto === 'http' || appProto === 'http2') {
           // Format HTTP dissection
           spanEl.classList.add('fw-bold')
-          spanEl.textContent = `${data.http_method ?? '?'} http://${data.hostname}:${data.http_port ?? flow.flow.dest_port}${data.url ?? ''} ${data.protocol ?? '?'}  ◄ ${data.status ?? '?'}\n`
+          spanEl.textContent = `${data.http_method ?? '?'} http://${data.hostname}:${data.http_port ?? flow.flow.dest_port}${data.url ?? ''} ${data.protocol ?? ''}  ◄ ${data.status ?? '?'}\n`
         } else {
           // Directly pretty-print JSON Suricata app protocol dissection
           spanEl.textContent += `${JSON.stringify(data, null, 4)}\n`