[Bro] Converting Notice::Info to JSON

Azoff, Justin S jazoff at illinois.edu
Tue Jan 31 08:16:25 PST 2017


> On Jan 31, 2017, at 9:49 AM, Dave Crawford <bro at pingtrip.com> wrote:
> 
> I’m creating a script that hooks Notice notice/policy and executes an ActiveHTTP call to submit specific notice events to a REST endpoint. In the submission I’d like to include the Notice::Info object as a JSON data field so tried:
> 
> to_json(n)
> 
> But it produces the following error:
> 
> 1485869266.028563 error in /Users/dave/Projects/bro/share/bro/base/utils/json.bro, line 26: wrong port format, must be /[0-9]{1,5}\/(tcp|udp|icmp)/ (to_port(cat(v)))

This looks like a bug in to_json (or possibly to_port)... but it's harmless and there are some workarounds you can do.

The json.bro code does this to convert ports to strings for json

        case "port":
            return cat(port_to_count(to_port(cat(v))));

but the unknown/uninitialized port of 0/unknown breaks to_port.  It seems to_port needs to account for 0/unknown or json.bro should just be doing

        case "port":
            return cat(port_to_count(v));

I'm not sure why it does a double conversion like that in the first place.

In any case, the code still works even though it outputs that error.  Since it doesn't understand the port it returns 0/unknown anyway, so the end result is the same:

$ cat j.bro
event bro_init()
{
    local c: conn_id;
    c$orig_h=1.2.3.4;
    c$resp_p=0/unknown;
    print to_json(c);
}
$ bro j.bro
error in /usr/local/Cellar/bro/HEAD/share/bro/base/utils/json.bro, line 26: wrong port format, must be /[0-9]{1,5}\/(tcp|udp|icmp)/ (to_port(cat(v)))
{"orig_h": "1.2.3.4", "resp_p": 0}
$

You could probably avoid the whole issue by using to_json like this:

    to_json(note, T);

to set the only_loggable option to true which should cause it to ignore fields that aren't normally logged in the first place.

-- 
- Justin Azoff
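A script along the lines of the original question, added here as an example that is not from the thread: it hooks Notice::policy, filters on note type and POSTs to_json(n, T) to a REST endpoint via ActiveHTTP. The module name, the endpoint URL and the use of Weird::Activity as the filtered note type are assumptions.

```bro
# Added example, not from the original thread. Forwards selected notices
# to a REST endpoint as JSON, using to_json(n, T) (only_loggable=T) so
# that fields not marked &log are skipped before serialization.
@load base/frameworks/notice
@load base/utils/active-http
@load base/utils/json

module NoticeForward;

export {
	# Placeholder endpoint (assumption); replace with the real collector URL.
	const endpoint = "http://collector.example.invalid/notices" &redef;

	# Notice types worth forwarding. Weird::Activity is only an assumed
	# example value; redef this set with the notes you actually care about.
	const forward_notes: set[Notice::Type] = { Weird::Activity } &redef;
}

function post_notice(body: string)
	{
	local req: ActiveHTTP::Request = [$url=endpoint,
	                                   $method="POST",
	                                   $client_data=body,
	                                   $addl_curl_args="-H 'Content-Type: application/json'"];

	# ActiveHTTP::request is asynchronous, so it must be used in a when block.
	when ( local resp = ActiveHTTP::request(req) )
		{
		if ( resp$code != 200 )
			Reporter::warning(fmt("notice forward failed with HTTP %d", resp$code));
		}
	timeout 10sec
		{
		Reporter::warning("notice forward timed out");
		}
	}

# Low priority so the framework's own policy hooks have already run.
hook Notice::policy(n: Notice::Info) &priority=-5
	{
	if ( n$note in forward_notes )
		{
		# only_loggable=T: fields without &log (e.g. the conn record) are
		# omitted, the workaround suggested above for the to_port() error.
		post_notice(to_json(n, T));
		}
	}
```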
