Suricata

Apparently Suricata shortens long interface names to something like:

$ sudo ./src/suricata -i abcdefghijk
[5468] 1/9/2017 -- 16:07:51 - (util-device.c:187) <Info> (LiveSafeDeviceName) -- Shortening device name to: abcd..hijk
[...]

Unfortunately, the dots in the shortened interface name are causing problems in the per-thread JSON stats output. There, dots in hierarchical paths are used as separators to structure the JSON output. For instance, with the interface name above we obtain a field path (output-json-stats.c:153) of:

W#05-abcd..hijk.app_layer.flow.http

which, when processed by OutputStats2Json(), results in:

...
      "W#05-abcd": {
        "": {
          "hijk": {
...
            "app_layer": {
              "flow": {
                "http": 0,
...
              }
            }
          }
        }
      },
...

which is most likely unintended and differs from the structure for threads processing non-shortened interfaces:

...
      "W#05-abcde": {
...
        "app_layer": {
          "flow": {
            "http": 0,
...
        },
      },
...

This confused my new Telegraf plugin for Suricata run-time stats, so I noticed it.

I have a simple patch ready makes sure double periods (..) are skipped when tokenizing stats fields for JSON output. I can file a PR on GitHub if you want.