Output notx 6846 backport7 v3 #11126

13 changes: 9 additions & 4 deletions src/detect-engine-alert.c
Expand Up @@ -272,7 +272,7 @@ static inline PacketAlert PacketAlertSet(
pa.s = (Signature *)s;
pa.flags = alert_flags;
/* Set tx_id if the frame has it */
pa.tx_id = (tx_id == UINT64_MAX) ? 0 : tx_id;
pa.tx_id = tx_id;
pa.frame_id = (alert_flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
return pa;
}
Expand Down Expand Up @@ -317,10 +317,15 @@ static int AlertQueueSortHelper(const void *a, const void *b)
{
const PacketAlert *pa0 = a;
const PacketAlert *pa1 = b;
if (pa1->num == pa0->num)
if (pa1->num == pa0->num) {
if (pa1->tx_id == PACKET_ALERT_NOTX) {
return -1;
} else if (pa0->tx_id == PACKET_ALERT_NOTX) {
return 1;
}
return pa0->tx_id < pa1->tx_id ? 1 : -1;
else
return pa0->num > pa1->num ? 1 : -1;
}
return pa0->num > pa1->num ? 1 : -1;
}

/** \internal
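Review bot: In AlertQueueSortHelper the new PACKET_ALERT_NOTX branch returns -1 whenever pa1 has no transaction, including when pa0 has none either, so two NOTX alerts with the same num yield cmp(a,b) == cmp(b,a) == -1; the retained `return pa0->tx_id < pa1->tx_id ? 1 : -1;` has the same problem when both tx_ids are equal. If this is a qsort comparator, such an inconsistent ordering leaves the result unspecified. Handling equality first, e.g. `if (pa0->tx_id == pa1->tx_id) return 0;` placed before the NOTX checks, turns it into a proper total order; tie-break on another field if a deterministic order between such alerts is required. In the first hunk the comment `/* Set tx_id if the frame has it */` no longer describes the now-unconditional assignment and could read `/* PACKET_ALERT_NOTX when the alert has no transaction; only meaningful with PACKET_ALERT_FLAG_TX */`.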
21 changes: 18 additions & 3 deletions src/detect.c
Expand Up @@ -813,7 +813,20 @@ static inline void DetectRulePacketRules(
#endif
DetectRunPostMatch(tv, det_ctx, p, s);

AlertQueueAppend(det_ctx, s, p, 0, alert_flags);
uint64_t txid = PACKET_ALERT_NOTX;
if ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
(s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
// if there is a stream match (TCP), or
// a UDP specific app-layer signature,
// try to use the good tx for the packet direction
if (pflow->alstate) {
uint8_t dir =
(p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
alert_flags |= PACKET_ALERT_FLAG_TX;
}
}
AlertQueueAppend(det_ctx, s, p, txid, alert_flags);
next:
DetectVarProcessList(det_ctx, pflow, p);
DetectReplaceFree(det_ctx);
Expand Down Expand Up @@ -1714,12 +1727,14 @@ static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngin
/* match */
DetectRunPostMatch(tv, det_ctx, p, s);

const uint8_t alert_flags =
(PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_FRAME);
uint8_t alert_flags = (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_FRAME);
det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_FRAME_ID_SET;
det_ctx->frame_id = frame->id;
SCLogDebug(
"%p/%" PRIi64 " sig %u (%u) matched", frame, frame->id, s->id, s->num);
if (frame->flags & FRAME_FLAG_TX_ID_SET) {
alert_flags |= PACKET_ALERT_FLAG_TX;
}
AlertQueueAppend(det_ctx, s, p, frame->tx_id, alert_flags);
}
}
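Review bot: In DetectRunFrames (second hunk) `frame->tx_id` is passed to AlertQueueAppend even when FRAME_FLAG_TX_ID_SET is clear, while PACKET_ALERT_FLAG_TX is only set when it is set; unless an unset frame tx_id is already PACKET_ALERT_NOTX, the alert carries a stale or zero id that AlertQueueSortHelper and PacketAlertSet will treat as a real transaction. Passing `(frame->flags & FRAME_FLAG_TX_ID_SET) ? frame->tx_id : PACKET_ALERT_NOTX` keeps the id and the flag consistent. In the first hunk, `pflow->proto` is dereferenced when the signature has an alproto and there is no stream match; if DetectRulePacketRules can be reached with pflow == NULL for such a signature, the condition needs a `pflow != NULL &&` guard ahead of it. Both enclosing functions start outside their hunks.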
3 changes: 3 additions & 0 deletions src/detect.h
Expand Up @@ -49,6 +49,9 @@
* classtype. */
#define DETECT_DEFAULT_PRIO 3

// tx_id value to use when there is no transaction
#define PACKET_ALERT_NOTX UINT64_MAX

/* forward declarations for the structures from detect-engine-sigorder.h */
struct SCSigOrderFunc_;
struct SCSigSignatureWrapper_;
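Review bot: The new PACKET_ALERT_NOTX comment is a `//` line in a header that otherwise uses `/* */` block comments (see the DETECT_DEFAULT_PRIO comment just above), and it does not say how the sentinel relates to the alert flags. Suggested: `/* tx_id stored in PacketAlert when the alert has no transaction; PACKET_ALERT_FLAG_TX is expected to be clear in that case */`. The define expands to UINT64_MAX, so <stdint.h> must already be visible at this point of detect.h, directly or via an earlier include.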
14 changes: 8 additions & 6 deletions src/output-json-alert.c
Expand Up @@ -782,12 +782,14 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
}

if (p->flow != NULL) {
if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
}
/* including fileinfo data is configured by the metadata setting */
if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
AlertAddFiles(p, jb, pa->tx_id);
if (pa->flags & PACKET_ALERT_FLAG_TX) {
if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
AlertAddAppLayer(p, jb, pa->tx_id, json_output_ctx->flags);
}
/* including fileinfo data is configured by the metadata setting */
if (json_output_ctx->flags & LOG_JSON_RULE_METADATA) {
AlertAddFiles(p, jb, pa->tx_id);
}
}

EveAddAppProto(p->flow, jb);
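Review bot: The new `pa->flags & PACKET_ALERT_FLAG_TX` gate in AlertJson has no comment explaining why app-layer and file data are now skipped for alerts without a transaction, so a later reader may take it for lost output and remove it. Suggested above the check: `/* pa->tx_id is only valid when PACKET_ALERT_FLAG_TX is set; for alerts without a transaction the tx-based app-layer and file lookups are skipped */`. EveAddAppProto remaining outside the gate looks intended, since it needs only the flow; confirm. AlertJson starts and ends outside the hunk.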