detect: log app-layer metadata in alert with single tx

Ticket: 7199 When there is a single transaction, we cannot pick a wrong transaction to log, even if the rule does not use app-layer keywords.
OISF · Nov 27, 2024 · 7bec7d5 · 7bec7d5
1 parent bd7d38e
commit 7bec7d5
Showing 1 changed file with 13 additions and 15 deletions.
diff --git a/src/detect.c b/src/detect.c
@@ -813,24 +813,22 @@ static inline void DetectRulePacketRules(
         DetectRunPostMatch(tv, det_ctx, p, s);
 
         uint64_t txid = PACKET_ALERT_NOTX;
-        if ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
-                (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
+        if (pflow && pflow->alstate &&
+                ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
+                        (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) ||
+                        AppLayerParserGetTxCnt(pflow, pflow->alstate) == 1)) {
             // if there is a stream match (TCP), or
             // a UDP specific app-layer signature,
+            // or only one transaction
             // try to use the good tx for the packet direction
-            if (pflow->alstate) {
-                uint8_t dir =
-                        (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
-                txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
-                void *tx_ptr =
-                        AppLayerParserGetTx(pflow->proto, pflow->alproto, pflow->alstate, txid);
-                AppLayerTxData *txd =
-                        tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr)
-                               : NULL;
-                if (txd && txd->stream_logged < de_ctx->stream_tx_log_limit) {
-                    alert_flags |= PACKET_ALERT_FLAG_TX;
-                    txd->stream_logged++;
-                }
+            uint8_t dir = (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
+            txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
+            void *tx_ptr = AppLayerParserGetTx(pflow->proto, pflow->alproto, pflow->alstate, txid);
+            AppLayerTxData *txd =
+                    tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr) : NULL;
+            if (txd && txd->stream_logged < de_ctx->stream_tx_log_limit) {
+                alert_flags |= PACKET_ALERT_FLAG_TX;
+                txd->stream_logged++;
             }
         }
         AlertQueueAppend(det_ctx, s, p, txid, alert_flags);