From cd4cf6b6c72527d7a899780b7cfe46e2d954fa43 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 26 Nov 2024 21:44:45 +0100
Subject: [PATCH] detect: log app-layer metadata in alert with single tx

Ticket: 7199

When there is a single live transaction, we cannot pick a wrong transaction to log, even if the rule does not use app-layer keywords.
---
 src/detect.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index 03fa8437068d..43c2f5e78c86 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -813,15 +813,16 @@ static inline void DetectRulePacketRules(
 DetectRunPostMatch(tv, det_ctx, p, s);
 uint64_t txid = PACKET_ALERT_NOTX;
- if ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
- (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
- // if there is a stream match (TCP), or
- // a UDP specific app-layer signature,
- // try to use the good tx for the packet direction
- if (pflow->alstate) {
- uint8_t dir =
- (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
- txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
+ if (pflow && pflow->alstate) {
+ uint8_t dir = (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
+ txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
+ if ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
+ (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) ||
+ AppLayerParserGetTxCnt(pflow, pflow->alstate) == txid + 1) {
+ // if there is a stream match (TCP), or
+ // a UDP specific app-layer signature,
+ // or only one live transaction
+ // try to use the good tx for the packet direction
 void *tx_ptr = AppLayerParserGetTx(pflow->proto, pflow->alproto, pflow->alstate, txid);
 AppLayerTxData *txd =