]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 717c6b0)
filestore: store chunks in packet direction
authorVictor Julien <victor@inliniac.net>
Thu, 18 Mar 2021 13:38:33 +0000 (14:38 +0100)
committerShivani Bhardwaj <shivanib134@gmail.com>
Fri, 17 Sep 2021 02:48:49 +0000 (08:18 +0530)
Storing too early can lead to files being considered TRUNCATED if the
TCP state is not yet CLOSED when logging is triggered. This has been
observed with FTP-DATA and might also be an issue with simple HTTP.

(cherry picked from commit ca124b033ef408501897e0517eaf79d2196c68d9)

src/output-filedata.c patch | blob | blame | history

diff --git a/src/output-filedata.c b/src/output-filedata.c
index 62b3bf5ed2bb8ea2038fcedca9dd2dc7cc9232c3..784d4d18d70360e4f536b2592eaebaf8b3446e44 100644 (file)
--- a/src/output-filedata.c
+++ b/src/output-filedata.c
@@ -239,18 +239,20 @@ static TmEcode OutputFiledataLog(ThreadVars *tv, Packet *p, void *thread_data)
         SCReturnInt(TM_ECODE_OK);
     }
 
-    const bool file_close_ts = ((p->flags & PKT_PSEUDO_STREAM_END) &&
-            (p->flowflags & FLOW_PKT_TOSERVER));
-    const bool file_close_tc = ((p->flags & PKT_PSEUDO_STREAM_END) &&
-            (p->flowflags & FLOW_PKT_TOCLIENT));
     const bool file_trunc = StreamTcpReassembleDepthReached(p);
-
-    FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
-    FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
-    SCLogDebug("ffc_ts %p", ffc_ts);
-    OutputFiledataLogFfc(tv, op_thread_data, p, ffc_ts, STREAM_TOSERVER, file_close_ts, file_trunc, STREAM_TOSERVER);
-    SCLogDebug("ffc_tc %p", ffc_tc);
-    OutputFiledataLogFfc(tv, op_thread_data, p, ffc_tc, STREAM_TOCLIENT, file_close_tc, file_trunc, STREAM_TOCLIENT);
+    if (p->flowflags & FLOW_PKT_TOSERVER) {
+        const bool file_close_ts = p->flags & PKT_PSEUDO_STREAM_END;
+        FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
+        SCLogDebug("ffc_ts %p", ffc_ts);
+        OutputFiledataLogFfc(tv, op_thread_data, p, ffc_ts, STREAM_TOSERVER, file_close_ts,
+                file_trunc, STREAM_TOSERVER);
+    } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
+        const bool file_close_tc = p->flags & PKT_PSEUDO_STREAM_END;
+        FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
+        SCLogDebug("ffc_tc %p", ffc_tc);
+        OutputFiledataLogFfc(tv, op_thread_data, p, ffc_tc, STREAM_TOCLIENT, file_close_tc,
+                file_trunc, STREAM_TOCLIENT);
+    }
 
     return TM_ECODE_OK;
 }
Mirror of https://github.com/OISF/suricata.git