]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
eve/frame: require frame length to be known
authorVictor Julien <vjulien@oisf.net>
Fri, 6 Dec 2024 13:13:14 +0000 (14:13 +0100)
committerVictor Julien <vjulien@oisf.net>
Wed, 11 Dec 2024 08:34:08 +0000 (09:34 +0100)
Or reach logging threshold.

Avoids logging too early.

Ticket: #7440.

src/output-json-frame.c

index 6a3cf768a4f4d2e6ccebfcab8ddcbe9dc7dc3fef..3fc875b0517be5d83d1a09a1fd4ba1227dd56469 100644 (file)
@@ -369,7 +369,9 @@ static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
             int64_t abs_offset = (int64_t)frame->offset + (int64_t)STREAM_BASE_OFFSET(stream);
             int64_t win = STREAM_APP_PROGRESS(stream) - abs_offset;
 
-            if (!eof && win < frame->len && win < 2500) {
+            /* skip frame if threshold not yet reached, esp if frame length is
+             * still unknown. */
+            if (!eof && ((frame->len == -1) || (win < frame->len)) && win < 2500) {
                 SCLogDebug("frame id %" PRIi64 " len %" PRIi64 ", win %" PRIi64
                            ", skipping logging",
                         frame->id, frame->len, win);