drop json log: log out 'drop' signature 1365/head
authorVictor Julien <victor@inliniac.net>
Tue, 21 Oct 2014 17:27:34 +0000 (19:27 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 11 Mar 2015 14:55:52 +0000 (15:55 +0100)
If no normal sig was logged as the 'drop' reason, try the stored
drop signature instead; this also logs out 'noalert' sigs.

src/output-json-drop.c

index fc4b4eb36db53c58a1a1ea80944e043af31f86d1..9f457ab7df594516861ccf5093feff5e7a0f1a28 100644 (file)
@@ -142,6 +142,7 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
     json_object_set_new(js, "drop", djs);
 
     if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
+        int logged = 0;
         int i;
         for (i = 0; i < p->alerts.cnt; i++) {
             const PacketAlert *pa = &p->alerts.alerts[i];
@@ -152,6 +153,13 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
                ((pa->action & ACTION_DROP) && EngineModeIsIPS()))
             {
                 AlertJsonHeader(pa, js);
+                logged = 1;
+            }
+        }
+        if (logged == 0) {
+            if (p->alerts.drop.action != 0) {
+                const PacketAlert *pa = &p->alerts.drop;
+                AlertJsonHeader(pa, js);
             }
         }
     }
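Review bot: The fallback added at the end of this hunk carries no comment explaining why it exists, and the `pa` temporary plus the nested `if` add noise; the two conditions fold into one and the header call can take the address directly: `/* nothing logged above: fall back to the stored drop signature, which may be a 'noalert' rule */`, `if (logged == 0 && p->alerts.drop.action != 0) {`, `    AlertJsonHeader(&p->alerts.drop, js);`. The loop above gates each per-alert log on `ACTION_DROP` and `EngineModeIsIPS()` (visible on the first context line), while the fallback applies only the non-zero action check; if that asymmetry is intentional because the stored drop alert is by definition the drop reason, the comment should say so. From a detection standpoint this fallback is what makes the drop record attributable to a rule when only a noalert signature fired, so keeping it readable matters. DropLogJSON starts before this hunk and continues after it.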
@@ -365,6 +373,8 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
 
     if (p->flow != NULL) {
         int ret = FALSE;
+
+        /* for a flow that will be dropped fully, log just once per direction */
         FLOWLOCK_RDLOCK(p->flow);
         if (p->flow->flags & FLOW_ACTION_DROP) {
             if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
@@ -373,6 +383,11 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
                 ret = TRUE;
         }
         FLOWLOCK_UNLOCK(p->flow);
+
+        /* if drop is caused by signature, log anyway */
+        if (p->alerts.drop.action != 0)
+            ret = TRUE;
+
         return ret;
     } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
         return TRUE;
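Review bot: The signature check added after `FLOWLOCK_UNLOCK(p->flow)` overrides whatever was computed under the lock, and it reads only `p->alerts`, which appears to be per-packet state the flow lock does not protect, so it could run before `FLOWLOCK_RDLOCK(p->flow)` and return early, sparing the read lock on every packet it catches: `if (p->alerts.drop.action != 0) return TRUE;` placed ahead of the lock, keeping the existing comment. The comment `/* if drop is caused by signature, log anyway */` would be clearer if it named the consequence, e.g. `/* a signature-caused drop is logged for every matching packet, bypassing the once-per-direction suppression used for flow drops */`. Whether that repeat logging is wanted on a flow already flagged FLOW_ACTION_DROP is not settled by the hunk; the commit description suggests it is intended. JsonDropLogCondition starts before this hunk and continues after it.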