detect: add flag when packet is first with alert

We add a flag to packet to be able to know if this packet was the
first one to get alerts on the flow.

diff --git a/src/decode.h b/src/decode.h
index 3d1323fec76a1672a54a179fc4b6e66cacc8fbef..be1e6d2b759d8a0e4223429f1cebb9439b5b62f9 100644 (file)
--- a/src/decode.h
+++ b/src/decode.h
@@ -1220,6 +1220,9 @@ void DecodeUnregisterCounters(void);
  *  so flag it for not setting stream events */
 #define PKT_STREAM_NO_EVENTS BIT_U32(28)
 
+/** We had no alert on flow before this packet */
+#define PKT_FIRST_ALERTS BIT_U32(29)
+
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \
     ((p)->flags & (PKT_PSEUDO_STREAM_END|PKT_PSEUDO_DETECTLOG_FLUSH))

diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 359c224de9d41e830afc6e68645a26ad37ff97e4..b781f80bda2a0943d4df1b07580526b7ddc36f2e 100644 (file)
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -394,7 +394,10 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 
     /* Set flag on flow to indicate that it has alerts */
     if (p->flow != NULL && p->alerts.cnt > 0) {
-        FlowSetHasAlertsFlag(p->flow);
+        if (!FlowHasAlerts(p->flow)) {
+            FlowSetHasAlertsFlag(p->flow);
+            p->flags |= PKT_FIRST_ALERTS;
+        }
     }
 
 }