eve/netflow: add tx_cnt

This patch adds a `tx_cnt` field to `netflow` events to give some
context about the underlying protocol activity.

Ticket: #7635

diff --git a/etc/schema.json b/etc/schema.json
index 0bdb0178c548bc1252b79f81139e719825089b2b..774bf36df5441a986a17cfa60adf4d7fa2ae9030 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3493,6 +3493,9 @@
                 },
                 "start": {
                     "type": "string"
+                },
+                "tx_cnt": {
+                    "type": "integer"
                 }
             },
             "additionalProperties": false

diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index 6a2bb7ff17e532e5948b9ce141f324226e3228d4..b577571d6c6aee500da62ac518049ce52318f2ed 100644 (file)
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -24,6 +24,7 @@
  */
 
 #include "suricata-common.h"
+#include "app-layer-parser.h"
 #include "detect.h"
 #include "pkt-var.h"
 #include "conf.h"
@@ -198,6 +199,13 @@ static void NetFlowLogEveToServer(SCJsonBuilder *js, Flow *f)
     SCJbSetUint(js, "min_ttl", f->min_ttl_toserver);
     SCJbSetUint(js, "max_ttl", f->max_ttl_toserver);
 
+    if (f->alstate) {
+        uint64_t tx_id = AppLayerParserGetTxCnt(f, f->alstate);
+        if (tx_id) {
+            SCJbSetUint(js, "tx_cnt", tx_id);
+        }
+    }
+
     /* Close netflow. */
     SCJbClose(js);
 
@@ -244,6 +252,13 @@ static void NetFlowLogEveToClient(SCJsonBuilder *js, Flow *f)
         SCJbSetUint(js, "max_ttl", f->max_ttl_toclient);
     }
 
+    if (f->alstate) {
+        uint64_t tx_id = AppLayerParserGetTxCnt(f, f->alstate);
+        if (tx_id) {
+            SCJbSetUint(js, "tx_cnt", tx_id);
+        }
+    }
+
     /* Close netflow. */
     SCJbClose(js);