detect: use direction-based tx for app-layer logging

When we only have stream matches.

Ticket: 6846

This solves the case where another transaction was created
by parsing data in the other direction, before running the
detection.

Like
1. get data in direction 1
2. acked data: parse it, but do not run detection in dir 1
3. other data in direction 2
4. other data acked : parse it and create new tx,
then run detection for direction 1 with data from first packet

diff --git a/src/detect.c b/src/detect.c
index 9d595e66dc4a8b82580549747d80ba4a1d5dad74..0fc08ee5322394a3c3e68832a1fe431591ba4303 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -812,9 +812,11 @@ static inline void DetectRulePacketRules(
                 (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
             // if there is a stream match (TCP), or
             // a UDP specific app-layer signature,
-            // try to use the last tx
+            // try to use the good tx for the packet direction
             if (pflow->alstate) {
-                txid = AppLayerParserGetTxCnt(pflow, pflow->alstate) - 1;
+                uint8_t dir =
+                        (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
+                txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
                 alert_flags |= PACKET_ALERT_FLAG_TX;
             }
         }