]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6882bcb)
eve/flow: add per flow TCP oob urg data counter
authorVictor Julien <vjulien@oisf.net>
Tue, 10 Dec 2024 09:16:51 +0000 (10:16 +0100)
committerVictor Julien <vjulien@oisf.net>
Wed, 11 Dec 2024 13:50:39 +0000 (14:50 +0100)
If TCP urgent handling is set to the OOB processing, the number of OOB
bytes is tracked for SEQ offset calculations. If this offset is
non-zero, add the field to the flow record.

Ticket: #7411.

etc/schema.json patch | blob | blame | history
src/output-json-flow.c patch | blob | blame | history

diff --git a/etc/schema.json b/etc/schema.json
index f03e89c3fb9211ea015d3305b7d4e47d2a900f64..c6ac4d7a4132c8f6fa74608e0a3b000bff51e8b6 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -6602,6 +6602,10 @@
                 "tc_max_regions": {
                     "type": "integer"
                 },
+                "tc_urgent_oob_data": {
+                    "description": "Number of Out-of-Band bytes sent by server using TCP urgent packets",
+                    "type": "integer"
+                },
                 "tcp_flags": {
                     "type": "string"
                 },
@@ -6617,6 +6621,10 @@
                 "ts_max_regions": {
                     "type": "integer"
                 },
+                "ts_urgent_oob_data": {
+                    "description": "Number of Out-of-Band bytes sent by client using TCP urgent packets",
+                    "type": "integer"
+                },
                 "urg": {
                     "type": "boolean"
                 }
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 051d530fb1efafee2663ecaff5f4ed1788bbeb9b..015c72f8c7bcdb4b32eaaacb2a31ca8ba9c6ae48 100644 (file)
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -318,6 +318,11 @@ static void EveFlowLogJSON(OutputJsonThreadCtx *aft, JsonBuilder *jb, Flow *f)
 
             jb_set_uint(jb, "ts_max_regions", ssn->client.sb.max_regions);
             jb_set_uint(jb, "tc_max_regions", ssn->server.sb.max_regions);
+
+            if (ssn->urg_offset_ts)
+                jb_set_uint(jb, "ts_urgent_oob_data", ssn->urg_offset_ts);
+            if (ssn->urg_offset_tc)
+                jb_set_uint(jb, "tc_urgent_oob_data", ssn->urg_offset_tc);
         }
 
         /* Close tcp. */
Mirror of https://github.com/OISF/suricata.git