eve/alert: log ts_progress/tc_progress
authorVictor Julien <vjulien@oisf.net>
Mon, 17 Mar 2025 08:13:08 +0000 (09:13 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 7 Apr 2025 20:04:14 +0000 (22:04 +0200)
This is mostly to help with debugging firewall rules, but
can be useful in other places.

etc/schema.json
src/output-json-alert.c

index ef554f917edf0dcbe8d05a5afc4211c9a95a79c1..3f7385c0082b606697e3c6d6787ea73bc605f8fb 100644 (file)
         "payload": {
             "type": "string"
         },
+        "ts_progress": {
+            "type": "string"
+        },
+        "tc_progress": {
+            "type": "string"
+        },
         "payload_length": {
             "type": "integer"
         },
                             "type": "object",
                             "error": {
                                 "description":
-                                    "Consolidated stats on how many times app-layer error exception policy was applied, and which one",
+                                        "Consolidated stats on how many times app-layer error exception policy was applied, and which one",
                                 "$ref": "#/$defs/exceptionPolicy"
                             }
                         },
index 232e6174c220b49bae08f3fc024059178bd581dc..d5ad6f30b16287bc441d6a4a4a6bef98fedd847e 100644 (file)
@@ -323,6 +323,14 @@ static void AlertAddAppLayer(
         if (state) {
             void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
             if (tx) {
+                const int ts =
+                        AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
+                const int tc =
+                        AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
+                SCJbSetString(jb, "ts_progress",
+                        AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
+                SCJbSetString(jb, "tc_progress",
+                        AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
                 SCJbGetMark(jb, &mark);
                 switch (proto) {
                     // first check some protocols need special options for alerts logging
@@ -345,6 +353,20 @@ static void AlertAddAppLayer(
         }
         return;
     }
+    void *state = FlowGetAppState(p->flow);
+    if (state) {
+        void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
+        if (tx) {
+            const int ts =
+                    AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
+            const int tc =
+                    AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
+            SCJbSetString(jb, "ts_progress",
+                    AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
+            SCJbSetString(jb, "tc_progress",
+                    AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
+        }
+    }
     switch (proto) {
         case ALPROTO_HTTP1:
             // TODO: Could result in an empty http object being logged.
@@ -409,7 +431,6 @@ static void AlertAddAppLayer(
             }
             break;
         case ALPROTO_DCERPC: {
-            void *state = FlowGetAppState(p->flow);
             if (state) {
                 void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
                 if (tx) {
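Review bot: The eight lines that compute ts/tc and emit `ts_progress`/`tc_progress` are pasted verbatim at both tx-lookup sites (the first hunk at the `if (tx) {` before `SCJbGetMark`, and the second hunk's new function-scope `if (state)` block), so any later change to the progress logging has to be made twice; a small static helper taking the builder, packet, proto and tx would keep the two paths in step. Since the second hunk hoists `void *state` to function scope and the third hunk drops the `ALPROTO_DCERPC` local for it, the helper fits naturally at both call sites without touching that scoping change. One thing I could not confirm from the page: whether `AppLayerParserGetStateNameById` can return NULL for a parser without a state-name callback, and whether `SCJbSetString` tolerates a NULL value; if not, the helper is the single place to add `if (name) SCJbSetString(...)`. AlertAddAppLayer starts and ends outside these hunks.
```c
/* Emit the per-direction parser progress of tx as ts_progress/tc_progress. */
static void AlertAddTxProgress(SCJsonBuilder *jb, const Packet *p, const AppProto proto, void *tx)
{
    const int ts = AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
    const int tc = AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
    SCJbSetString(jb, "ts_progress",
            AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
    SCJbSetString(jb, "tc_progress",
            AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
}

// … unchanged: AlertAddAppLayer up to the first tx lookup …
            if (tx) {
                AlertAddTxProgress(jb, p, proto, tx);
                SCJbGetMark(jb, &mark);
// … unchanged: remainder of AlertAddAppLayer; the function-scope `if (tx)` block calls AlertAddTxProgress(jb, p, proto, tx) the same way …
```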