eve/frame: run logging for flow end packets
authorVictor Julien <vjulien@oisf.net>
Fri, 6 Dec 2024 13:11:38 +0000 (14:11 +0100)
committerVictor Julien <vjulien@oisf.net>
Wed, 11 Dec 2024 08:33:02 +0000 (09:33 +0100)
If there are frames in the flow the flow manager will create flow
timeout packets to log the remaining frames. This requires the logger to
run for those flow timeout packets.

Ticket: #7440.

src/output-json-frame.c

index 41c5283294a9cdff6b6f5a56057261aff07e4055..6a3cf768a4f4d2e6ccebfcab8ddcbe9dc7dc3fef 100644 (file)
@@ -408,9 +408,11 @@ static bool JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packe
 
     if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
         if (p->proto == IPPROTO_TCP) {
-            if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
+            if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TS_APP_UPDATED)) &&
+                    PKT_IS_TOSERVER(p)) {
                 // fallthrough
-            } else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
+            } else if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TC_APP_UPDATED)) &&
+                       PKT_IS_TOCLIENT(p)) {
                 // fallthrough
             } else {
                 return false;
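Review bot: The new `PKT_IS_PSEUDOPKT(p)` bypass in both TCP branches has no comment explaining why pseudo packets skip the `FLOW_TS_APP_UPDATED` / `FLOW_TC_APP_UPDATED` test, and the existing `// fallthrough` markers read like a switch-case annotation rather than "continue to the checks below". I would add a comment above the first condition, for example `/* flow timeout pseudo packets may not have the app-updated flag set, but must still reach the logger so the remaining frames are written */`. The commit message talks about flow timeout packets specifically, while the macro name suggests it could match other pseudo packets as well; its definition is not visible here, so please confirm that running the frame logger for every pseudo packet is intended and cannot emit the same frame twice. JsonFrameLogCondition starts before and continues past this hunk, so the earlier `p->flow` handling and the code after the `else` are not covered by this note.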