detect/tag: add a tag for first packet

author Eric Leblond <eric@regit.org>

Thu, 25 Feb 2021 21:48:16 +0000 (22:48 +0100)

committer Victor Julien <vjulien@oisf.net>

Thu, 26 May 2022 11:33:33 +0000 (13:33 +0200)
author Eric Leblond <eric@regit.org>
Thu, 25 Feb 2021 21:48:16 +0000 (22:48 +0100)
committer Victor Julien <vjulien@oisf.net>
Thu, 26 May 2022 11:33:33 +0000 (13:33 +0200)
diff --git a/src/decode.h b/src/decode.h

index be1e6d2b759d8a0e4223429f1cebb9439b5b62f9..1b9806e74817d9942dddae0a0fbd73ca3f7ffb6f 100644 (file)
--- a/src/decode.h
+++ b/src/decode.h
@@ -1222,6 +1222,7 @@ void DecodeUnregisterCounters(void);
  
  /** We had no alert on flow before this packet */
  #define PKT_FIRST_ALERTS BIT_U32(29)
+#define PKT_FIRST_TAG    BIT_U32(30)
  
  /** \brief return 1 if the packet is a pseudo packet */
  #define PKT_IS_PSEUDOPKT(p) \
diff --git a/src/detect-engine-tag.c b/src/detect-engine-tag.c

index 5839bd1597b4f57fcfb03935e88549083f244fe0..66409d17bdc94a47366fd58f6155aed8bb9b4831 100644 (file)
--- a/src/detect-engine-tag.c
+++ b/src/detect-engine-tag.c
@@ -276,6 +276,7 @@ static void TagHandlePacketFlow(Flow *f, Packet *p)
           * to log it (the alert will log it) */
          if (!(iter->flags & TAG_ENTRY_FLAG_SKIPPED_FIRST)) {
              iter->flags |= TAG_ENTRY_FLAG_SKIPPED_FIRST;
+            p->flags |= PKT_FIRST_TAG;
          } else {
              /* Update metrics; remove if tag expired; and set alerts */
              switch (iter->metric) {
author	Eric Leblond <eric@regit.org>
	Thu, 25 Feb 2021 21:48:16 +0000 (22:48 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Thu, 26 May 2022 11:33:33 +0000 (13:33 +0200)
src/decode.h		patch \| blob \| blame \| history
src/detect-engine-tag.c		patch \| blob \| blame \| history