]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c78f5ac)
filestore: store chunks in packet direction
authorVictor Julien <victor@inliniac.net>
Thu, 18 Mar 2021 13:38:33 +0000 (14:38 +0100)
committerVictor Julien <victor@inliniac.net>
Wed, 1 Sep 2021 06:33:52 +0000 (08:33 +0200)
Storing too early can lead to files being considered TRUNCATED if the
TCP state is not yet CLOSED when logging is triggered. This has been
observed with FTP-DATA and might also be an issue with simple HTTP.

src/output-filedata.c patch | blob | blame | history

diff --git a/src/output-filedata.c b/src/output-filedata.c
index 7a458737cc5d08b36dcada729487a86c0d265475..783f50f98a73d67c938596ba0f87525a25d55581 100644 (file)
--- a/src/output-filedata.c
+++ b/src/output-filedata.c
@@ -225,18 +225,20 @@ static TmEcode OutputFiledataLog(ThreadVars *tv, Packet *p, void *thread_data)
         SCReturnInt(TM_ECODE_OK);
     }
 
-    const bool file_close_ts = ((p->flags & PKT_PSEUDO_STREAM_END) &&
-            (p->flowflags & FLOW_PKT_TOSERVER));
-    const bool file_close_tc = ((p->flags & PKT_PSEUDO_STREAM_END) &&
-            (p->flowflags & FLOW_PKT_TOCLIENT));
     const bool file_trunc = StreamTcpReassembleDepthReached(p);
-
-    FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
-    FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
-    SCLogDebug("ffc_ts %p", ffc_ts);
-    OutputFiledataLogFfc(tv, op_thread_data, p, ffc_ts, STREAM_TOSERVER, file_close_ts, file_trunc, STREAM_TOSERVER);
-    SCLogDebug("ffc_tc %p", ffc_tc);
-    OutputFiledataLogFfc(tv, op_thread_data, p, ffc_tc, STREAM_TOCLIENT, file_close_tc, file_trunc, STREAM_TOCLIENT);
+    if (p->flowflags & FLOW_PKT_TOSERVER) {
+        const bool file_close_ts = ((p->flags & PKT_PSEUDO_STREAM_END));
+        FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
+        SCLogDebug("ffc_ts %p", ffc_ts);
+        OutputFiledataLogFfc(tv, op_thread_data, p, ffc_ts, STREAM_TOSERVER, file_close_ts,
+                file_trunc, STREAM_TOSERVER);
+    } else {
+        const bool file_close_tc = ((p->flags & PKT_PSEUDO_STREAM_END));
+        FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
+        SCLogDebug("ffc_tc %p", ffc_tc);
+        OutputFiledataLogFfc(tv, op_thread_data, p, ffc_tc, STREAM_TOCLIENT, file_close_tc,
+                file_trunc, STREAM_TOCLIENT);
+    }
 
     return TM_ECODE_OK;
 }
Mirror of https://github.com/OISF/suricata.git