option inspection-recursion-limit you can limit this action.
The stream-tx-log-limit defines the maximum number of times a
-transaction will get logged for a stream-only rule match.
+transaction will get logged for rules without app-layer keywords.
This is meant to avoid logging the same data an arbitrary number
of times.
/// STREAM_TOCLIENT: file tx , files only in toclient dir
/// STREAM_TOSERVER|STREAM_TOCLIENT: files possible in both dirs
pub file_tx: u8,
- /// Number of times this tx data has already been logged for one stream match
- pub stream_logged: u8,
+ /// Number of times this tx data has already been logged for signatures
+ /// not using application layer keywords
+ pub guessed_applayer_logged: u8,
/// detection engine flags for use by detection engine
detect_flags_ts: u64,
files_stored: 0,
file_flags: 0,
file_tx: 0,
- stream_logged: 0,
+ guessed_applayer_logged: 0,
updated_tc: true,
updated_ts: true,
detect_flags_ts: 0,
files_stored: 0,
file_flags: 0,
file_tx: 0,
- stream_logged: 0,
+ guessed_applayer_logged: 0,
updated_tc,
updated_ts,
detect_flags_ts,
de_ctx->inspection_recursion_limit);
// default value is 4
- de_ctx->stream_tx_log_limit = 4;
+ de_ctx->guess_applayer_log_limit = 4;
if (ConfGetInt("detect.stream-tx-log-limit", &value) == 1) {
if (value >= 0 && value <= UINT8_MAX) {
- de_ctx->stream_tx_log_limit = (uint8_t)value;
+ de_ctx->guess_applayer_log_limit = (uint8_t)value;
} else {
SCLogWarning("Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
"and 255, will default to 4");
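Review bot: The warning emitted when the value is out of range names a different key than the one the code reads: the `ConfGetInt` call looks up `detect.stream-tx-log-limit`, while the message says `detect-engine.stream-tx-log-limit`, so an operator who sets a bad value is pointed at a setting that is not the one being validated. The message should name the key that is actually read, `SCLogWarning("Invalid value for detect.stream-tx-log-limit: must be between 0 "`, unless the lookup itself is the wrong one (the YAML excerpt shows `stream-tx-log-limit` next to `inspection-recursion-limit`, but its parent key is outside the hunk, so I cannot confirm which prefix is right). Since the struct field is renamed to `guess_applayer_log_limit` while the configuration key keeps its old `stream-tx-log-limit` name, a comment above the lookup such as `/* config key name kept for compatibility; the value now bounds tx logging for rules without app-layer keywords */` would stop the next reader from treating the mismatch as a bug. The enclosing function starts and ends outside this hunk.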
AppLayerTxData *txd =
tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr)
: NULL;
- if (txd && txd->stream_logged < de_ctx->stream_tx_log_limit) {
+ if (txd && txd->guessed_applayer_logged < de_ctx->guess_applayer_log_limit) {
alert_flags |= PACKET_ALERT_FLAG_TX;
if (pflow->proto != IPPROTO_UDP) {
alert_flags |= PACKET_ALERT_FLAG_TX_GUESSED;
}
- txd->stream_logged++;
+ txd->guessed_applayer_logged++;
}
}
}
/* maximum recursion depth for content inspection */
int inspection_recursion_limit;
- /* maximum number of times a tx will get logged for a stream-only rule match */
- uint8_t stream_tx_log_limit;
+ /* maximum number of times a tx will get logged for rules not using app-layer keywords */
+ uint8_t guess_applayer_log_limit;
/* force app-layer tx finding for alerts with signatures not having app-layer keywords */
bool guess_applayer;
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
- # maximum number of times a tx will get logged for a stream-only rule match
+ # maximum number of times a tx will get logged for rules without app-layer keywords
# stream-tx-log-limit: 4
# try to tie an app-layer transaction for rules without app-layer keywords
# if there is only one live transaction for the flow