Pull request #3711: netflow: grab the proto off of the netflow record - not the wire...

Merge in SNORT/snort3 from ~MMATIRKO/snort3:netflow_proto to master

Squashed commit of the following:

commit bffc80a39a33507892dae4a2575544323a7003a7
Author: Michael Matirko <mmatirko@cisco.com>
Date:   Mon Dec 19 15:12:07 2022 -0500

    netflow: grab the proto off of the netflow record - not the wire packet

diff --git a/src/network_inspectors/rna/rna_pnd.cc b/src/network_inspectors/rna/rna_pnd.cc
index c6610e491a3886f86181ec6fb1a795fd8fac4ff2..38da31fd5eeef860b2d9e4eaf6bdcaef0101d1f5 100644 (file)
--- a/src/network_inspectors/rna/rna_pnd.cc
+++ b/src/network_inspectors/rna/rna_pnd.cc
@@ -229,6 +229,7 @@ void RnaPnd::analyze_netflow_host(NetFlowEvent* nfe)
             return;
     }
 
+    // Note: this is the ethertype for the wire packet itself, not the NetFlow flows
     uint16_t ptype = rna_get_eth(p);
     if ( ptype > to_utype(ProtocolId::ETHERTYPE_MINIMUM) )
     {
@@ -237,7 +238,8 @@ void RnaPnd::analyze_netflow_host(NetFlowEvent* nfe)
                 packet_time());
     }
 
-    ptype = to_utype(p->get_ip_proto_next());
+    // Remaining fields (port, proto, etc.) are parsed from the NetFlow record
+    ptype = nfe->get_record()->proto;
     if ( ht->add_xport_proto(ptype) )
         logger.log(RNA_EVENT_NEW, NEW_XPORT_PROTOCOL, p, &ht, ptype, src_mac, src_ip_ptr,
             packet_time());
@@ -278,7 +280,7 @@ void RnaPnd::analyze_netflow_service(NetFlowEvent* nfe)
         if ( proto == IpProtocol::TCP )
             logger.log(RNA_EVENT_NEW, NEW_TCP_SERVICE, p, &ht,
                 (const struct in6_addr*) src_ip.get_ip6_ptr(), mac_addr, &ha);
-        else
+        else if ( proto == IpProtocol::UDP )
             logger.log(RNA_EVENT_NEW, NEW_UDP_SERVICE, p, &ht,
                 (const struct in6_addr*) src_ip.get_ip6_ptr(), mac_addr, &ha);