From: Victor Julien Date: Tue, 21 Mar 2023 19:20:48 +0000 (+0100) Subject: eve/drop: don't log drops unless packet is dropped X-Git-Tag: suricata-7.0.0-rc2~505 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09348564f032ad61811d2a77aecc1d0472f4a656;p=thirdparty%2Fsuricata.git eve/drop: don't log drops unless packet is dropped In pass/drop combinations where the pass rule took precendence over the drop, a "drop" false positive could still be logged due to the storing of the drop record in the packet drop alert store. Bug: #5867.
---
diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index 39d283d3aa..962358ab61 100644
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -349,6 +349,10 @@ static int JsonDropLogCondition(ThreadVars *tv, void *data, const Packet *p)
         return FALSE;
     }
 
+    if (!(PacketCheckAction(p, ACTION_DROP))) {
+        return FALSE;
+    }
+
     if (g_droplog_flows_start && p->flow != NULL) {
         int ret = FALSE;
 
@@ -365,11 +369,9 @@ static int JsonDropLogCondition(ThreadVars *tv, void *data, const Packet *p)
             ret = TRUE;
         return ret;
-    } else if (PacketCheckAction(p, ACTION_DROP)) {
-        return TRUE;
     }
-    return FALSE;
+    return TRUE;
 }
 
 void JsonDropLogRegister (void)
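Review bot: The new early return in JsonDropLogCondition carries no comment saying why a packet that reached the drop logger can nevertheless not be dropped, so the next reader is likely to see the `PacketCheckAction(p, ACTION_DROP)` test as a redundant sanity check rather than the fix for a false "drop" record; a why-comment such as `/* a pass rule may have overridden the drop alert in the store; only the packet's final action decides whether a drop is logged (bug #5867) */` would keep the rationale from the commit message next to the code. The second hunk depends on the same check: its final `return TRUE;` is correct only because every non-dropped packet has already left through the new early-out, which `/* reached only for dropped packets, see check above */` would make explicit. As a matter of style the doubled parentheses in `if (!(PacketCheckAction(p, ACTION_DROP))) {` can be written `if (!PacketCheckAction(p, ACTION_DROP)) {`. JsonDropLogCondition begins before the first hunk and the per-flow logic that computes ret lies between the two hunks, so whether that logic still has any path that expected a non-dropped packet to reach it is inferred rather than visible here.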