From: Victor Julien
Date: Fri, 6 Dec 2024 13:13:14 +0000 (+0100)
Subject: eve/frame: require frame length to be known
X-Git-Tag: suricata-8.0.0-beta1~642
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0de9eee04d967a4dc8c0ba7d0bc57789f4d8a1f2;p=thirdparty%2Fsuricata.git
eve/frame: require frame length to be known
Or reach logging threshold. Avoids logging too early. Ticket: #7440.
---
diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index 6a3cf768a4..3fc875b051 100644
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -369,7 +369,9 @@ static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
 int64_t abs_offset = (int64_t)frame->offset + (int64_t)STREAM_BASE_OFFSET(stream);
 int64_t win = STREAM_APP_PROGRESS(stream) - abs_offset;
- if (!eof && win < frame->len && win < 2500) {
+ /* skip frame if threshold not yet reached, esp if frame length is
+ * still unknown. */
+ if (!eof && ((frame->len == -1) || (win < frame->len)) && win < 2500) {
 SCLogDebug("frame id %" PRIi64 " len %" PRIi64 ", win %" PRIi64 ", skipping logging", frame->id, frame->len, win);
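Review bot: The unknown-length case in the new condition is matched with the literal `frame->len == -1`, so any other negative length would still reach `win < frame->len`, which is false for a non-negative `win`, and the frame would be logged before its data is complete. Whether other negative values can occur is not visible in this hunk, but `if (!eof && ((frame->len < 0) || (win < frame->len)) && win < 2500) {` would cover them at no cost. The cut-off `2500` is also a bare number; a named constant with a one-line comment such as `/* bytes of frame data to wait for before logging a frame of unknown or larger length */` would make the limit easier to audit for anyone relying on complete frame records in EVE output. FrameJson's body starts and ends outside the hunk.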