From: Eric Leblond
Date: Sat, 16 Sep 2017 12:28:22 +0000 (+0100)
Subject: flow: add parent_id field
X-Git-Tag: suricata-4.1.0-beta1~431
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d68050e609f12f7f40078de366125f3777efd06;p=thirdparty%2Fsuricata.git

flow: add parent_id field

This patch adds a parent_id field to the Flow structure that contain the flow ID of the parent connection for protocol with dynamic parallel connection opening like FTP.
---
diff --git a/src/flow-util.h b/src/flow-util.h
index 11109c3c5a..68475fd6bf 100644
--- a/src/flow-util.h
+++ b/src/flow-util.h
@@ -43,6 +43,7 @@
 SC_ATOMIC_INIT((f)->flow_state); \
 SC_ATOMIC_INIT((f)->use_cnt); \
 (f)->tenant_id = 0; \
+ (f)->parent_id = 0; \
 (f)->probing_parser_toserver_alproto_masks = 0; \
 (f)->probing_parser_toclient_alproto_masks = 0; \
 (f)->flags = 0; \
@@ -85,6 +86,7 @@
 SC_ATOMIC_RESET((f)->flow_state); \
 SC_ATOMIC_RESET((f)->use_cnt); \
 (f)->tenant_id = 0; \
+ (f)->parent_id = 0; \
 (f)->probing_parser_toserver_alproto_masks = 0; \
 (f)->probing_parser_toclient_alproto_masks = 0; \
 (f)->flags = 0; \
diff --git a/src/flow.h b/src/flow.h
index a13aa5eb9f..f6d080a23e 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -361,6 +361,9 @@ typedef struct Flow_
 uint32_t flags; /**< generic flags */
+ /* Parent flow id for protocol like ftp */
+ int64_t parent_id;
+
 uint16_t file_flags; /**< file tracking/extraction flags */
 /* coccinelle: Flow:file_flags:FLOWFILE_ */
diff --git a/src/output-json.c b/src/output-json.c
index 32495d416c..ecd26ee5d6 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -387,6 +387,9 @@ void CreateJSONFlowId(json_t *js, const Flow *f)
 return;
 int64_t flow_id = FlowGetId(f);
 json_object_set_new(js, "flow_id", json_integer(flow_id));
+ if (f->parent_id) {
+ json_object_set_new(js, "parent_id", json_integer(f->parent_id));
+ }
 }
 
 json_t *CreateJSONHeader(const Packet *p, int direction_sensitive,
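Review bot: The new member's comment `/* Parent flow id for protocol like ftp */` does not say that 0 is the "no parent" value, which is what the flow initialisation and recycle macros in flow-util.h store (the two hunks above) and what the `if (f->parent_id)` check in output-json.c relies on; the neighbouring members use trailing Doxygen comments, so I would write `int64_t parent_id; /**< id (as from FlowGetId) of the parent flow for protocols that open secondary connections, e.g. FTP; 0 when there is none */`. Whether the id is only a correlation key for logging or is used to look the parent flow up is not visible in this diff; if it is the former, the comment should also state that the parent flow may already have been recycled by the time the id is read. Placing an int64_t between the uint32_t flags and uint16_t file_flags members may also change the Flow struct's padding and size, which is worth checking against any layout assumptions the struct carries. The typedef struct Flow_ definition begins and ends outside the hunk.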
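Review bot: `if (f->parent_id)` uses 0 as the "no parent" sentinel, so the link is silently omitted from the log record if FlowGetId() can ever return 0 for a real flow; FlowGetId is not part of this diff, so either that guarantee should be documented where the id is generated or a separate has-parent indication is needed. I would make the sentinel explicit at the call site: `/* 0 is the "no parent" value stored by the flow init/recycle macros in flow-util.h */` followed by `if (f->parent_id != 0) {`. CreateJSONFlowId starts outside the hunk, so the condition that leads to the `return;` on its first visible line is not shown here.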