From: Eric Leblond
Date: Sun, 8 Nov 2020 17:10:49 +0000 (+0100)
Subject: detect: add flag when packet is first with alert
X-Git-Tag: suricata-7.0.0-beta1~580
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=435557ee7f0a0283456e049bd807dd9ab3e14b4b;p=thirdparty%2Fsuricata.git
detect: add flag when packet is first with alert
We add a flag to packet to be able to know if this packet was the first one to get alerts on the flow.
---
diff --git a/src/decode.h b/src/decode.h
index 3d1323fec7..be1e6d2b75 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1220,6 +1220,9 @@ void DecodeUnregisterCounters(void);
 * so flag it for not setting stream events */
 #define PKT_STREAM_NO_EVENTS BIT_U32(28)
+/** We had no alert on flow before this packet */
+#define PKT_FIRST_ALERTS BIT_U32(29)
+
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \
 ((p)->flags & (PKT_PSEUDO_STREAM_END|PKT_PSEUDO_DETECTLOG_FLUSH))
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 359c224de9..b781f80bda 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -394,7 +394,10 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 /* Set flag on flow to indicate that it has alerts */
 if (p->flow != NULL && p->alerts.cnt > 0) {
- FlowSetHasAlertsFlag(p->flow);
+ if (!FlowHasAlerts(p->flow)) {
+ FlowSetHasAlertsFlag(p->flow);
+ p->flags |= PKT_FIRST_ALERTS;
+ }
 }
 }
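Review bot: The doc comment on the new PKT_FIRST_ALERTS define in decode.h does not say where the flag is set or that it only applies to packets that belong to a flow, which is what the detect-engine-alert.c hunk of this same commit establishes; a reader of decode.h alone cannot tell that an alerting packet without a flow never carries it. I would extend it to `/** First packet on its flow to carry alerts; set in PacketAlertFinalize, never set on flow-less packets */`. Whether bit 29 of the u32 flags word is otherwise unused cannot be checked from this hunk, so that remains to be confirmed against the surrounding PKT_ defines.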
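Review bot: The new read-then-set of the flow's has-alerts flag in the detect-engine-alert.c hunk is only race-free if the caller already holds the flow lock while PacketAlertFinalize runs, and nothing in the hunk states that assumption; if FlowHasAlerts and FlowSetHasAlertsFlag are plain flag accesses (they appear to be, but their definitions are outside this hunk), two packets of the same flow finalizing concurrently could both end up marked PKT_FIRST_ALERTS. The comment above the block should be updated to record the new behaviour and the locking assumption, e.g. `/* Set flag on flow to indicate that it has alerts; the first packet to do so (flow lock held by caller) is marked PKT_FIRST_ALERTS */`. Note also that the outer condition keeps `p->flow != NULL`, so consumers of PKT_FIRST_ALERTS must not treat its absence as "not the first alert" for flow-less packets. The body of PacketAlertFinalize begins before this hunk.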