From: Victor Julien
Date: Thu, 18 Mar 2021 09:52:44 +0000 (+0100)
Subject: eve/files: log in packet direction only
X-Git-Tag: suricata-7.0.0-beta1~1447
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45dc4cdeece538c6f383b6658deca7dc1e825181;p=thirdparty%2Fsuricata.git
eve/files: log in packet direction only
Bug: #3703. Don't log files too soon.
---
diff --git a/src/output-file.c b/src/output-file.c
index 957a1697dd..30b8e9f3e4 100644
--- a/src/output-file.c
+++ b/src/output-file.c
@@ -168,18 +168,25 @@ static TmEcode OutputFileLog(ThreadVars *tv, Packet *p, void *thread_data)
 SCReturnInt(TM_ECODE_OK);
 }
- const bool file_close_ts = ((p->flags & PKT_PSEUDO_STREAM_END) &&
- (p->flowflags & FLOW_PKT_TOSERVER));
- const bool file_close_tc = ((p->flags & PKT_PSEUDO_STREAM_END) &&
- (p->flowflags & FLOW_PKT_TOCLIENT));
- const bool file_trunc = StreamTcpReassembleDepthReached(p);
-
- FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
- FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
-
- OutputFileLogFfc(tv, op_thread_data, p, ffc_ts, file_close_ts, file_trunc, STREAM_TOSERVER);
- OutputFileLogFfc(tv, op_thread_data, p, ffc_tc, file_close_tc, file_trunc, STREAM_TOCLIENT);
-
+ if (p->proto == IPPROTO_TCP) {
+ const bool file_trunc = StreamTcpReassembleDepthReached(p);
+ if (p->flowflags & FLOW_PKT_TOSERVER) {
+ const bool file_close_ts = ((p->flags & PKT_PSEUDO_STREAM_END));
+ FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
+ OutputFileLogFfc(
+ tv, op_thread_data, p, ffc_ts, file_close_ts, file_trunc, STREAM_TOSERVER);
+ } else {
+ const bool file_close_tc = ((p->flags & PKT_PSEUDO_STREAM_END));
+ FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
+ OutputFileLogFfc(
+ tv, op_thread_data, p, ffc_tc, file_close_tc, file_trunc, STREAM_TOCLIENT);
+ }
+ } else if (p->proto == IPPROTO_UDP) {
+ FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
+ OutputFileLogFfc(tv, op_thread_data, p, ffc_ts, false, false, STREAM_TOSERVER);
+ FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
+ OutputFileLogFfc(tv, op_thread_data, p, ffc_tc, false, false, STREAM_TOCLIENT);
+ }
 return TM_ECODE_OK;
 }
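Review bot: The new `if (p->proto == IPPROTO_TCP) ... else if (p->proto == IPPROTO_UDP)` chain has no final `else`, so a packet of any other protocol now reaches `return TM_ECODE_OK;` without OutputFileLogFfc being called, whereas the removed code called it for both directions unconditionally. Whether such flows can hold a file container is not visible from this hunk, but a file logger should not skip silently; make it explicit with `} else { SCLogDebug("file logging skipped: proto %d", p->proto); }` or a comment stating that only TCP and UDP flows carry files. The inner TCP `else` treats every packet without FLOW_PKT_TOSERVER as to-client, so unless a check outside the hunk guarantees a direction flag, write it as `} else if (p->flowflags & FLOW_PKT_TOCLIENT) {`. A one-line comment above the TCP branch saying why only the packet's own direction is logged would help, and the doubled parentheses in `((p->flags & PKT_PSEUDO_STREAM_END))` can be dropped. OutputFileLog starts before this hunk, so earlier guards are not visible here.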