From: Victor Julien
Date: Tue, 10 Dec 2024 09:16:51 +0000 (+0100)
Subject: eve/flow: add per flow TCP oob urg data counter
X-Git-Tag: suricata-8.0.0-beta1~637
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=779f9d8ba35c3f9b5abfa327d3a4209861bd2eb8;p=thirdparty%2Fsuricata.git

eve/flow: add per flow TCP oob urg data counter

If TCP urgent handling is set to the OOB processing, the number of OOB bytes is tracked for SEQ offset calculations. If this offset is non-zero, add the field to the flow record.

Ticket: #7411.
---
diff --git a/etc/schema.json b/etc/schema.json
index f03e89c3fb..c6ac4d7a41 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -6602,6 +6602,10 @@
 "tc_max_regions": {
 "type": "integer"
 },
+ "tc_urgent_oob_data": {
+ "description": "Number of Out-of-Band bytes sent by server using TCP urgent packets",
+ "type": "integer"
+ },
 "tcp_flags": {
 "type": "string"
 },
@@ -6617,6 +6621,10 @@
 "ts_max_regions": {
 "type": "integer"
 },
+ "ts_urgent_oob_data": {
+ "description": "Number of Out-of-Band bytes sent by client using TCP urgent packets",
+ "type": "integer"
+ },
 "urg": {
 "type": "boolean"
 }
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 051d530fb1..015c72f8c7 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -318,6 +318,11 @@ static void EveFlowLogJSON(OutputJsonThreadCtx *aft, JsonBuilder *jb, Flow *f)
 jb_set_uint(jb, "ts_max_regions", ssn->client.sb.max_regions);
 jb_set_uint(jb, "tc_max_regions", ssn->server.sb.max_regions);
+
+ if (ssn->urg_offset_ts)
+ jb_set_uint(jb, "ts_urgent_oob_data", ssn->urg_offset_ts);
+ if (ssn->urg_offset_tc)
+ jb_set_uint(jb, "tc_urgent_oob_data", ssn->urg_offset_tc);
 }
 /* Close tcp. */