From: Victor Julien
Date: Mon, 17 Mar 2025 08:13:08 +0000 (+0100)
Subject: eve/alert: log ts_progress/tc_progress
X-Git-Tag: suricata-8.0.0-beta1~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c8a55de54bf7399d973e0b9f4c30a119ad9dc40;p=thirdparty%2Fsuricata.git

eve/alert: log ts_progress/tc_progress

This is mostly to help with debugging firewall rules, but can be useful in other places.
---
diff --git a/etc/schema.json b/etc/schema.json
index ef554f917e..3f7385c008 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -66,6 +66,12 @@
 "payload": {
 "type": "string"
 },
+ "ts_progress": {
+ "type": "string"
+ },
+ "tc_progress": {
+ "type": "string"
+ },
 "payload_length": {
 "type": "integer"
 },
@@ -6198,7 +6204,7 @@
 "type": "object",
 "error": {
 "description":
- "Consolidated stats on how many times app-layer error exception policy was applied, and which one",
+ "Consolidated stats on how many times app-layer error exception policy was applied, and which one",
 "$ref": "#/$defs/exceptionPolicy"
 }
 },
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 232e6174c2..d5ad6f30b1 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -323,6 +323,14 @@ static void AlertAddAppLayer(
 if (state) {
 void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
 if (tx) {
+ const int ts =
+ AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
+ const int tc =
+ AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
+ SCJbSetString(jb, "ts_progress",
+ AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
+ SCJbSetString(jb, "tc_progress",
+ AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
 SCJbGetMark(jb, &mark);
 switch (proto) {
 // first check some protocols need special options for alerts logging
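Review bot: The two new `ts_progress` and `tc_progress` properties in the -66 hunk carry no `description`, while other entries in this schema do (see the `description` on the `error` object in the -6204 hunk); a reader of the schema has no way to tell what "ts"/"tc" mean. From the C side the values are the name of the transaction's app-layer progress state per direction, so something like `"description": "Name of the app-layer transaction progress state in the to-server direction"` on `ts_progress`, and the to-client equivalent on `tc_progress`, would document them.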
@@ -345,6 +353,20 @@ static void AlertAddAppLayer(
 }
 return;
 }
+ void *state = FlowGetAppState(p->flow);
+ if (state) {
+ void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
+ if (tx) {
+ const int ts =
+ AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
+ const int tc =
+ AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
+ SCJbSetString(jb, "ts_progress",
+ AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
+ SCJbSetString(jb, "tc_progress",
+ AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
+ }
+ }
 switch (proto) {
 case ALPROTO_HTTP1:
 // TODO: Could result in an empty http object being logged.
@@ -409,7 +431,6 @@ static void AlertAddAppLayer(
 }
 break;
 case ALPROTO_DCERPC: {
- void *state = FlowGetAppState(p->flow);
 if (state) {
 void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
 if (tx) {