From: Steven Baigal (sbaigal) Date: Fri, 2 Sep 2022 20:43:31 +0000 (+0000) Subject: Pull request #3577: netflow: log even when some info is missing X-Git-Tag: 3.1.41.0~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80a9013120460b6a78d215940e448c26dd187920;p=thirdparty%2Fsnort3.git Pull request #3577: netflow: log even when some info is missing Merge in SNORT/snort3 from ~MMATIRKO/snort3:netflow_fixes to master Squashed commit of the following: commit 7bcc8ee0ea2e5fe807751e42ebc4fc21d795a450 Author: Michael Matirko Date: Thu Aug 18 11:45:36 2022 -0400 netflow: log even when not all info is present
---
diff --git a/src/network_inspectors/rna/rna_pnd.cc b/src/network_inspectors/rna/rna_pnd.cc
index 0d5458504..02b23e081 100644
--- a/src/network_inspectors/rna/rna_pnd.cc
+++ b/src/network_inspectors/rna/rna_pnd.cc
@@ -210,16 +210,16 @@ void RnaPnd::analyze_netflow_host(NetFlowEvent* nfe)
 const uint8_t src_mac[6] = {0};
- if ( new_host )
+ if (!nfe->get_create_host() and !nfe->get_create_service())
 {
- if (!nfe->get_create_host() and !nfe->get_create_service())
- {
- uint32_t service = nfe->get_service_id();
- RNAEvent new_flow_event(p, nfe->get_record(), service);
- DataBus::publish(RNA_NEW_NETFLOW_HOST, new_flow_event);
- return;
- }
+ uint32_t service = nfe->get_service_id();
+ RNAEvent new_flow_event(p, nfe->get_record(), service);
+ DataBus::publish(RNA_NEW_NETFLOW_CONN, new_flow_event);
+ return;
+ }
+ if ( new_host )
+ {
 if ( nfe->get_create_host() )
 logger.log(RNA_EVENT_NEW, NEW_HOST, p, &ht, src_ip_ptr, src_mac);
 else
diff --git a/src/pub_sub/rna_events.h b/src/pub_sub/rna_events.h
index 5af57d745..4c706c41a 100644
--- a/src/pub_sub/rna_events.h
+++ b/src/pub_sub/rna_events.h
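Review bot: The new early `return` now runs for every NetFlow record whose create_host and create_service flags are both clear, not only when new_host is set, so known hosts also skip the rest of analyze_netflow_host (its body continues past the hunk) and RNA_NEW_NETFLOW_CONN is published once per such record rather than once per new host. If that is the intent it should be stated at the branch, e.g. `// Records that create neither host nor service are reported as connections only, even for known hosts`, because the publish rate is now driven directly by the untrusted NetFlow stream and subscribers doing per-event work need to expect that. The added condition is also written `if (!nfe->get_create_host() ...)` while the neighbouring lines keep the file's `if ( new_host )` spacing.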
@@ -23,7 +23,7 @@
 #include "framework/data_bus.h"
 #include "service_inspectors/netflow/netflow_record.h"
-#define RNA_NEW_NETFLOW_HOST "network_inspector.rna.new_netflow_host"
+#define RNA_NEW_NETFLOW_CONN "network_inspector.rna.new_netflow_host"
 namespace snort
 {
@@ -51,4 +51,4 @@ private:
 }
-#endif
\ No newline at end of file
+#endif
diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc
index 80df66951..8977f88e2 100644
--- a/src/service_inspectors/netflow/netflow.cc
+++ b/src/service_inspectors/netflow/netflow.cc
@@ -512,9 +512,7 @@ static bool decode_netflow_v9(const unsigned char* data, uint16_t size,
 continue;
 }
- if ( record_status.bytes_sent and record_status.packets_sent and
- record_status.src and record_status.dst and record_status.first and
- record_status.last and record.first_pkt_second <= record.last_pkt_second )
+ if ( record_status.src and record_status.dst )
 {
 if ( record_status.src_tos )
 {
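Review bot: RNA_NEW_NETFLOW_CONN keeps the value "network_inspector.rna.new_netflow_host", so the DataBus key a subscriber has to match no longer says what the identifier says. Either rename the key as well, `#define RNA_NEW_NETFLOW_CONN "network_inspector.rna.new_netflow_conn"`, and update any subscriber that uses the literal string, or document the mismatch on the define with `// key kept as ...new_netflow_host so existing subscribers keep receiving the event` so the next reader does not "fix" the string and silently unsubscribe them. The second hunk of this file only adds the missing newline at end of file.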
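Review bot: Dropping `record.first_pkt_second <= record.last_pkt_second` from the acceptance test means a v9 record with inverted timestamps is now passed on, and a record lacking the first/last, bytes_sent or packets_sent fields is passed on with whatever those members of `record` held before decoding; nothing in the hunk shows them being zeroed. Since this is attacker-controlled network input, the ordering check should survive for records that do carry both timestamps, `if ( record_status.first and record_status.last and record.first_pkt_second > record.last_pkt_second ) continue;` placed before the new condition, and any consumer that computes last minus first needs to treat a missing pair as zero duration rather than subtracting defaults. decode_netflow_v9 starts and ends outside the hunk, so whether `record` is zero-initialised per record cannot be confirmed here.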