From: Victor Julien Date: Fri, 6 Dec 2024 13:11:38 +0000 (+0100) Subject: eve/frame: run logging for flow end packets X-Git-Tag: suricata-8.0.0-beta1~643 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95ac92f9aa5fe86428f407d88b5e3325f7edc376;p=thirdparty%2Fsuricata.git eve/frame: run logging for flow end packets If there are frames in the flow the flow manager will create flow timeout packets to log the remaining frames. This requires the logger to run for those flow timeout packets. Ticket: #7440.
---
diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index 41c5283294..6a3cf768a4 100644
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -408,9 +408,11 @@ static bool JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packe
 if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
 if (p->proto == IPPROTO_TCP) {
- if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
+ if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TS_APP_UPDATED)) &&
+ PKT_IS_TOSERVER(p)) {
 // fallthrough
- } else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
+ } else if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TC_APP_UPDATED)) &&
+ PKT_IS_TOCLIENT(p)) {
 // fallthrough
 } else {
 return false;
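Review bot: The new `PKT_IS_PSEUDOPKT(p)` bypass in both TCP branches carries no comment explaining why a pseudo packet may skip the `FLOW_TS_APP_UPDATED` / `FLOW_TC_APP_UPDATED` check, and the only marker left in the empty branches is `// fallthrough`, which reads like a switch-case fallthrough rather than "continue to the logger". I would add above the first branch something like `/* flow end pseudo packets may not have the app update flag set; let them through so remaining frames are still logged */`. The commit message speaks only of flow timeout packets, while the macro is defined outside this hunk and may match other pseudo packet kinds as well, so it is worth confirming that running the frame logger for those cannot emit the same frame record twice. JsonFrameLogCondition starts and ends outside the hunk, so the earlier `p->flow` checks are not visible here.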