From: Victor Julien Date: Wed, 11 Dec 2024 11:04:34 +0000 (+0100) Subject: detect: re-add app-layer to alerts on stream matches X-Git-Tag: suricata-7.0.8~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b025fe283da0f8f98fb0d35b2d837c79d0dbe35c;p=thirdparty%2Fsuricata.git detect: re-add app-layer to alerts on stream matches The `guess-applayer-tx` work also removed the stream match condition for adding app-layer metadata to alerts. This is a behavior change that is not desired at this point, so this commit reverts that part of the changes. We keep the existing logging of app-layer metadata if the match was in the stream. --- diff --git a/src/detect.c b/src/detect.c index f3cf0e0ba3..82aaafcb94 100644 --- a/src/detect.c +++ b/src/detect.c @@ -822,6 +822,7 @@ static inline void DetectRulePacketRules( uint8_t dir = (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER; txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir); if ((s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) || + (alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) || (de_ctx->guess_applayer && AppLayerParserGetTxCnt(pflow, pflow->alstate) == txid + 1)) { // if there is a UDP specific app-layer signature,
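Review bot: The trailing comment `// if there is a UDP specific app-layer signature,` now documents only the first of three branches of the condition; with the added `(alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||` the comment should also state that a stream match attaches app-layer metadata to the alert regardless of `guess_applayer`, since that is the behavior this commit deliberately restores and a later reader of the condition will otherwise assume the stream branch was an oversight. Note as well that in the stream-match branch the `txid` obtained from `AppLayerParserGetTransactionInspectId(pflow->alparser, dir)` is used without the `GetTxCnt == txid + 1` guard that the `guess_applayer` branch applies, so the commit message's claim that this matches the pre-`guess-applayer-tx` behavior is what justifies it; a regression test covering an alert on a stream match with `guess-applayer-tx` disabled would pin that down.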