From: Philippe Antoine Date: Thu, 22 Feb 2024 08:42:41 +0000 (+0100) Subject: output: log tx only when there is a fresh app update X-Git-Tag: suricata-8.0.0-beta1~1702 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c41540f8391b44bf4d91d32641cc608ebfecb19c;p=thirdparty%2Fsuricata.git output: log tx only when there is a fresh app update Ticket: 6796 Similar to commit for detection 9240ae250cc369306803740279df2ab3eca6b54a We only have more logging to do if the app update was fresh, ie if p->app_update_direction != 0 If we have data acknowledged in one direction, and then many packets in the other direction, the APP_UPDATED flow flags did not get reset because we did not run detection yet in this direction, but there is nothing more to do after the first packet in the other direction. --- diff --git a/src/output-tx.c b/src/output-tx.c index 751d538982..7585d37a55 100644 --- a/src/output-tx.c +++ b/src/output-tx.c @@ -337,7 +337,9 @@ static TmEcode OutputTxLog(ThreadVars *tv, Packet *p, void *thread_data) DEBUG_VALIDATE_BUG_ON(thread_data == NULL); if (p->flow == NULL) return TM_ECODE_OK; - if (!((PKT_IS_PSEUDOPKT(p)) || p->flow->flags & (FLOW_TS_APP_UPDATED | FLOW_TC_APP_UPDATED))) { + if (!PKT_IS_PSEUDOPKT(p) && p->app_update_direction == 0 && + ((PKT_IS_TOSERVER(p) && (p->flow->flags & FLOW_TS_APP_UPDATED) == 0) || + (PKT_IS_TOCLIENT(p) && (p->flow->flags & FLOW_TC_APP_UPDATED) == 0))) { SCLogDebug("not pseudo, no app update: skip"); return TM_ECODE_OK; }
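Review bot: the new condition in OutputTxLog does not quite match the commit message. The message says there is more logging to do only "if the app update was fresh, ie if p->app_update_direction != 0", but the replacement `if` still falls through to logging when `p->app_update_direction == 0` as long as the APP_UPDATED flag for the packet's own direction (FLOW_TS_APP_UPDATED for TOSERVER, FLOW_TC_APP_UPDATED for TOCLIENT) is still set. Since the message describes exactly those not-yet-reset flags as the cause of the redundant work, either the message should state that a still-set same-direction flag is deliberately kept as a logging trigger, or a short code comment above the condition should explain why that fallback is needed (e.g. when detection has not yet run in this direction to clear it). Two smaller points on the same hunk: the `SCLogDebug("not pseudo, no app update: skip")` text now under-describes the check, since the skip is really "no fresh update and no pending update in this packet's direction"; and the three-clause `!A && B && ((C && D) || (E && F))` form is hard to read, so a one-line comment stating the intended rule ("skip unless this packet carries or still owes an app-layer update in its direction") would help reviewers and future readers.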