From: Philippe Antoine
Date: Mon, 2 Dec 2024 10:00:31 +0000 (+0100)
Subject: detect: rename stream_log variables
X-Git-Tag: suricata-8.0.0-beta1~652
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f426ee3ee2c97e99102ab9b3b16eca7bfa163c00;p=thirdparty%2Fsuricata.git
detect: rename stream_log variables to better reflect their true meaning
---
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index b6488b09f1..c68d14f401 100644
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -695,7 +695,7 @@ meaning it will repeat its actions over and over again. With the option inspection-recursion-limit you can limit this action. The stream-tx-log-limit defines the maximum number of times a
-transaction will get logged for a stream-only rule match.
+transaction will get logged for rules without app-layer keywords.
 This is meant to avoid logging the same data an arbitrary number of times.
diff --git a/rust/src/applayer.rs b/rust/src/applayer.rs
index 4535e563aa..4b78695326 100644
--- a/rust/src/applayer.rs
+++ b/rust/src/applayer.rs
@@ -120,8 +120,9 @@ pub struct AppLayerTxData {
 /// STREAM_TOCLIENT: file tx , files only in toclient dir
 /// STREAM_TOSERVER|STREAM_TOCLIENT: files possible in both dirs
 pub file_tx: u8,
- /// Number of times this tx data has already been logged for one stream match
- pub stream_logged: u8,
+ /// Number of times this tx data has already been logged for signatures
+ /// not using application layer keywords
+ pub guessed_applayer_logged: u8,
 /// detection engine flags for use by detection engine
 detect_flags_ts: u64,
@@ -160,7 +161,7 @@ impl AppLayerTxData {
 files_stored: 0,
 file_flags: 0,
 file_tx: 0,
- stream_logged: 0,
+ guessed_applayer_logged: 0,
 updated_tc: true,
 updated_ts: true,
 detect_flags_ts: 0,
@@ -185,7 +186,7 @@ impl AppLayerTxData {
 files_stored: 0,
 file_flags: 0,
 file_tx: 0,
- stream_logged: 0,
+ guessed_applayer_logged: 0,
 updated_tc,
 updated_ts,
 detect_flags_ts,
diff --git a/src/detect-engine.c b/src/detect-engine.c
index f923ab81f6..8c440dff61 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2931,10 +2931,10 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
 de_ctx->inspection_recursion_limit);
 // default value is 4
- de_ctx->stream_tx_log_limit = 4;
+ de_ctx->guess_applayer_log_limit = 4;
 if (ConfGetInt("detect.stream-tx-log-limit", &value) == 1) {
 if (value >= 0 && value <= UINT8_MAX) {
- de_ctx->stream_tx_log_limit = (uint8_t)value;
+ de_ctx->guess_applayer_log_limit = (uint8_t)value;
 } else {
 SCLogWarning("Invalid value for detect-engine.stream-tx-log-limit: must be between 0 "
 "and 255, will default to 4");
diff --git a/src/detect.c b/src/detect.c
index 66770500e2..f00d02af48 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -827,12 +827,12 @@ static inline void DetectRulePacketRules(
 AppLayerTxData *txd = tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr) : NULL;
- if (txd && txd->stream_logged < de_ctx->stream_tx_log_limit) {
+ if (txd && txd->guessed_applayer_logged < de_ctx->guess_applayer_log_limit) {
 alert_flags |= PACKET_ALERT_FLAG_TX;
 if (pflow->proto != IPPROTO_UDP) {
 alert_flags |= PACKET_ALERT_FLAG_TX_GUESSED;
 }
- txd->stream_logged++;
+ txd->guessed_applayer_logged++;
 }
 }
 }
diff --git a/src/detect.h b/src/detect.h
index c8bdafdcaa..4e31c5fe02 100644
--- a/src/detect.h
+++ b/src/detect.h
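Review bot: The warning in the `else` branch of the detect-engine.c hunk names a key path, `detect-engine.stream-tx-log-limit`, that differs from the one ConfGetInt reads two lines above, `detect.stream-tx-log-limit`, so an operator who sets an out-of-range value is pointed at a key that is not the one being read. This line is context here, but since the hunk already rewrites the two assignments around it I would fix it in the same commit: `SCLogWarning("Invalid value for detect.stream-tx-log-limit: must be between 0 "`. After the rename the field `guess_applayer_log_limit` no longer shares a name with the config key it is loaded from, which is fine for configuration compatibility but makes that key string the only link between the two; keeping the warning text exact matters more for that reason. DetectEngineCtxLoadConf starts and ends outside the hunk.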
@@ -886,8 +886,8 @@ typedef struct DetectEngineCtx_ {
 /* maximum recursion depth for content inspection */
 int inspection_recursion_limit;
- /* maximum number of times a tx will get logged for a stream-only rule match */
- uint8_t stream_tx_log_limit;
+ /* maximum number of times a tx will get logged for rules not using app-layer keywords */
+ uint8_t guess_applayer_log_limit;
 /* force app-layer tx finding for alerts with signatures not having app-layer keywords */
 bool guess_applayer;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 0a1ae54cc4..672429e403 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1700,7 +1700,7 @@ detect:
 toserver-groups: 25
 sgh-mpm-context: auto
 inspection-recursion-limit: 3000
- # maximum number of times a tx will get logged for a stream-only rule match
+ # maximum number of times a tx will get logged for rules without app-layer keywords
 # stream-tx-log-limit: 4
 # try to tie an app-layer transaction for rules without app-layer keywords
 # if there is only one live transaction for the flow
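Review bot: The new comment on `guess_applayer_log_limit` in the detect.h hunk does not say where the value comes from, and after this rename the field name no longer matches the `detect.stream-tx-log-limit` key that DetectEngineCtxLoadConf reads in detect-engine.c, so someone grepping the config key or the yaml comment will not land on this field. I would extend the comment to name the source: `/* maximum number of times a tx will get logged for rules not using app-layer keywords; loaded from detect.stream-tx-log-limit */`. The neighbouring `guess_applayer` comment already follows this "what it controls" style, so the addition stays consistent with it. The DetectEngineCtx_ struct starts and ends outside the hunk.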