From 582014b60c61f61d0f86de90b2a30fa9de81c2d8 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 11 Mar 2024 14:06:50 +0100
Subject: [PATCH] output: do not use tx id 0 when there is no tx
Ticket: 6846
This led to packet rules logging irrelevant app-layer data
(cherry picked from commit 910f6af54fa37cde1790bbff46162b7dee864bb6)
---
 src/detect-engine-alert.c | 13 +++++++++----
 src/detect.c | 13 ++++++++++++-
 src/detect.h | 3 +++
 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index f9cbed1564..39ce79818c 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -272,7 +272,7 @@ static inline PacketAlert PacketAlertSet(
 pa.s = (Signature *)s;
 pa.flags = alert_flags;
 /* Set tx_id if the frame has it */
- pa.tx_id = (tx_id == UINT64_MAX) ? 0 : tx_id;
+ pa.tx_id = tx_id;
 pa.frame_id = (alert_flags & PACKET_ALERT_FLAG_FRAME) ? det_ctx->frame_id : 0;
 return pa;
 }
@@ -317,10 +317,15 @@ static int AlertQueueSortHelper(const void *a, const void *b)
 {
 const PacketAlert *pa0 = a;
 const PacketAlert *pa1 = b;
- if (pa1->num == pa0->num)
+ if (pa1->num == pa0->num) {
+ if (pa1->tx_id == PACKET_ALERT_NOTX) {
+ return -1;
+ } else if (pa0->tx_id == PACKET_ALERT_NOTX) {
+ return 1;
+ }
 return pa0->tx_id < pa1->tx_id ? 1 : -1;
- else
- return pa0->num > pa1->num ? 1 : -1;
+ }
+ return pa0->num > pa1->num ? 1 : -1;
 }
 /** \internal
diff --git a/src/detect.c b/src/detect.c
index 40b46dde1e..91c31e4f25 100644
--- a/src/detect.c
+++ b/src/detect.c
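Review bot: The context comment `/* Set tx_id if the frame has it */` directly above the changed line no longer matches the code: tx_id is now stored unchanged, so PacketAlert.tx_id carries UINT64_MAX (PACKET_ALERT_NOTX) when the caller has no transaction, where it used to carry 0. Suggest replacing it with `/* stored as-is; callers pass PACKET_ALERT_NOTX when the alert is not tied to a tx */`. Any consumer of PacketAlert.tx_id that still treats 0 as "no transaction" would now read the sentinel as a real id, so the readers outside this hunk are worth checking against PACKET_ALERT_FLAG_TX rather than the id value. PacketAlertSet begins before the hunk.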
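Review bot: In the new equal-num branch of AlertQueueSortHelper, two alerts that both have tx_id == PACKET_ALERT_NOTX make the comparator return -1 for either argument order, because the pa1 check fires before pa0 is examined; the pre-existing `pa0->tx_id < pa1->tx_id ? 1 : -1` has the same asymmetry for equal real tx ids. qsort expects a consistent ordering, and an inconsistent comparator can yield an argument-order-dependent result. Adding `if (pa0->tx_id == pa1->tx_id) return 0;` as the first statement inside `if (pa1->num == pa0->num) {` covers both cases; if returning 0 is avoided on purpose, a comment stating why would help the next reader.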
@@ -813,7 +813,18 @@ static inline void DetectRulePacketRules(
 #endif
 DetectRunPostMatch(tv, det_ctx, p, s);
- AlertQueueAppend(det_ctx, s, p, 0, alert_flags);
+ uint64_t txid = PACKET_ALERT_NOTX;
+ if ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
+ (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
+ // if there is a stream match (TCP), or
+ // a UDP specific app-layer signature,
+ // try to use the last tx
+ if (pflow->alstate) {
+ txid = AppLayerParserGetTxCnt(pflow, pflow->alstate) - 1;
+ alert_flags |= PACKET_ALERT_FLAG_TX;
+ }
+ }
+ AlertQueueAppend(det_ctx, s, p, txid, alert_flags);
 next:
 DetectVarProcessList(det_ctx, pflow, p);
 DetectReplaceFree(det_ctx);
diff --git a/src/detect.h b/src/detect.h
index 587a29c39d..145e20d3cd 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -49,6 +49,9 @@
 * classtype. */
 #define DETECT_DEFAULT_PRIO 3
+// tx_id value to use when there is no transaction
+#define PACKET_ALERT_NOTX UINT64_MAX
+
 /* forward declarations for the structures from detect-engine-sigorder.h */
 struct SCSigOrderFunc_;
 struct SCSigSignatureWrapper_;
-- 
2.47.2
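Review bot: `txid = AppLayerParserGetTxCnt(pflow, pflow->alstate) - 1;` wraps to UINT64_MAX when an alstate exists but holds no transaction yet, which is exactly PACKET_ALERT_NOTX, yet the next line still sets PACKET_ALERT_FLAG_TX; the alert then claims a transaction while carrying the no-tx sentinel, and an output module trusting the flag would look up a nonexistent tx. Testing the count before subtracting keeps the flag and the id consistent. I cannot tell from this hunk whether pflow is guaranteed non-NULL whenever s->alproto != ALPROTO_UNKNOWN; if a packet rule can run on a flow-less packet, `pflow->proto` and `pflow->alstate` need a NULL check before this condition. DetectRulePacketRules starts and ends outside the hunk.
```c
            // … unchanged: txid initialisation and the stream-match / UDP condition …
                if (pflow->alstate) {
                    uint64_t txcnt = AppLayerParserGetTxCnt(pflow, pflow->alstate);
                    // no tx yet: keep PACKET_ALERT_NOTX and leave PACKET_ALERT_FLAG_TX clear
                    if (txcnt > 0) {
                        txid = txcnt - 1;
                        alert_flags |= PACKET_ALERT_FLAG_TX;
                    }
                }
```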
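Review bot: The comment on the new PACKET_ALERT_NOTX define says when the value is produced but not how a reader of PacketAlert.tx_id should treat it, and since PacketAlertSet now stores tx_id verbatim, code comparing against 0 (the previous substitute) would mistake this sentinel for a real id. Suggest `// tx_id value to use when there is no transaction; readers should check PACKET_ALERT_FLAG_TX before using PacketAlert.tx_id` — the flag relationship is inferred from the detect.c hunk, where the flag is only set alongside a real id, so confirm it holds for the other callers. The define also relies on UINT64_MAX being in scope in detect.h, presumably via an existing <stdint.h> include.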