From 779f9d8ba35c3f9b5abfa327d3a4209861bd2eb8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 10 Dec 2024 10:16:51 +0100
Subject: [PATCH] eve/flow: add per flow TCP oob urg data counter

If TCP urgent handling is set to the OOB processing, the number of OOB bytes is tracked for SEQ offset calculations. If this offset is non-zero, add the field to the flow record.

Ticket: #7411.
---
 etc/schema.json | 8 ++++++++
 src/output-json-flow.c | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/etc/schema.json b/etc/schema.json
index f03e89c3fb..c6ac4d7a41 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -6602,6 +6602,10 @@
 "tc_max_regions": {
 "type": "integer"
 },
+ "tc_urgent_oob_data": {
+ "description": "Number of Out-of-Band bytes sent by server using TCP urgent packets",
+ "type": "integer"
+ },
 "tcp_flags": {
 "type": "string"
 },
@@ -6617,6 +6621,10 @@
 "ts_max_regions": {
 "type": "integer"
 },
+ "ts_urgent_oob_data": {
+ "description": "Number of Out-of-Band bytes sent by client using TCP urgent packets",
+ "type": "integer"
+ },
 "urg": {
 "type": "boolean"
 }
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 051d530fb1..015c72f8c7 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -318,6 +318,11 @@ static void EveFlowLogJSON(OutputJsonThreadCtx *aft, JsonBuilder *jb, Flow *f)
 jb_set_uint(jb, "ts_max_regions", ssn->client.sb.max_regions);
 jb_set_uint(jb, "tc_max_regions", ssn->server.sb.max_regions);
+
+ if (ssn->urg_offset_ts)
+ jb_set_uint(jb, "ts_urgent_oob_data", ssn->urg_offset_ts);
+ if (ssn->urg_offset_tc)
+ jb_set_uint(jb, "tc_urgent_oob_data", ssn->urg_offset_tc);
 }
 /* Close tcp. */
-- 
2.47.2
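Review bot: The two new `jb_set_uint` calls write `ts_urgent_oob_data` and `tc_urgent_oob_data` only when `ssn->urg_offset_ts`/`ssn->urg_offset_tc` is non-zero, and nothing at the call site or in the `description` strings added in the two etc/schema.json hunks says the field is omitted otherwise, so a log consumer cannot distinguish a flow that carried no urgent data from one logged while urgent handling was not in OOB mode (per the commit message the counter is only maintained in that mode). A one-line comment above the first `if`, `/* urg_offset_* is only tracked in OOB urgent mode; logged only when non-zero */`, plus appending "; only present when non-zero" to both schema descriptions would close that gap. Style: the four added `if`/call lines are unbraced single-statement bodies; if the rest of this file braces them, `if (ssn->urg_offset_ts) { jb_set_uint(jb, "ts_urgent_oob_data", ssn->urg_offset_ts); }` keeps it consistent. EveFlowLogJSON starts before the hunk and continues after the `/* Close tcp. */` context line.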