Don't always loop over each alert, but only do so if context was used.
/** Flag to indicate that packet contents should not be inspected */
#define PKT_NOPAYLOAD_INSPECTION BIT_U32(2)
-// vacancy
+
+/** set if PacketAlerts may contain json context data */
+#define PKT_ALERT_CTX_USED BIT_U32(3)
/** Packet has matched a tag */
#define PKT_HAS_TAG BIT_U32(4)
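Review bot: The comment on `PKT_ALERT_CTX_USED` does not say who sets the flag or who reads it, and that pairing is the only thing that keeps the skipped cleanup in the packet-reset hunk safe. I would expand it to `/** Set at alert finalization when alerts may carry json context data; read at packet reset to decide whether the alerts must be recycled */`. It is also worth stating here that any other code attaching context data to an alert has to set the flag too.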
if (det_ctx->alert_queue_size > 0) {
PacketAlertFinalizeProcessQueue(de_ctx, det_ctx, p);
+ if (det_ctx->json_content_len)
+ p->flags |= PKT_ALERT_CTX_USED;
}
/* At this point, we should have all the new alerts. Now check the tag
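Review bot: The flag is derived from `det_ctx->json_content_len`, which is per-thread detection state, rather than from the alerts actually stored on the packet, and it is only evaluated inside the `alert_queue_size > 0` branch. The hunk does not show whether that counter is reset per packet or whether it is non-zero in every case where a stored alert ends up owning context data. If it can under-report, the reset path will skip recycling and the context data is leaked or left in the slot for the next packet. A comment would record the invariant: `/* json_content_len != 0 means a queued alert may own context data; packet reset relies on this flag to skip PacketAlertRecycle() */`. The enclosing function starts and ends outside the hunk.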
p->app_update_direction = 0;
p->sig_mask = 0;
p->pkt_hooks = 0;
+ const uint32_t pflags = p->flags;
p->flags = 0;
p->flowflags = 0;
p->pkt_src = 0;
p->alerts.suppressed = 0;
p->alerts.drop.action = 0;
if (p->alerts.cnt > 0) {
- PacketAlertRecycle(p->alerts.alerts, p->alerts.cnt);
+ if (pflags & PKT_ALERT_CTX_USED)
+ PacketAlertRecycle(p->alerts.alerts, p->alerts.cnt);
p->alerts.cnt = 0;
}
p->pcap_cnt = 0;
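Review bot: `PacketAlertRecycle()` is now skipped whenever `PKT_ALERT_CTX_USED` is clear, while `p->alerts.cnt` is still zeroed, so an alert slot that holds context data without the flag is never released and is reused as-is. The only setter visible on this page is the finalize path, so alerts added to `p->alerts` by any other route would depend on this assumption silently. I would add a debug-build check on the skipped branch that walks the alerts and asserts none of them still holds context data, so a missed setter fails in testing instead of leaking in production. A comment above the test would also help: `/* only alerts with json context own memory that must be released */`. The enclosing function starts and ends outside the hunk.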