From: Victor Julien Date: Tue, 10 Dec 2024 09:16:51 +0000 (+0100) Subject: eve/flow: add per flow TCP oob urg data counter X-Git-Tag: suricata-7.0.8~3 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=c4d8790db85164714c92556fbc8e849e9df6355b;p=thirdparty%2Fsuricata.git eve/flow: add per flow TCP oob urg data counter If TCP urgent handling is set to the OOB processing, the number of OOB bytes is tracked for SEQ offset calculations. If this offset is non-zero, add the field to the flow record. Ticket: #7411. (cherry picked from commit 779f9d8ba35c3f9b5abfa327d3a4209861bd2eb8)
---
diff --git a/etc/schema.json b/etc/schema.json
index debdd274da..31e39dbdf9 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -5365,6 +5365,10 @@
 "tc_max_regions": {
 "type": "integer"
 },
+ "tc_urgent_oob_data": {
+ "description": "Number of Out-of-Band bytes sent by server using TCP urgent packets",
+ "type": "integer"
+ },
 "tcp_flags": {
 "type": "string"
 },
@@ -5380,6 +5384,10 @@
 "ts_max_regions": {
 "type": "integer"
 },
+ "ts_urgent_oob_data": {
+ "description": "Number of Out-of-Band bytes sent by client using TCP urgent packets",
+ "type": "integer"
+ },
 "urg": {
 "type": "boolean"
 }
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 487185f2ed..d31b6575e8 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -317,6 +317,11 @@ static void EveFlowLogJSON(OutputJsonThreadCtx *aft, JsonBuilder *jb, Flow *f)
 jb_set_uint(jb, "ts_max_regions", ssn->client.sb.max_regions);
 jb_set_uint(jb, "tc_max_regions", ssn->server.sb.max_regions);
+
+ if (ssn->urg_offset_ts)
+ jb_set_uint(jb, "ts_urgent_oob_data", ssn->urg_offset_ts);
+ if (ssn->urg_offset_tc)
+ jb_set_uint(jb, "tc_urgent_oob_data", ssn->urg_offset_tc);
 }
 /* Close tcp. */
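Review bot: The two new `jb_set_uint` calls in EveFlowLogJSON publish `ssn->urg_offset_ts` / `ssn->urg_offset_tc` under keys named `*_urgent_oob_data`, and nothing at the call site explains why a field named "offset" is logged as a byte count; a one-line comment would spare the next reader a trip into the stream engine, e.g. `/* urg_offset_* accumulates the OOB urgent bytes removed from each direction under the OOB urgent policy and doubles as the SEQ correction, so only a non-zero value is logged */`. Because the keys are written only when the counter is non-zero, a log consumer cannot distinguish "no urgent data seen" from "OOB urgent handling not enabled", which is worth stating in the two schema descriptions if that is the intended contract. From a defender's view the counters are a good addition: urgent-pointer data is a well-known way to desynchronize a stream reassembler, so a non-zero value is a cheap per-flow flag for hunting traffic that deserves a closer look. The `if` bodies are unbraced single statements and may need braces if the project style calls for them. EveFlowLogJSON begins before the hunk and its closing lines run past it.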