eve/alert: log ts_progress/tc_progress

This is mostly to help with debugging firewall rules, but can be useful in other places.
5 months ago · 7c8a55de54
parent 6f5fd77cb9
commit 7c8a55de54
2 changed files with 29 additions and 2 deletions
--- a/etc/schema.json
+++ b/etc/schema.json
@ -66,6 +66,12 @@
        "payload": {
            "type": "string"
        },
+        "ts_progress": {
+            "type": "string"
+        },
+        "tc_progress": {
+            "type": "string"
+        },
        "payload_length": {
            "type": "integer"
        },
@ -6198,7 +6204,7 @@
                            "type": "object",
                            "error": {
                                "description":
-                                    "Consolidated stats on how many times app-layer error exception policy was applied, and which one",
+                                        "Consolidated stats on how many times app-layer error exception policy was applied, and which one",
                                "$ref": "#/$defs/exceptionPolicy"
                            }
                        },
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -323,6 +323,14 @@ static void AlertAddAppLayer(
        if (state) {
            void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
            if (tx) {
+                const int ts =
+                        AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
+                const int tc =
+                        AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
+                SCJbSetString(jb, "ts_progress",
+                        AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
+                SCJbSetString(jb, "tc_progress",
+                        AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
                SCJbGetMark(jb, &mark);
                switch (proto) {
                    // first check some protocols need special options for alerts logging
@ -345,6 +353,20 @@ static void AlertAddAppLayer(
        }
        return;
    }
+    void *state = FlowGetAppState(p->flow);
+    if (state) {
+        void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
+        if (tx) {
+            const int ts =
+                    AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOSERVER);
+            const int tc =
+                    AppLayerParserGetStateProgress(p->flow->proto, proto, tx, STREAM_TOCLIENT);
+            SCJbSetString(jb, "ts_progress",
+                    AppLayerParserGetStateNameById(p->flow->proto, proto, ts, STREAM_TOSERVER));
+            SCJbSetString(jb, "tc_progress",
+                    AppLayerParserGetStateNameById(p->flow->proto, proto, tc, STREAM_TOCLIENT));
+        }
+    }
    switch (proto) {
        case ALPROTO_HTTP1:
            // TODO: Could result in an empty http object being logged.
@ -409,7 +431,6 @@ static void AlertAddAppLayer(
            }
            break;
        case ALPROTO_DCERPC: {
-            void *state = FlowGetAppState(p->flow);
            if (state) {
                void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
                if (tx) {