[Oisf-devel] [PATCH 1/2] Add transaction id to alert.
Eric Leblond
eric at regit.org
Tue Oct 4 19:38:55 UTC 2011
---
src/decode.h | 1 +
src/detect-engine-alert.c | 15 +++++++++++++++
2 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/src/decode.h b/src/decode.h
index 73f6547..4893308 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -222,6 +222,7 @@ typedef struct PacketAlert_ {
SigIntId order_id; /* Internal num, used for sorting */
uint8_t action; /* Internal num, used for sorting */
uint8_t flags;
+ int tx_id; /* Transaction id */
/** Pointer to smsg this signature matched on, or
* NULL if the sig didn't match on a smsg */
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index bb8b383..7b7c73e 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -22,6 +22,8 @@
#include "detect-engine-threshold.h"
#include "detect-engine-tag.h"
+#include "app-layer-parser.h"
+
#include "decode.h"
#include "flow.h"
@@ -182,6 +184,19 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, u
p->alerts.alerts[i].s = s;
}
+ if (p->flow) {
+ int ret = 0;
+
+ SCMutexLock(&p->flow->m);
+ ret = AppLayerTransactionGetInspectId(p->flow);
+ SCMutexUnlock(&p->flow->m);
+ if (ret == -1) {
+ p->alerts.alerts[i].tx_id = 0;
+ } else {
+ p->alerts.alerts[i].tx_id = ret;
+ }
+ }
+
/* Update the count */
p->alerts.cnt++;
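Review bot: When `p->flow` is NULL, the new block never writes `p->alerts.alerts[i].tx_id`, so a flowless alert carries whatever that slot held before; since the alert slot is filled field by field here rather than zeroed, that is presumably stale data from an earlier packet, which would then be logged as a transaction id. Assign a default unconditionally before the branch, `p->alerts.alerts[i].tx_id = 0;`, and keep the flow path as the only place that overwrites it. Separately, mapping the `-1` return of `AppLayerTransactionGetInspectId()` to `0` makes "no transaction" indistinguishable from a first transaction if the inspect id starts at 0; if that is the case, keeping `-1` in the (signed) field, or recording a flag, would let consumers tell the two apart. Taking `p->flow->m` here is only safe if no caller of PacketAlertAppend already holds the flow lock — worth confirming against the detection engine's call sites, which are outside this hunk, as is the rest of PacketAlertAppend's body.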
--
1.7.6.3