Bug #7449
open
app-layer metadata does not get logged for stream rules and unidirectional protocols
Added by Juliana Fajardini Reichow 17 days ago.
Updated 8 days ago.
Description
As brought up to me by Philippe, even though #7018 was merged, its related tests are failing on master.
Investigate the case, and find a fix.
(Subject probably to be reworded later on)
- Status changed from New to In Review
- Assignee changed from Juliana Fajardini Reichow to Philippe Antoine
Changing assignee as Philippe took this one up.
- Related to Bug #7199: detect: missing app-layer metadata in alerts added
- Blocks Task #7461: suricata-verify: pass all tests added
- Subject changed from investigate: dns raw stream reassembly tests fail on master to app-layer metadata does not get logged for stream rules and unidirectional protocols
App-layer metadata does not get logged for stream rules and unidirectional protocols:
This was highlighted by SV tests 7018... But they were skipped on master due to DNS V3 logging.
The problematic sequence is (seen only in IDS mode):
1. request arrives - buffered due to not being ACKed
2. response arrives, ACKs request - request is now parsed, response isn't
3. ACK for response, response parsed. Then detect runs for request, generates alert. We now have 2 txs. txid will be 0 from AppLayerParserGetTransactionInspectId
But txid 1 is unidirectional in the other way, so we can use txid 0 metadata for logging.
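
An added illustration of the sequence in the comment above, not code from Suricata or from anyone on this issue: a toy C model in which data is parsed only once the peer ACKs it and each parsed message becomes its own unidirectional transaction. All names (struct flow, ack_from, data_from, tx_for_stream_alert, replay_sequence) are hypothetical, and the selection rule is an assumed reading of the comment's last line.

```c
#include <stdio.h>
/* Toy model, not Suricata code; every name here is hypothetical.
 * Each parsed message becomes its own unidirectional transaction (tx). */
enum { TOSERVER = 0, TOCLIENT = 1, MAX_TX = 8 };
struct flow {
    int pending[2];      /* messages buffered (not yet ACKed), per direction */
    int tx_dir[MAX_TX];  /* direction of each parsed tx, indexed by txid */
    int tx_count;
    int inspect_id[2];   /* first tx not yet inspected, per direction */
};

/* IDS mode: data is parsed only once the opposite side has ACKed it. */
static void ack_from(struct flow *f, int acker) {
    int dir = !acker;
    while (f->pending[dir] > 0 && f->tx_count < MAX_TX) {
        f->tx_dir[f->tx_count++] = dir;
        f->pending[dir]--;
    }
}

/* A data segment also ACKs whatever the peer sent before it. */
static void data_from(struct flow *f, int sender) {
    ack_from(f, sender);
    f->pending[sender]++;
}

/* Assumed rule: a stream alert in `dir` may carry the metadata of the tx at
 * the inspect id if every later tx is unidirectional the other way; else -1. */
static int tx_for_stream_alert(const struct flow *f, int dir) {
    int id = f->inspect_id[dir];
    if (id >= f->tx_count || f->tx_dir[id] != dir) return -1;
    for (int i = id + 1; i < f->tx_count; i++)
        if (f->tx_dir[i] == dir) return -1;
    return id;
}

/* Replays steps 1-3 and returns the tx chosen for the request-side alert. */
static int replay_sequence(struct flow *f) {
    data_from(f, TOSERVER);  /* 1. request buffered, nothing parsed yet */
    data_from(f, TOCLIENT);  /* 2. response ACKs request: tx 0 parsed */
    ack_from(f, TOSERVER);   /* 3. ACK for response: tx 1 parsed */
    return tx_for_stream_alert(f, TOSERVER);
}

int main(void) {
    struct flow f = {0};
    printf("alert uses tx %d\n", replay_sequence(&f));
    return 0;
}
```

In this model, a second request parsed before detect runs makes the choice ambiguous and the function returns -1.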