Bug #1854
closedunified2: logging of tagged packets not working
Description
Using a simple rule I was unable to get tagged packets to log:
alert tcp any any -> any any (msg:"MY TEST RULE"; content:"START LOGGING"; flow: established; tag: session, 1000, packets; sid: 1; rev: 1;)
For tagged packets, pa-> is always NULL (https://github.com/inliniac/suricata/blob/master/src/alert-unified2-alert.c#L1068) as the PacketAlert returned by PacketAlertGetTag() is always NULL.
The cause is that PacketAlertTagInit() is never called to initialize this structure.
It looks like a quick fix is to just call PacketAlertTagInit(), which does result in tagged packets being logged. However, they are logged with a GID:2 event which is unified1 behaviour, not unified2.
Unified2 logs the tagged packets as a Packet record without a preceding Event record. It uses the event_id, and event_second to associate the packet record with its initiating alert record, which is a better method than the unified2 way.
Updated by Jason Ish over 8 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1.2
Fixed. See https://github.com/inliniac/suricata/pull/2190#issuecomment-240478312
Just the logging of tagged packets has been fixed. The records use for tagged packets have not been changed and should be put into another issue.
Updated by Victor Julien about 8 years ago
- Subject changed from unified2: logging of tagged packets not working (and wrong format) to unified2: logging of tagged packets not working