Bug #1854: unified2: logging of tagged packets not working

Added by Jason Ish almost 10 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal

Description

Using a simple rule I was unable to get tagged packets to log:

alert tcp any any -> any any (msg:"MY TEST RULE"; content:"START LOGGING"; flow: established; tag: session, 1000, packets; sid: 1; rev: 1;)

For tagged packets, pa-> is always NULL (https://github.com/inliniac/suricata/blob/master/src/alert-unified2-alert.c#L1068) as the PacketAlert returned by PacketAlertGetTag() is always NULL.

The cause is that PacketAlertTagInit() is never called to initialize this structure.

It looks like a quick fix is to just call PacketAlertTagInit(), which does result in tagged packets being logged. However, they are logged with a GID:2 event which is unified1 behaviour, not unified2.

Unified2 logs the tagged packets as a Packet record without a preceding Event record. It uses the event_id and event_second to associate the packet record with its initiating alert record, which is a better method than the unified2 way.
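One way to consume records written that way, as an added example that is not Suricata's own code: a small Python reader that walks a constructed unified2 byte stream and attaches Packet records to their alert by (event_id, event_second) rather than by adjacency, so a tagged packet logged with no preceding Event record still resolves to the alert that started the tag. The layouts are the standard unified2 IDS event (type 7) and packet (type 2) structures; all sample values and the packet payloads are constructed.

```python
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2  # standard unified2 record type ids
UNIFIED2_IDS_EVENT = 7
HEADER = struct.Struct("!II")  # record type, record length (network order)
# type 7 (52 bytes): sensor_id, event_id, event_second, event_usec, sig_id, gen_id,
# sig_rev, class_id, priority, src_ip, dst_ip, sport, dport, proto, impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# type 2: sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, pkt_len, then data
PACKET = struct.Struct("!IIIIIII")

def iter_records(blob):
    """Yield (type, body) for each record in a unified2 byte stream."""
    off = 0
    while off + HEADER.size <= len(blob):
        rtype, rlen = HEADER.unpack_from(blob, off)
        off += HEADER.size
        yield rtype, blob[off:off + rlen]
        off += rlen

def correlate(blob):
    """Attach Packet records to alerts by (event_id, event_second) rather than adjacency,
    so a tagged packet with no preceding Event still resolves; unmatched ones are orphans."""
    events = defaultdict(lambda: {"event": None, "packets": []})
    orphans = []
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack_from(body)
            events[(f[1], f[2])]["event"] = {"sid": f[4], "gid": f[5], "rev": f[6]}
        elif rtype == UNIFIED2_PACKET:
            f = PACKET.unpack_from(body)
            key, data = (f[1], f[2]), body[PACKET.size:PACKET.size + f[6]]
            if key in events:
                events[key]["packets"].append(data)
            else:
                orphans.append((key, data))
    return dict(events), orphans

def build_sample():
    """Constructed stream: an alert event plus its packet, a tagged packet that shares
    the alert's id/second with no Event record of its own, and a packet whose event was never logged."""
    def rec(rtype, body):
        return HEADER.pack(rtype, len(body)) + body
    def pkt(event_id, sec, data):
        return PACKET.pack(0, event_id, sec, sec, 0, 1, len(data)) + data
    ev = IDS_EVENT.pack(0, 1, 1000, 0, 1, 1, 1, 0, 0, 0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return (rec(UNIFIED2_IDS_EVENT, ev) + rec(UNIFIED2_PACKET, pkt(1, 1000, b"START LOGGING"))
            + rec(UNIFIED2_PACKET, pkt(1, 1000, b"tagged-1"))
            + rec(UNIFIED2_PACKET, pkt(99, 1000, b"orphan")))
```

Orphans are worth surfacing in a real reader: a Packet record whose (event_id, event_second) never matches an Event is exactly the symptom of a writer that emitted packets without their initiating alert.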

#1 Updated by Jason Ish over 9 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.1.2

Fixed. See https://github.com/inliniac/suricata/pull/2190#issuecomment-240478312

Just the logging of tagged packets has been fixed. The records used for tagged packets have not been changed and should be put into another issue.

#2 Updated by Victor Julien over 9 years ago

  • Subject changed from unified2: logging of tagged packets not working (and wrong format) to unified2: logging of tagged packets not working