Optimization #2405
closedfiles: Use FileTruncateAllOpenFiles for every app layer protocol
Description
eve-log is able to add a parameter "gaps" for files where suricata saw a reassembly gap. Unfortunately, this flag is set by RUST parsers only.
This optimization involves being able to show this flag also for http/smtp.
To accomplish this result, we need to act on two sides:
1) use the "direction" parameter in StateTruncate handler. This parameter is actually a series of STREAM_* flags. One of the flags set by stream-tcp-reassemble is STREAM_GAP.
2) Add the parameter "flags" to FileTruncateAllOpenFiles function in util-file. "direction" variable will be passed as "flags". If the flag STREAM_GAP is present, we will set the related FILE_HAS_GAPS flag in the flags array of the File * pointer.
There is a caveat. setting the flag FILE_HAS_GAPS will cause the state to be updated to FILE_STATE_TRUNCATED (cfr. util-file.c:FileCloseFilePtr). Ths will cause the file logging to be performed even if the detection has not terminated yet (ex. when gaps happen before the minimal inspect size for buffer is reached). To force the detection phase, we prevent the state update to FILE_STATE_TRUNCATED. It must be noticed that the file->state will be updated anyway inside the logging module (cfr. output-file.c:OutputFileLog and output-filedata.c:OutputFiledataLog).
If anybody has a better idea in how to do it, please shout!
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee set to Maurizio Abba
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to New
- Assignee changed from Maurizio Abba to OISF Dev
Updated by Victor Julien almost 2 years ago
- Subject changed from Use FileTruncateAllOpenFiles for every app layer protocol to files: Use FileTruncateAllOpenFiles for every app layer protocol
- Status changed from New to Closed
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 7.0.0-beta1
This has been done as part of the file-tx work.