Feature #904
closedstore tx id when generating an alert
Description
The output modules have no way of knowing which TX generated an alert currently. The detection engine has this information available, but that can't be accessed by outputs.
It's probably enough to add a tx_id field to the PacketAlert struct, plus a flag to it's flag field to indicate the TX id field is used. The outputs can then use this info.
A use case is this XFF patch: https://github.com/inliniac/suricata/pull/241/files#pullrequestreviewcomment-3095686, it retrieves the XFF field from the TX, but this needs to be the XFF field from the correct TX.
When implemented, please also add the TX id to the output of alert-debug.log.
Updated by Anoop Saldanha over 10 years ago
What if multiple txs generated alerts?
Updated by Anoop Saldanha over 10 years ago
Nevermind. The id would have to be stored per alert instance and not per packet.
Updated by Victor Julien over 10 years ago
- Assignee changed from Anoop Saldanha to Victor Julien
Updated by Victor Julien over 10 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Merged through https://github.com/inliniac/suricata/pull/577