eve/drop: don't log drops unless packet is dropped

In pass/drop combinations where the pass rule took precendence over the drop, a "drop" false positive could still be logged due to the storing of the drop record in the packet drop alert store. Bug: #5867. (cherry picked from commit 09348564f0)
3 years ago · 517132b6ad
parent 7838fc8b82
commit 517132b6ad
1 changed files with 5 additions and 3 deletions
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@ -357,6 +357,10 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
        return FALSE;
    }

+    if (!PACKET_TEST_ACTION(p, ACTION_DROP)) {
+        return FALSE;
+    }
+
    if (g_droplog_flows_start && p->flow != NULL) {
        int ret = FALSE;

@ -373,11 +377,9 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
            ret = TRUE;

        return ret;
-    } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
-        return TRUE;
    }

-    return FALSE;
+    return TRUE;
 }

 void JsonDropLogRegister (void)