detect: use direction-based tx for app-layer logging

When we only have stream matches.

Ticket: 6846

This solves the case where another transaction was created
by parsing data in the other direction, before running the
detection.

Like
1. get data in direction 1
2. acked data: parse it, but do not run detection in dir 1
3. other data in direction 2
4. other data acked: parse it and create new tx,
then run detection for direction 1 with data from first packet
pull/10921/head
Philippe Antoine 11 months ago committed by Victor Julien
parent f6635ea960
commit 7274ad58aa

@ -812,9 +812,11 @@ static inline void DetectRulePacketRules(
(s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
// if there is a stream match (TCP), or
// a UDP specific app-layer signature,
// try to use the last tx
// try to use the good tx for the packet direction
if (pflow->alstate) {
txid = AppLayerParserGetTxCnt(pflow, pflow->alstate) - 1;
uint8_t dir =
(p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
alert_flags |= PACKET_ALERT_FLAG_TX;
}
}
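
Review bot: inside the `if (pflow->alstate)` block, the id returned by AppLayerParserGetTransactionInspectId() is assigned to txid and PACKET_ALERT_FLAG_TX is set unconditionally, with no check visible in this hunk that a transaction with that id exists. The replaced assignment, AppLayerParserGetTxCnt(pflow, pflow->alstate) - 1, pointed at the most recently created tx; nothing shown here gives the per-direction inspect id the same property. Consider validating the id before setting the flag, for instance by comparing it against AppLayerParserGetTxCnt(pflow, pflow->alstate), so the logger is never handed a txid with no tx behind it. Two smaller points: the guard tests pflow->alstate while the new call reads pflow->alparser, so either guard on both or add a comment saying why alstate implies alparser; and the comment "try to use the good tx for the packet direction" would be clearer as something like "use the tx currently being inspected in this packet's direction".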
