output: optimize loop for finding alert http xff

Ticket: 8156 In case of non-tx alerts, we try to loop over all the txs to find the xff header. Do not start from tx_id 0, but from min_id as AppLayerParserTransactionsCleanup to skip txs that were freed (cherry picked from commit 3b1a6c1711)
4 months ago · 754c4e9bde
parent d767dfadcd
commit 754c4e9bde
3 changed files with 9 additions and 1 deletions
--- a/src/app-layer-htp-xff.c
+++ b/src/app-layer-htp-xff.c
@ -177,7 +177,7 @@ int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg,
 int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
 {
    HtpState *htp_state = NULL;
-    uint64_t tx_id = 0;
+    uint64_t tx_id = AppLayerParserGetMinId(f->alparser);
    uint64_t total_txs = 0;

    htp_state = (HtpState *)FlowGetAppState(f);
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@ -705,6 +705,13 @@ uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
    SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
 }

+uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate)
+{
+    SCEnter();
+
+    SCReturnCT((pstate == NULL) ? 0 : pstate->min_id, "uint64_t");
+}
+
 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
 {
    SCEnter();
--- a/src/app-layer-parser.h
+++ b/src/app-layer-parser.h
@ -230,6 +230,7 @@ void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto a


 uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
+uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate);
 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id);

 uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);