detect/tag: add a tag for first packet

We may need to know that a packet has been tagged but is the first one (and thus is not tagged).
4 years ago · 9f4d59b3f7
parent 6cfc3343e7
commit 9f4d59b3f7
2 changed files with 2 additions and 0 deletions
--- a/src/decode.h
+++ b/src/decode.h
@ -1222,6 +1222,7 @@ void DecodeUnregisterCounters(void);

 /** We had no alert on flow before this packet */
 #define PKT_FIRST_ALERTS BIT_U32(29)
+#define PKT_FIRST_TAG    BIT_U32(30)

 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \
--- a/src/detect-engine-tag.c
+++ b/src/detect-engine-tag.c
@ -276,6 +276,7 @@ static void TagHandlePacketFlow(Flow *f, Packet *p)
         * to log it (the alert will log it) */
        if (!(iter->flags & TAG_ENTRY_FLAG_SKIPPED_FIRST)) {
            iter->flags |= TAG_ENTRY_FLAG_SKIPPED_FIRST;
+            p->flags |= PKT_FIRST_TAG;
        } else {
            /* Update metrics; remove if tag expired; and set alerts */
            switch (iter->metric) {