detect: re-add app-layer to alerts on stream matches

The `guess-applayer-tx` work also removed the stream match condition for adding app-layer metadata to alerts. This is a behavior change that is not desired at this point, so this commit reverts that part of the changes. We keep the exising logging of app-layer metadata if the match was in the stream.
10 months ago · b025fe283d
parent 19a638611b
commit b025fe283d
1 changed files with 1 additions and 0 deletions
--- a/src/detect.c
+++ b/src/detect.c
@ -822,6 +822,7 @@ static inline void DetectRulePacketRules(
            uint8_t dir = (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
            txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
            if ((s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) ||
+                    (alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
                    (de_ctx->guess_applayer &&
                            AppLayerParserGetTxCnt(pflow, pflow->alstate) == txid + 1)) {
                // if there is a UDP specific app-layer signature,