diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 2abff2212b..21047a0df5 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -327,6 +327,12 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 * keyword context for sessions and hosts */
 if (!(p->flags & PKT_PSEUDO_STREAM_END)) TagHandlePacket(de_ctx, det_ctx, p);
+
+ /* Set flag on flow to indicate that it has alerts */
+ if (p->flow != NULL && p->alerts.cnt > 0) {
+ FlowSetHasAlertsFlag(p->flow);
+ }
+
 }
diff --git a/src/flow.c b/src/flow.c
index df1dec39ff..df4a79a7af 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -157,6 +157,30 @@ void FlowSetIPOnlyFlag(Flow *f, int direction)
 return;
 }
+/** \brief Set flag to indicate that flow has alerts
+ *
+ * \param f flow
+ */
+void FlowSetHasAlertsFlag(Flow *f)
+{
+ f->flags |= FLOW_HAS_ALERTS;
+}
+
+/** \brief Check if flow has alerts
+ *
+ * \param f flow
+ * \retval 1 has alerts
+ * \retval 0 has not alerts
+ */
+int FlowHasAlerts(const Flow *f)
+{
+ if (f->flags & FLOW_HAS_ALERTS) {
+ return 1;
+ }
+
+ return 0;
+}
+
 /**
 * \brief determine the direction of the packet compared to the flow
 * \retval 0 to_server
diff --git a/src/flow.h b/src/flow.h
index d215a58210..d6660dd00c 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -72,7 +72,8 @@ typedef struct AppLayerParserState_ AppLayerParserState;
 /** packet to client direction has been logged in drop file (only in IPS mode) */
 #define FLOW_TOCLIENT_DROP_LOGGED BIT_U32(11)
-// vacancy bit 12
+/** flow has alerts */
+#define FLOW_HAS_ALERTS BIT_U32(12)
 /** Pattern matcher alproto detection done */
 #define FLOW_TS_PM_ALPROTO_DETECT_DONE BIT_U32(13)
@@ -458,6 +459,8 @@ void FlowInitConfig (char);
 void FlowPrintQueueInfo (void);
 void FlowShutdown(void);
 void FlowSetIPOnlyFlag(Flow *, int);
+void FlowSetHasAlertsFlag(Flow *);
+int FlowHasAlerts(const Flow *);
 void FlowRegisterTests (void);
 int FlowSetProtoTimeout(uint8_t ,uint32_t ,uint32_t ,uint32_t);
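Review bot: The new `FlowSetHasAlertsFlag(p->flow)` call is a read-modify-write of shared flow state (`p->flow->flags`) with no locking visible in the hunk; it is only safe if the caller already holds the flow lock here, which cannot be confirmed because PacketAlertFinalize starts outside the hunk. If that is the case, a one-line comment above the new `if` would save the next reader the same check, e.g. `/* flow lock held by the caller; FLOW_HAS_ALERTS is set-only within this change */` — this diff adds no path that clears the bit. The check also runs for PKT_PSEUDO_STREAM_END packets, unlike the TagHandlePacket call just above it; that looks intentional but is worth a word in the same comment. The added blank line before the function's closing `}` is a style nit.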
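Review bot: `\retval 0 has not alerts` in the FlowHasAlerts doc comment should read `\retval 0 has no alerts`. Both new helpers dereference `f` without a NULL check, and the only caller in this diff guards `p->flow != NULL` before calling, so the precondition belongs in the docs: `\param f flow, must not be NULL`. FlowHasAlerts can also be a single expression matching its \retval contract without the branch, `return (f->flags & FLOW_HAS_ALERTS) ? 1 : 0;`. Neither helper takes a lock, so the docs should state that the caller is expected to hold the flow lock if that is the convention for the neighbouring FlowSetIPOnlyFlag — that convention is not visible in the hunk.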
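Review bot: The one-line doc `/** flow has alerts */` on FLOW_HAS_ALERTS does not say when the bit is set or whether it is ever cleared, which matters for anything that later keys logging or eviction decisions on it. Within this diff it is set from PacketAlertFinalize when a packet on the flow has `p->alerts.cnt > 0`, and no clearing path is added. Suggest `/** at least one packet on this flow raised an alert (set by PacketAlertFinalize) */`, and add whether it persists for the flow's lifetime once that is confirmed against code outside this diff.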