stream: fix false negative on bad RST

If a bad RST was received the stream inspection would not happen
for that packet, but it would still move the 'raw progress' tracker
forward. Following good packets would then fail to detect anything
before the 'raw progress' position.

Bug #2770

Reported-by: Alexey Vishnyakov

diff --git a/src/detect.c b/src/detect.c
index abe759ed47a444f8a31e56126b9997be97b1b152..20767184c987ccb0c42e3d3de9763c43fa9b46fd 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1443,7 +1443,9 @@ end:
         }
 
         /* update inspected tracker for raw reassembly */
-        if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL) {
+        if (p->proto == IPPROTO_TCP && pflow->protoctx != NULL &&
+            (p->flags & PKT_STREAM_EST))
+        {
             StreamReassembleRawUpdateProgress(pflow->protoctx, p,
                     det_ctx->raw_stream_progress);