app layer: set event if proto detect disabled for a stream, but we see data anyway.

diff --git a/src/app-layer.c b/src/app-layer.c
index 0ce187d9259f8d83349af165af350d5321795f40..7f380c809ffd31f2125f09e1d80e0e128e862906 100644 (file)
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -413,12 +413,14 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
                            StreamTcpGetStreamSize(&ssn->client) > alp_proto_ctx.toserver.async_max) {
                     SCLogDebug("%u bytes toserver and no proto, no data to "
                                "client, giving up", alp_proto_ctx.toserver.async_max);
+                    ssn->server.flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED;
                     flow_done = 1;
                 } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
                            StreamTcpGetStreamSize(&ssn->client) == 0 &&
                            StreamTcpGetStreamSize(&ssn->server) > alp_proto_ctx.toclient.async_max) {
                     SCLogDebug("%u bytes toclient and no proto, no data to "
                                "server, giving up", alp_proto_ctx.toclient.async_max);
+                    ssn->client.flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED;
                     flow_done = 1;
                 }
 

diff --git a/src/decode-events.c b/src/decode-events.c
index c6a94fa79e4532f126469b084ef29fc420b66d36..54d33796c05e2be9ee509c84b86943ce14425730 100644 (file)
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -31,6 +31,8 @@ SCEnumCharMap app_layer_event_pkt_table[ ] = {
       APPLAYER_WRONG_DIRECTION_FIRST_DATA },
     { "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
       APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
+    { "APPLAYER_PROTO_DETECTION_SKIPPED",
+      APPLAYER_PROTO_DETECTION_SKIPPED },
     { NULL,
       -1 },
 };

diff --git a/src/decode-events.h b/src/decode-events.h
index e25942a1bbf944d7c2ef30218bd8f431d3ac8d72..b1dd84d8fed86b112c10eac9594a00c6fc9e055a 100644 (file)
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -229,6 +229,7 @@ enum {
     APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS,
     APPLAYER_WRONG_DIRECTION_FIRST_DATA,
     APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION,
+    APPLAYER_PROTO_DETECTION_SKIPPED,
 };
 
 #define DECODER_EVENTS_BUFFER_STEPS 5

diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index f17f0bb4fdf753fb39af45a6fda944f6fb138fee..88f2a2cb2fb684627ca43b668f8c19fdfa9f25b7 100644 (file)
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -164,6 +164,8 @@ enum
 #define STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP    0x40
 /** App proto detection completed */
 #define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED 0x80
+/** App proto detection skipped */
+#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED 0x100
 
 /*
  * Per SEGMENT flags

diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 1ce3ecdbf7f902d8059137401e229688cc15023b..3fc162e6f971b3a6627e782b8ee2e817830ac465 100644 (file)
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -1675,6 +1675,14 @@ int StreamTcpReassembleHandleSegmentHandleData(ThreadVars *tv, TcpReassemblyThre
     seg->payload_len = size;
     seg->seq = TCP_GET_SEQ(p);
 
+    /* proto detection skipped, but now we do get data. Set event. */
+    if (stream->seg_list == NULL &&
+        stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED) {
+
+        AppLayerDecoderEventsSetEventRaw(p->app_layer_events,
+                APPLAYER_PROTO_DETECTION_SKIPPED);
+    }
+
     if (StreamTcpReassembleInsertSegment(tv, ra_ctx, stream, seg, p) != 0) {
         SCLogDebug("StreamTcpReassembleInsertSegment failed");
         SCReturnInt(-1);