detect: run frames on pseudo flush packets
authorPhilippe Antoine <pantoine@oisf.net>
Thu, 20 Jun 2024 20:43:57 +0000 (22:43 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 1 Aug 2024 05:05:13 +0000 (07:05 +0200)
for SSH packets that mark the end of plaintext

src/detect.c

index 0302a374b550d386f32c9d82b5db121df865676c..aeb2fb625c7728d783ba8720fdfce6dd46f63f61 100644 (file)
@@ -150,7 +150,13 @@ static void DetectRun(ThreadVars *th_v,
                 goto end;
             }
             const TcpSession *ssn = p->flow->protoctx;
-            if (ssn && (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) == 0) {
+            bool setting_nopayload = p->flow->alparser &&
+                                     AppLayerParserStateIssetFlag(
+                                             p->flow->alparser, APP_LAYER_PARSER_NO_INSPECTION) &&
+                                     !(p->flags & PKT_NOPAYLOAD_INSPECTION);
+            // we may be right after disabling app-layer (ssh)
+            if (ssn &&
+                    ((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) == 0 || setting_nopayload)) {
                 // PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
                 DetectRunFrames(th_v, de_ctx, det_ctx, p, pflow, &scratch);
                 // PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
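Review bot: The comment `// we may be right after disabling app-layer (ssh)` does not explain why the three tests behind `setting_nopayload` together identify the transition packet, although that condition decides whether frame rules still run on a flow whose app-layer was just disabled. I would replace it with something like `/* parser already has APP_LAYER_PARSER_NO_INSPECTION but this packet is not yet PKT_NOPAYLOAD_INSPECTION: last chance to run frame rules on the final plaintext data (e.g. SSH before encryption) */`, and declare the flag `const bool` to match `const TcpSession *ssn` just above it. The exception presumably lasts for one packet only because later packets on the flow carry PKT_NOPAYLOAD_INSPECTION, which is set outside this hunk. It is worth confirming that every parser raising APP_LAYER_PARSER_NO_INSPECTION also ends up setting that packet flag, since otherwise DetectRunFrames would keep running on every packet after the app-layer is disabled. DetectRun's body starts and ends outside the hunk.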