applayer: keep running detection on protocol change
authorPhilippe Antoine <contact@catenacyber.fr>
Tue, 8 Sep 2020 07:23:24 +0000 (09:23 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 9 Sep 2020 14:22:11 +0000 (16:22 +0200)
i.e. do not stop on the first try if we do not have enough data

src/app-layer.c

index 9ac05c7b1949e1f7f4d36ed2910ef92d7240fae6..001acf2d7de289ec6f14f409ce4aff9ed7ec401f 100644 (file)
@@ -635,10 +635,20 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
         AppLayerParserState *alparser = f->alparser;
         // we delay AppLayerParserStateCleanup because we may need previous parser state
         AppLayerProtoDetectReset(f);
+        StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->client);
+        StreamTcpResetStreamFlagAppProtoDetectionCompleted(&ssn->server);
         /* rerun protocol detection */
         int rd = TCPProtoDetect(tv, ra_ctx, app_tctx, p, f, ssn, stream, data, data_len, flags);
-        FlowUnsetChangeProtoFlag(f);
-        AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
+        if (f->alproto == ALPROTO_UNKNOWN) {
+            // not enough data, revert AppLayerProtoDetectReset to rerun detection
+            f->alparser = alparser;
+            f->alproto = f->alproto_orig;
+            f->alproto_tc = f->alproto_orig;
+            f->alproto_ts = f->alproto_orig;
+        } else {
+            FlowUnsetChangeProtoFlag(f);
+            AppLayerParserStateProtoCleanup(f->protomap, f->alproto_orig, alstate_orig, alparser);
+        }
         if (rd != 0) {
             SCLogDebug("proto detect failure");
             f->alstate = NULL;
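Review bot: The revert branch at `if (f->alproto == ALPROTO_UNKNOWN)` does not look at `rd`, so when TCPProtoDetect returns non-zero with the protocol still unknown, the flow gets its old `alparser` and `alproto` back and the `rd != 0` block right after then sets `f->alstate = NULL`. On that path `AppLayerParserStateProtoCleanup` is never called for `alstate_orig`, which looks like it leaves a restored parser with no state and the old state unreleased, unless code past the end of the hunk handles it. Consider limiting the revert to the not-enough-data case, `if (rd == 0 && f->alproto == ALPROTO_UNKNOWN) {`, so a detection failure still goes through the cleanup in the `else` branch as it did before this change. The enclosing block of AppLayerHandleTCPData starts and ends outside the hunk, so this should be checked against the rest of the failure path.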