If alproto for the current direction was not detected but the opposite
side was successfully detected, if the Pattern Matching and Pattern
Probing on the flow was also successfully done and the current
direction's alproto is still unknown, a decoder event is set to indicate
that the protocol detection only happened in one direction.
This event is set after having sent the current data to the applayer
parser. Now, the respective applayer parser may or may not successfully
parse the data. However, the alproto on flow is already set from the
other direction so there will be a flow event generated by Suricata. In
order to keep this consistent with the stats, also make sure to
increment the flow counter when the decode event is set so that the flow
counter is incremented irrespective of the parsing status reported by
the applayer parser.
This patch makes stats for several specific applayer flow count equal to
the number of flow events logged for those specific applayer protocols.
Bug 7238
APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
TcpSessionSetReassemblyDepth(ssn,
AppLayerParserGetStreamDepth(f));
+ AppLayerIncFlowCounter(tv, f);
*alproto = *alproto_otherdir;
SCLogDebug("packet %"PRIu64": pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
}
*alproto = ALPROTO_FAILED;
StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
- AppLayerIncFlowCounter(tv, f);
FlagPacketFlow(p, f, flags);
} else if (flags & STREAM_EOF) {
projects / thirdparty / suricata.git / commitdiff
