]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 14d4221)
detect: flush when setting no_inspection
authorPhilippe Antoine <pantoine@oisf.net>
Mon, 27 Nov 2023 16:07:21 +0000 (17:07 +0100)
committerVictor Julien <vjulien@oisf.net>
Mon, 18 Mar 2024 16:09:24 +0000 (17:09 +0100)
Ticket: 6578

When a protocol such as SSH sets no_inspection, we still have to
flush the current streams and packets that contain clear-text
for detection.

(cherry picked from commit cc3b4b01ec285d481e7ddcc7e062d1c8ec3b542c)

src/app-layer-parser.c patch | blob | blame | history
src/flow-worker.c patch | blob | blame | history

diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index 7783c076b65b9605eb996286de598e81cd2a771a..e9b84ed6d37c7e2b73c9f094f2cf81a3c0f65648 100644 (file)
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -1444,7 +1444,6 @@ int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow
     /* set the packets to no inspection and reassembly if required */
     if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
         AppLayerParserSetEOF(pstate);
-        FlowSetNoPayloadInspectionFlag(f);
 
         if (f->proto == IPPROTO_TCP) {
             StreamTcpDisableAppLayer(f);
@@ -1466,6 +1465,9 @@ int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow
                     StreamTcpSetSessionBypassFlag(ssn);
                 }
             }
+        } else {
+            // for TCP, this is set after flushing
+            FlowSetNoPayloadInspectionFlag(f);
         }
     }
 
diff --git a/src/flow-worker.c b/src/flow-worker.c
index 50d690d3b9993f3c5e3ff7fa62f4ae4019a92418..32fbe09381d358604a4061424bf2b68357d3ad34 100644 (file)
--- a/src/flow-worker.c
+++ b/src/flow-worker.c
@@ -391,8 +391,16 @@ static inline void FlowWorkerStreamTCPUpdate(ThreadVars *tv, FlowWorkerThreadDat
     StreamTcp(tv, p, fw->stream_thread, &fw->pq);
     FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_STREAM);
 
-    if (FlowChangeProto(p->flow)) {
+    // this is the first packet that sets no payload inspection
+    bool setting_nopayload =
+            p->flow->alparser &&
+            AppLayerParserStateIssetFlag(p->flow->alparser, APP_LAYER_PARSER_NO_INSPECTION) &&
+            !(p->flags & PKT_NOPAYLOAD_INSPECTION);
+    if (FlowChangeProto(p->flow) || setting_nopayload) {
         StreamTcpDetectLogFlush(tv, fw->stream_thread, p->flow, p, &fw->pq);
+        if (setting_nopayload) {
+            FlowSetNoPayloadInspectionFlag(p->flow);
+        }
         AppLayerParserStateSetFlag(p->flow->alparser, APP_LAYER_PARSER_EOF_TS);
         AppLayerParserStateSetFlag(p->flow->alparser, APP_LAYER_PARSER_EOF_TC);
     }
Mirror of https://github.com/OISF/suricata.git