The detect engine would bypass packets that are set as dropped. This
seems sane, as these packets are going to be dropped anyway.
However, it led to the following corner case: stream events that
triggered the drop could not be matched on the rules. The packet
with the event wouldn't make it to the detect engine due to the bypass.
This patch changes the logic to not bypass DROP packets anymore.
Packets that are dropped by the stream engine will set the no payload
inspection flag, to avoid needless cost.
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
Packet *p)
{
- /* No need to perform any detection on this packet, if the the given flag is set.*/
- if ((p->flags & PKT_NOPACKET_INSPECTION) ||
- (PACKET_TEST_ACTION(p, ACTION_DROP)))
- {
+ if (p->flags & PKT_NOPACKET_INSPECTION) {
/* hack: if we are in pass the entire flow mode, we need to still
* update the inspect_id forward. So test for the condition here,
* and call the update code if necessary. */
}
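Review bot: Removing the `PACKET_TEST_ACTION(p, ACTION_DROP)` test from this condition widens the change beyond stream-engine drops: any packet already marked ACTION_DROP when it reaches this point now goes through full detection unless PKT_NOPACKET_INSPECTION or the no-payload flag was set elsewhere. Please confirm (in the commit message or a comment) that every earlier drop path sets one of those flags, otherwise the cost the old check avoided returns for non-stream drops. Also, the explanatory comment was deleted along with the old condition; keeping a corrected version above the new `if`, e.g. `/* No need to perform any detection on this packet if the given flag is set. */`, preserves the intent and fixes the duplicated "the the".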
if (StreamTcpInlineDropInvalid()) {
+ /* disable payload inspection as we're dropping this packet
+ * anyway. Doesn't disable all detection, so we can still
+ * match on the stream event that was set. */
+ DecodeSetNoPayloadInspectionFlag(p);
PACKET_DROP(p);
}
SCReturnInt(-1);
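Review bot: The new `DecodeSetNoPayloadInspectionFlag(p)` call covers only the `StreamTcpInlineDropInvalid()` branch. Because the detect engine no longer skips ACTION_DROP packets, any other stream-engine site that calls `PACKET_DROP(p)` needs the same flag set first, or those dropped packets will receive full payload inspection. Consider wrapping the flag-plus-drop pair in a small helper used at every stream-engine drop site, and extend the comment to state that the flag must be set before the packet is handed to detection.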