stream: still inspect packets dropped by stream

The detect engine would bypass packets that are set as dropped. This
seems sane, as these packets are going to be dropped anyway.

However, it lead to the following corner case: stream events that
triggered the drop could not be matched on the rules. The packet
with the event wouldn't make it to the detect engine due to the bypass.

This patch changes the logic to not bypass DROP packets anymore.
Packets that are dropped by the stream engine will set the no payload
inspection flag, so avoid needless cost.

diff --git a/src/detect.c b/src/detect.c
index 3b8ee921c53f80f9ccf9aa7b8ce858acba0983e4..b034d86551352571aab678422252a21e87813753 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1610,10 +1610,7 @@ static void DetectFlow(ThreadVars *tv,
                        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
                        Packet *p)
 {
-    /* No need to perform any detection on this packet, if the the given flag is set.*/
-    if ((p->flags & PKT_NOPACKET_INSPECTION) ||
-        (PACKET_TEST_ACTION(p, ACTION_DROP)))
-    {
+    if (p->flags & PKT_NOPACKET_INSPECTION) {
         /* hack: if we are in pass the entire flow mode, we need to still
          * update the inspect_id forward. So test for the condition here,
          * and call the update code if necessary. */
@@ -1629,6 +1626,8 @@ static void DetectFlow(ThreadVars *tv,
             flags = FlowGetDisruptionFlags(p->flow, flags);
             DeStateUpdateInspectTransactionId(p->flow, flags, true);
         }
+        SCLogDebug("p->pcap %"PRIu64": no detection on packet, "
+                "PKT_NOPACKET_INSPECTION is set", p->pcap_cnt);
         return;
     }
 

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 46f53740f7f4e50b6234fef974d31c481c583cf3..aea3ff152b2a2ef606c668761fd8a7174f76e111 100644 (file)
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -4739,6 +4739,10 @@ error:
     }
 
     if (StreamTcpInlineDropInvalid()) {
+        /* disable payload inspection as we're dropping this packet
+         * anyway. Doesn't disable all detection, so we can still
+         * match on the stream event that was set. */
+        DecodeSetNoPayloadInspectionFlag(p);
         PACKET_DROP(p);
     }
     SCReturnInt(-1);