From: Victor Julien
Date: Mon, 2 Dec 2013 14:04:08 +0000 (+0100)
Subject: app layer: set event if proto detect disabled for a stream, but we see data anyway.
X-Git-Tag: suricata-2.0beta2~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f8947ff3d786364c5af593dac4ef37874a22726;p=thirdparty%2Fsuricata.git

app layer: set event if proto detect disabled for a stream, but we see data anyway.
---
diff --git a/src/app-layer.c b/src/app-layer.c
index 0ce187d925..7f380c809f 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -413,12 +413,14 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
             StreamTcpGetStreamSize(&ssn->client) > alp_proto_ctx.toserver.async_max) {
         SCLogDebug("%u bytes toserver and no proto, no data to "
                 "client, giving up", alp_proto_ctx.toserver.async_max);
+        ssn->server.flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED;
         flow_done = 1;
     } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
             StreamTcpGetStreamSize(&ssn->client) == 0 &&
             StreamTcpGetStreamSize(&ssn->server) > alp_proto_ctx.toclient.async_max) {
         SCLogDebug("%u bytes toclient and no proto, no data to "
                 "server, giving up", alp_proto_ctx.toclient.async_max);
+        ssn->client.flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED;
         flow_done = 1;
     }
diff --git a/src/decode-events.c b/src/decode-events.c
index c6a94fa79e..54d33796c0 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -31,6 +31,8 @@ SCEnumCharMap app_layer_event_pkt_table[ ] = {
         APPLAYER_WRONG_DIRECTION_FIRST_DATA },
     { "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
         APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
+    { "APPLAYER_PROTO_DETECTION_SKIPPED",
+        APPLAYER_PROTO_DETECTION_SKIPPED },
     { NULL, -1 },
 };
diff --git a/src/decode-events.h b/src/decode-events.h
index e25942a1bb..b1dd84d8fe 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
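Review bot: The two added assignments flag the side of the session that has carried no data so far (`ssn->server` in the toserver branch, `ssn->client` in the toclient branch), and nothing in the hunk says that the flag is consumed later, when that silent side finally sends a segment; a one-line comment above each assignment would spare the next reader a trip to the reassembler, e.g. `/* mark the silent side: its first segment raises APPLAYER_PROTO_DETECTION_SKIPPED */`. Both branches also set `flow_done = 1`, and nothing visible ever clears the new flag, so the mark is permanent for the session, which is presumably the intent and worth stating in that comment. AppLayerHandleTCPData starts and ends outside the hunk.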
@@ -229,6 +229,7 @@ enum {
     APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS,
     APPLAYER_WRONG_DIRECTION_FIRST_DATA,
     APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION,
+    APPLAYER_PROTO_DETECTION_SKIPPED,
 };

 #define DECODER_EVENTS_BUFFER_STEPS 5
diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
index f17f0bb4fd..88f2a2cb2f 100644
--- a/src/stream-tcp-private.h
+++ b/src/stream-tcp-private.h
@@ -164,6 +164,8 @@ enum
 #define STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP 0x40
 /** App proto detection completed */
 #define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED 0x80
+/** App proto detection skipped */
+#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED 0x100

 /*
  * Per SEGMENT flags
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 1ce3ecdbf7..3fc162e6f9 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -1675,6 +1675,14 @@ int StreamTcpReassembleHandleSegmentHandleData(ThreadVars *tv, TcpReassemblyThre
     seg->payload_len = size;
     seg->seq = TCP_GET_SEQ(p);

+    /* proto detection skipped, but now we do get data. Set event. */
+    if (stream->seg_list == NULL &&
+        stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED) {
+        AppLayerDecoderEventsSetEventRaw(p->app_layer_events,
+            APPLAYER_PROTO_DETECTION_SKIPPED);
+    }
+
     if (StreamTcpReassembleInsertSegment(tv, ra_ctx, stream, seg, p) != 0) {
         SCLogDebug("StreamTcpReassembleInsertSegment failed");
         SCReturnInt(-1);
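Review bot: `STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED` is the first per-stream flag above 0xFF (its neighbours shown here are 0x40 and 0x80), so it only works if the `flags` field it is OR-ed into in app-layer.c is at least 16 bits wide; if that field were a `uint8_t` the OR would silently truncate to zero and the event in stream-tcp-reassemble.c would never fire, possibly without any compiler warning. The field's declaration is not visible in this commit, so this is a check rather than a finding, but the width assumption deserves to be recorded next to the definition, e.g. `/** App proto detection skipped (requires a flags field of at least 16 bits) */`.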
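Review bot: The event is raised before `StreamTcpReassembleInsertSegment` runs, so on the failure path (`SCReturnInt(-1)`) `stream->seg_list` stays NULL and the next segment on the same stream raises `APPLAYER_PROTO_DETECTION_SKIPPED` a second time, although the `seg_list == NULL` test reads as a fire-once guard. Clearing the flag at the point the event is set, `stream->flags &= ~STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED;`, makes the event strictly once per stream regardless of the insert outcome, provided nothing outside this hunk still needs the flag afterwards, which nothing on the page shows. On style, `&` binds tighter than `&&` so the condition is correct as written, but `(stream->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED) != 0` reads unambiguously. StreamTcpReassembleHandleSegmentHandleData continues on both sides of the hunk.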