From: Jason Ish <jason.ish@oisf.net>
Date: Tue, 18 Aug 2020 16:39:42 +0000 (-0600)
Subject: app-layer: handle unidirectional transactions
X-Git-Tag: suricata-5.0.4~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=443937a16a93064343ad64736983090915324087;p=thirdparty%2Fsuricata.git

app-layer: handle unidirectional transactions

(cherry picked from commit 60ebc27c4eb755800e6d3f4ec1a5d55a5230a214)
---

diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index 31d475880b..dc3d13be86 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -932,6 +932,8 @@ void AppLayerParserTransactionsCleanup(Flow *f)
     uint64_t new_min = min;
     SCLogDebug("start min %"PRIu64, min);
     bool skipped = false;
+    const bool is_unidir = AppLayerParserGetOptionFlags(f->protomap, f->alproto)
+            & APP_LAYER_PARSER_OPT_UNIDIR_TXS;
 
     while (1) {
         AppLayerGetTxIterTuple ires = IterFunc(ipproto, alproto, alstate, i, total_txs, &state);
@@ -955,6 +957,7 @@ void AppLayerParserTransactionsCleanup(Flow *f)
             skipped = true;
             goto next;
         }
+        bool inspected = false;
         if (has_tx_detect_flags) {
             if (f->sgh_toserver != NULL) {
                 uint64_t detect_flags_ts = AppLayerParserGetTxDetectFlags(ipproto, alproto, tx, STREAM_TOSERVER);
@@ -962,7 +965,8 @@ void AppLayerParserTransactionsCleanup(Flow *f)
                     SCLogDebug("%p/%"PRIu64" skipping: TS inspect not done: ts:%"PRIx64,
                             tx, i, detect_flags_ts);
                     skipped = true;
-                    goto next;
+                } else {
+                    inspected = true;
                 }
             }
             if (f->sgh_toclient != NULL) {
@@ -971,10 +975,26 @@ void AppLayerParserTransactionsCleanup(Flow *f)
                     SCLogDebug("%p/%"PRIu64" skipping: TC inspect not done: tc:%"PRIx64,
                             tx, i, detect_flags_tc);
                     skipped = true;
-                    goto next;
+                } else {
+                    inspected = true;
                 }
             }
         }
+
+        /* If not a unidirectional transaction both sides are required to have
+         * been inspected. */
+        if (!is_unidir && skipped) {
+            goto next;
+        }
+
+        /* If this is a unidirectional transaction require only one side to be
+         * inspected, which the inspected flag tells us. This is also guarded
+         * with skip to limit this check to transactions that actually had the
+         * tx inspected flag checked. */
+        if (is_unidir && skipped && !inspected) {
+            goto next;
+        }
+
         if (logger_expectation != 0) {
             LoggerId tx_logged = AppLayerParserGetTxLogged(f, alstate, tx);
             if (tx_logged != logger_expectation) {