From: Victor Julien
Date: Thu, 30 Nov 2023 10:59:45 +0000 (+0100)
Subject: detect/frames: avoid IPS rescanning
X-Git-Tag: suricata-8.0.0-beta1~1203
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=683363b42df9ed702ca4b4e8dd912806ef87601f;p=thirdparty%2Fsuricata.git
detect/frames: avoid IPS rescanning
Make sure to only scan the data when the app layer has been updated as well.
Ticket: #6718.
---
diff --git a/src/detect.c b/src/detect.c
index 989f1133da..7c7536a227 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1627,6 +1627,15 @@ static void DetectRunFrames(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngin
 const SigGroupHead *const sgh = scratch->sgh;
 const AppProto alproto = f->alproto;
+ /* for TCP, limit inspection to pseudo packets or real packet that did
+ * an app-layer update. */
+ if (p->proto == IPPROTO_TCP && !PKT_IS_PSEUDOPKT(p) &&
+ ((PKT_IS_TOSERVER(p) && (f->flags & FLOW_TS_APP_UPDATED) == 0) ||
+ (PKT_IS_TOCLIENT(p) && (f->flags & FLOW_TC_APP_UPDATED) == 0))) {
+ SCLogDebug("pcap_cnt %" PRIu64 ": %s: skip frame inspection for TCP w/o APP UPDATE",
+ p->pcap_cnt, PKT_IS_TOSERVER(p) ? "toserver" : "toclient");
+ return;
+ }
 FramesContainer *frames_container = AppLayerFramesGetContainer(f);
 if (frames_container == NULL) {
 return;
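Review bot: The new early return in DetectRunFrames gates frame inspection on `f->flags & FLOW_TS_APP_UPDATED` / `FLOW_TC_APP_UPDATED` without stating the lifetime of those flags, and nothing in the hunk shows where they are set or cleared; if they are not reset per packet before this runs a stale flag silently defeats the skip, and if they are cleared too early real TCP data would bypass frame inspection entirely, which in IPS mode is a detection gap rather than a performance regression. The invariant should be pinned in the comment, e.g. `/* FLOW_{TS,TC}_APP_UPDATED are expected to be set by this packet's app-layer update and cleared again before the next packet; if that changes, frames would be skipped (IPS detection gap) or rescanned. */`, and ideally covered by a test that feeds a TCP segment carrying new app-layer data plus a retransmission and checks the frame alert fires exactly once. As a style point the direction-specific test can be written once: `const uint32_t updated = PKT_IS_TOSERVER(p) ? FLOW_TS_APP_UPDATED : FLOW_TC_APP_UPDATED;` followed by `if (p->proto == IPPROTO_TCP && !PKT_IS_PSEUDOPKT(p) && (f->flags & updated) == 0) {`, which removes the duplicated flow-flag expression; the comment's "real packet that did" should read "real packets that did". DetectRunFrames begins before the hunk and continues after it, so whether the skipped tail does any bookkeeping besides inspection cannot be seen here.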