From: Philippe Antoine
Date: Sat, 30 Dec 2023 20:36:07 +0000 (+0100)
Subject: protodetect: run expected probing parser
X-Git-Tag: suricata-8.0.0-beta1~1463
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78b766048e5d7c88d164630515e2e0234c21dd82;p=thirdparty%2Fsuricata.git

protodetect: run expected probing parser

When there is a protocol change, and a specific protocol is expected, like WebSeocket, always run it, no matter the port.
---
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index 35fc39ced4..c47a437659 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -581,7 +581,10 @@ again_midstream:
 }
 }
 
- if (dir == STREAM_TOSERVER && f->alproto_tc != ALPROTO_UNKNOWN) {
+ if (f->alproto_expect != ALPROTO_UNKNOWN) {
+ // needed for websocket which does not use ports
+ pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.ctx_pp, ipproto, f->alproto_expect);
+ } else if (dir == STREAM_TOSERVER && f->alproto_tc != ALPROTO_UNKNOWN) {
 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.ctx_pp, ipproto, f->alproto_tc);
 } else if (dir == STREAM_TOCLIENT && f->alproto_ts != ALPROTO_UNKNOWN) {
 pe0 = AppLayerProtoDetectGetProbingParser(alpd_ctx.ctx_pp, ipproto, f->alproto_ts);
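Review bot: The new `f->alproto_expect != ALPROTO_UNKNOWN` branch sits first in the else-if chain, so once an expected protocol is set the lookups on `f->alproto_tc` / `f->alproto_ts` are skipped even when `AppLayerProtoDetectGetProbingParser()` finds no probing parser for that protocol (presumably returning NULL). The comment names only websocket, but the branch runs for every protocol-change path that sets `alproto_expect`, and that value presumably comes from what the peer announced in traffic, so a missing parser should not be able to leave `pe0` empty here. If the old fallback is meant to survive, close the first `if` and start the next test with `if (pe0 == NULL && dir == STREAM_TOSERVER && f->alproto_tc != ALPROTO_UNKNOWN) {`, assuming `pe0` is still NULL on entry, which the hunk does not show. Otherwise widen the comment to say the expected protocol deliberately overrides the direction-based choice, e.g. `// expected protocol wins over the other direction's detected protocol; websocket needs this as it has no port`. The enclosing function starts and continues outside the hunk, so how a NULL `pe0` is handled afterwards is not visible.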