From: Ilya Bakhtin Date: Sat, 31 Aug 2024 11:44:25 +0000 (+0200) Subject: detect: pseudo-packets inherit inspect flags from parent packet X-Git-Tag: suricata-8.0.0-beta1~838 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=976dec7f332624e31f57a936e6e6275c01dd8da5;p=thirdparty%2Fsuricata.git detect: pseudo-packets inherit inspect flags from parent packet Instead of inheriting from flow, because encrypted protocols like TLS and SSH may have just set the flow flags to indicate rest of stream is encrypted and does not need to run stream inspection. But inspection still needs to be run detection on this last flushing packet. Ticket: #7235. --- diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 1ae7c013ae..6417d024e6 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -6723,10 +6723,10 @@ static void StreamTcpPseudoPacketCreateDetectLogFlush(ThreadVars *tv, np->vlan_idx = f->vlan_idx; np->livedev = (struct LiveDevice_ *)f->livedev; - if (f->flags & FLOW_NOPACKET_INSPECTION) { + if (parent->flags & PKT_NOPACKET_INSPECTION) { DecodeSetNoPacketInspectionFlag(np); } - if (f->flags & FLOW_NOPAYLOAD_INSPECTION) { + if (parent->flags & PKT_NOPAYLOAD_INSPECTION) { DecodeSetNoPayloadInspectionFlag(np); }
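Review bot: At the two changed conditions (`parent->flags & PKT_NOPACKET_INSPECTION` and `parent->flags & PKT_NOPAYLOAD_INSPECTION`), the reason for reading the parent packet instead of the flow is recorded only in the commit message. A short comment above them would help: it should say that TLS and SSH may have just set the flow flags for the rest of the stream while this flushing pseudo-packet must still go through detection. Otherwise a later cleanup could switch the checks back to `f->flags` and silently skip inspection on that packet. The new lines also dereference `parent`, and the visible context shows no check on it, so please confirm it cannot be NULL at this point in StreamTcpPseudoPacketCreateDetectLogFlush, or guard it. The diff shown touches only src/stream-tcp.c, so a regression test for ticket #7235 would be worth adding.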