From: Philippe Antoine Date: Fri, 18 Sep 2020 12:44:40 +0000 (+0200) Subject: protodetect: rerun probing parser if pattern matched X-Git-Tag: suricata-6.0.0~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d57275fa6495dee491ce86a55fb4df97eb8bd59b;p=thirdparty%2Fsuricata.git protodetect: rerun probing parser if pattern matched If a pattern matches in the other direction, after the probing parser finished without finding a protocol, we will rerun the probing parser, which will include the protocol newly found by its pattern --- diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c index 0ebaec2d1f..9c27e0703a 100644 --- a/src/app-layer-detect-proto.c +++ b/src/app-layer-detect-proto.c @@ -1552,6 +1552,16 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx, if (pm_matches > 0) { alproto = pm_results[0]; + // rerun probing parser for other direction if it is unknown + uint8_t reverse_dir = (direction & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER; + if (FLOW_IS_PP_DONE(f, reverse_dir)) { + AppProto rev_alproto = + (direction & STREAM_TOSERVER) ? f->alproto_tc : f->alproto_ts; + if (rev_alproto == ALPROTO_UNKNOWN) { + FLOW_RESET_PP_DONE(f, reverse_dir); + } + } + /* HACK: if detected protocol is dcerpc/udp, we run PP as well * to avoid misdetecting DNS as DCERPC. */ if (!(ipproto == IPPROTO_UDP && alproto == ALPROTO_DCERPC))
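Review bot: the reset of the reverse direction's PP-done flag in this hunk happens before the pattern-matched `alproto` has been stored in the flow (this function only returns `alproto`; it reads `f->alproto_tc` / `f->alproto_ts` but does not write them), so the rerun of the probing parser only benefits from the new protocol if the caller records `alproto` for this direction before the reverse direction is probed again. Please state that ordering dependency in the comment, e.g. `// caller stores alproto for this direction; the reverse-direction PP rerun then sees it`, and add a unit test that feeds data in the unknown direction first, matches a pattern in the other direction, and checks that `FLOW_IS_PP_DONE(f, reverse_dir)` is cleared and PP runs again. Two smaller points: `FLOW_RESET_PP_DONE` is used but not defined in this diff, so either confirm it already exists in the flow headers or include its definition in the same commit; and the new comment uses `//` while the surrounding code in this function uses `/* ... */` (see the `/* HACK: ... */` block right below), so match the file's comment style.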