From: Philippe Antoine Date: Tue, 25 Feb 2025 09:49:41 +0000 (+0100) Subject: detect: reset signature groups when reversing flow X-Git-Tag: suricata-8.0.0-beta1~310 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d74bc774b75bcca613e5f48d907a425c3b46056a;p=thirdparty%2Fsuricata.git detect: reset signature groups when reversing flow Ticket: 7552 When we use midstream, and the first packet we see of a flow is a response from server, and we want to match on some signature to client : - we had first set sgh_toserver/FLOW_SGH_TOSERVER as we first thought this was a packet to server - we then swap/reverse the flow, so sgh_toclient becomes sgh_toserver but it contains signatures to server and cannot match our to_client signature The detect engine with DetectRunSetup will set again the signatures group heads properly --- diff --git a/src/app-layer.c b/src/app-layer.c index e5efcdf361..448cdc1066 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -460,6 +460,8 @@ static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, SCLogDebug("reversing flow after proto detect told us so"); PacketSwap(p); FlowSwap(f); + // Will reset signature groups in DetectRunSetup + f->de_ctx_version = UINT32_MAX; SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT); if (*stream == &ssn->client) { *stream = &ssn->server;
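Review bot: the sentinel `f->de_ctx_version = UINT32_MAX;` added after `FlowSwap(f);` in TCPProtoDetect encodes "reset the signature groups" as a magic version number, so it only works as long as DetectRunSetup treats any mismatch with the live detect engine's version as a reason to reassign sgh_toserver/sgh_toclient, the engine's version counter can never legitimately reach UINT32_MAX, and nothing else between this point and the first detect run reads de_ctx_version as a real version; consider a named constant (or a dedicated flow flag) and a comment that states why the value is safe, rather than the bare "Will reset signature groups in DetectRunSetup". A more local alternative, given the commit message's description of sgh_toclient becoming sgh_toserver while still holding to-server signatures, is for FlowSwap() itself to swap f->sgh_toserver/f->sgh_toclient together with FLOW_SGH_TOSERVER/FLOW_SGH_TOCLIENT, so the flow stays self-consistent for every caller and not only for this proto-detect path; if that is not practical, please check the other FlowSwap() call sites for the same stale-group problem, and add a midstream test (server response seen first, to_client signature expected to alert) so the regression from ticket 7552 stays covered.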