From: Victor Julien
Date: Mon, 24 Jul 2017 16:48:23 +0000 (+0200)
Subject: stream/bypass: more liberal policy if no detection
X-Git-Tag: suricata-4.0.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5eb0bbe32ad18ea6c1f8c0dd575a338858cdb8e;p=thirdparty%2Fsuricata.git

stream/bypass: more liberal policy if no detection

The reason the stream engine can't easily decide to bypass streams is that there can be non-stream dependent rules that wouldn't match if bypassing is done too aggressively. However, if there is no detection engine, there is no reason to hold back. In this case we can bypass as soon as the stream engine is done with a session.
---
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index c43331d982..dfc956c13a 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -106,6 +106,8 @@ static int StreamTcpHandleTimestamp(TcpSession * , Packet *);
 static int StreamTcpValidateRst(TcpSession * , Packet *);
 static inline int StreamTcpValidateAck(TcpSession *ssn, TcpStream *, Packet *);
+extern int g_detect_disabled;
+
 static PoolThread *ssn_pool = NULL;
 static SCMutex ssn_pool_mutex = SCMUTEX_INITIALIZER; /**< init only, protect initializing and growing pool */
 #ifdef DEBUG
@@ -4654,6 +4656,15 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
 if (StreamTcpBypassEnabled()) {
 PacketBypassCallback(p);
 }
+
+ /* if stream is dead and we have no detect engine at all, bypass. */
+ } else if (g_detect_disabled &&
+ (ssn->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) &&
+ (ssn->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) &&
+ StreamTcpBypassEnabled())
+ {
+ SCLogDebug("bypass as stream is dead and we have no rules");
+ PacketBypassCallback(p);
 }
 }
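Review bot: The `extern int g_detect_disabled;` added after the StreamTcpValidateAck prototype declares the global locally in stream-tcp.c rather than taking it from a header, so the compiler never checks this declaration against the defining translation unit and a later change of the variable's type or name there would surface only as a link error or a silently wrong read. Prefer declaring it once in the header that goes with its definition and including that header here. If the local extern is kept, a comment such as `/* set once at startup from the detect config; read-only from packet threads, see its definition */` would tell readers why a plain, unsynchronised int is safe to read on the packet path; where and when the flag is written is not visible in this diff, so that claim should be confirmed against the definition before it is written down.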
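Review bot: The debug message `SCLogDebug("bypass as stream is dead and we have no rules");` in the new branch does not match the condition it sits under, which tests `g_detect_disabled` (no detection engine at all) rather than an empty ruleset; `SCLogDebug("bypass as stream is dead and detection is disabled");` would agree with the comment on the branch. The new branch dereferences `ssn->client.flags` and `ssn->server.flags`, so it presumably sits inside an enclosing check that `ssn` is non-NULL, but that check and the depth-reached condition of the preceding `if` are outside the hunk and should be confirmed. A short note on the branch that it only fires once both directions carry `STREAMTCP_STREAM_FLAG_NOREASSEMBLY`, i.e. the stream engine has nothing further to reassemble for the session, would help a reader who does not know that flag, since that is what justifies handing the flow to bypass without losing inspected data. StreamTcpPacket begins and ends outside the hunk.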