From: Philippe Antoine
Date: Wed, 17 Jul 2019 13:19:30 +0000 (+0200)
Subject: protodetect: be more tolerant
X-Git-Tag: suricata-7.0.0-beta1~591
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=edd163252d9fb49fea7da12dea4761999e78a975;p=thirdparty%2Fsuricata.git
protodetect: be more tolerant
Do not mask protocols on both directions with only first packet For instance : When the first packet is no valid DNS but on port 53 (a junk request) second packet (error response from server) does not get checked for DNS as first packet bit masked away DNS for both directions
Ticket: #2757
---
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index b61d3c924d..3eb2752850 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -556,7 +556,11 @@ again_midstream:
 } else {
 /* first try the destination port */
 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.ctx_pp, ipproto, dp);
- alproto_masks = &f->probing_parser_toclient_alproto_masks;
+ if (dir == idir) {
+ // do not update alproto_masks to let a chance to second packet
+ // for instance when sending a junk packet to a DNS server
+ alproto_masks = &f->probing_parser_toclient_alproto_masks;
+ }
 if (pp_port_dp != NULL) {
 SCLogDebug("toclient - Probing parser found for destination port %"PRIu16, dp);
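Review bot: In the toclient branch, `alproto_masks` is now assigned only when `dir == idir`, so on a pass where the two differ it keeps whatever an earlier pass through `again_midstream` left in it, and nothing visible in the hunk shows that it is always set before it is dereferenced. The new comment also sits inside the branch that does update the pointer while saying "do not update", which reads backwards. I would move it above the `if` and reword it, e.g. `/* on a reverse-direction retry (dir != idir) leave alproto_masks alone, so a junk first packet does not mask the protocol away for the second packet */`, and confirm that the declaration or the first pass guarantees initialization. Because the old behaviour let an unparseable first packet on port 53 suppress DNS detection for the reply as well, a regression test with that packet pair would be worth adding alongside this change. The enclosing function starts and ends outside the hunk.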