From: Victor Julien
Date: Wed, 25 Mar 2020 14:07:39 +0000 (+0100)
Subject: flow/tcp: consider pkts established based on 3whs
X-Git-Tag: suricata-6.0.0-beta1~102
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f65bf4c7eac75992151b0983ec9a36c7512cb96d;p=thirdparty%2Fsuricata.git
flow/tcp: consider pkts established based on 3whs
---
diff --git a/src/flow.c b/src/flow.c
index ad0001441e..ca42f73be0 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -475,14 +475,17 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
 SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
 p->flowflags |= FLOW_PKT_ESTABLISHED;
+ } else if (f->proto == IPPROTO_TCP) {
+ TcpSession *ssn = (TcpSession *)f->protoctx;
+ if (ssn != NULL && ssn->state >= TCP_ESTABLISHED) {
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ }
 } else if ((f->flags & (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) == (FLOW_TO_DST_SEEN|FLOW_TO_SRC_SEEN)) {
 SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);
 p->flowflags |= FLOW_PKT_ESTABLISHED;
- if (f->proto != IPPROTO_TCP) {
- FlowUpdateState(f, FLOW_STATE_ESTABLISHED);
- }
+ FlowUpdateState(f, FLOW_STATE_ESTABLISHED);
 }
 /*set the detection bypass flags*/
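Review bot: The new TCP branch tests `ssn->state >= TCP_ESTABLISHED`, a range compare that depends on the ordering of the TcpState enum and matches every state ordered after established; the enum is not visible in this hunk, but if teardown states such as TCP_CLOSED sort above TCP_ESTABLISHED, a session that was reset before the handshake completed would still have its later packets flagged FLOW_PKT_ESTABLISHED, and `flow:established` rules would then match traffic that never finished a 3whs. If that is intended, state it above the test, e.g. `/* >= on purpose: closing/closed states count as established; relies on TcpState ordering */`; if it is not, the check needs a per-session "handshake completed" indicator instead of the range compare. TCP flows also no longer reach the both-directions branch, so a TCP flow whose `f->protoctx` is NULL gets no established flag from this function, and it is worth confirming that losing `flow:established` matches on such flows is the intended outcome rather than a detection gap. The new branch omits the `SCLogDebug("pkt %p FLOW_PKT_ESTABLISHED", p);` line that both sibling branches carry. FlowHandlePacketUpdate starts and ends outside the hunk.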