From 1f31eb9e58e351297207c3bee6d12ac06f557a67 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Sun, 10 Apr 2022 20:21:18 +0200 Subject: [PATCH] app-layer: don't switch dir if proto already known (cherry picked from commit 86e8611f5edd461bc13aa5665a40f9d241c4f23d) --- src/app-layer.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/src/app-layer.c b/src/app-layer.c index 47c907ea4b..a80606b572 100644 --- a/src/app-layer.c +++ b/src/app-layer.c @@ -357,20 +357,26 @@ static int TCPProtoDetect(ThreadVars *tv, TcpSessionSetReassemblyDepth(ssn, AppLayerParserGetStreamDepth(f)); FlagPacketFlow(p, f, flags); + /* if protocol detection indicated that we need to reverse * the direction of the flow, do it now. We flip the flow, * packet and the direction flags */ if (reverse_flow && (ssn->flags & STREAMTCP_FLAG_MIDSTREAM)) { - SCLogDebug("reversing flow after proto detect told us so"); - PacketSwap(p); - FlowSwap(f); - SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT); - if (*stream == &ssn->client) { - *stream = &ssn->server; + /* but only if we didn't already detect it on the other side. */ + if (*alproto_otherdir == ALPROTO_UNKNOWN) { + SCLogDebug("reversing flow after proto detect told us so"); + PacketSwap(p); + FlowSwap(f); + SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT); + if (*stream == &ssn->client) { + *stream = &ssn->server; + } else { + *stream = &ssn->client; + } + direction = 1 - direction; } else { - *stream = &ssn->client; + // TODO event, error? } - direction = 1 - direction; } /* account flow if we have both sides */ -- 2.47.2