Pull request #4966: appid: fix ssh service detection on mid-stream sessions
authorYehor Furman -X (yefurman - SOFTSERVE INC at Cisco) <yefurman@cisco.com>
Mon, 3 Nov 2025 15:01:27 +0000 (15:01 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Mon, 3 Nov 2025 15:01:27 +0000 (15:01 +0000)
Merge in SNORT/snort3 from ~YEFURMAN/snort3:ssh_service_detection_fix to master

Squashed commit of the following:

commit 21a4f27f6cda49e6b176f6ae1461d24db1a28611
Author: yefurman <yefurman@cisco.com>
Date:   Fri Oct 24 09:49:36 2025 -0400

    appid: fix ssh service detection with dropped packets

src/network_inspectors/appid/appid_discovery.cc
src/network_inspectors/appid/tp_appid_utils.cc

index f6ef159e094ce92b2e19de0f66f5df0ad1e849b1..eef226fdbac6a0ccb118ee0b3458608c3ab89ca7 100644 (file)
@@ -411,6 +411,7 @@ void AppIdDiscovery::do_port_based_discovery(Packet* p, AppIdSession& asd, IpPro
     // Do port-based detection only for responder packets.
     if (asd.get_session_flags(APPID_SESSION_PORT_SERVICE_DONE) or
         !asd.get_session_flags(APPID_SESSION_PAYLOAD_SEEN) or
+        asd.get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL) or
         (direction != APP_ID_FROM_RESPONDER))
         return;
 
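Review bot: The new `asd.get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL)` early return in `do_port_based_discovery` suppresses the port-based fallback for as long as that flag stays set, and nothing in this hunk shows where it is cleared. If the external result the flag presumably waits for never arrives (the commit title mentions dropped packets), the session could be left without a service id, which is a visibility gap for anything keyed on the detected service. It is worth confirming that the flag is always cleared on failure or timeout. The comment above the condition now describes only one of its four terms; consider `// Port-based detection runs only on responder packets, after payload is seen, and not while an external result is pending.` The function body continues outside the hunk.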
index ec2dfdae457867228b205b7960cdf92565df8a61..fdabe32d66e9798c7c907df21d14ed2f6ec9d669 100644 (file)
@@ -613,7 +613,7 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
         assert(hsession);
     }
 
-    if (tp_app_id == APP_ID_SSH)
+    if (tp_app_id == APP_ID_SSH and !(p->flow->get_session_flags() & SSNFLAG_MIDSTREAM))
     {
         APPID_LOG(p, TRACE_DEBUG_LEVEL, "Setting the ignore and early detection flag\n");
          asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE);
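Review bot: The `SSNFLAG_MIDSTREAM` guard on the `tp_app_id == APP_ID_SSH` branch only stops this session from setting `APPINFO_FLAG_IGNORE`. The flag itself is written through `asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, ...)`, which looks keyed by app id rather than by session. If that reading is right, a mid-stream SSH flow that arrives after any normally established SSH flow would still find the flag set. It is worth confirming that the code reading the flag also accounts for mid-stream flows, or adding a regression test with that ordering. The condition would also benefit from a short why-comment, for example `// Skip for mid-stream flows: the start of the SSH exchange was not seen (PR #4966).` The body of the `if` continues outside the hunk.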