From: Victor Julien
Date: Tue, 11 Jul 2017 09:06:51 +0000 (+0200)
Subject: proto detect: improve 'failed' handling
X-Git-Tag: suricata-4.0.0-rc2~10
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1236578a7cbd95c8fe9c75f06cfba065042716dd;p=thirdparty%2Fsuricata.git
proto detect: improve 'failed' handling
Don't try to call parser for 'failed'. Also don't set one direction warning if TS is failed and our direction is unknown/complete so failed as well.
---
diff --git a/src/app-layer.c b/src/app-layer.c
index aa6dd6acf8..7a83eb60f8 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -486,25 +486,29 @@ static int TCPProtoDetect(ThreadVars *tv, if (data_len > 0) ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER; - PACKET_PROFILING_APP_START(app_tctx, f->alproto); - int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, - f->alproto, flags, - data, data_len); - PACKET_PROFILING_APP_END(app_tctx, f->alproto); - - AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, - APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION); - StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream); - TcpSessionSetReassemblyDepth(ssn, - AppLayerParserGetStreamDepth(f)); + if (*alproto_otherdir != ALPROTO_FAILED) { + PACKET_PROFILING_APP_START(app_tctx, f->alproto); + int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, + f->alproto, flags, + data, data_len); + PACKET_PROFILING_APP_END(app_tctx, f->alproto); + + AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, + APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION); + TcpSessionSetReassemblyDepth(ssn, + AppLayerParserGetStreamDepth(f)); + + *alproto = *alproto_otherdir; + SCLogDebug("packet %u: pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set", + (uint)p->pcap_cnt, *alproto, *alproto_otherdir, r); + if (r < 0) + goto failure; + } *alproto = ALPROTO_FAILED; + StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream); AppLayerIncFlowCounter(tv, f); FlagPacketFlow(p, f, flags); - SCLogDebug("packet %u: pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set", - (uint)p->pcap_cnt, *alproto, *alproto_otherdir, r); - if (r < 0) - goto failure; } } else { /* both sides unknown, let's see if we need to give up */
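Review bot: On the `r < 0` path, the `goto failure` inside the new `if (*alproto_otherdir != ALPROTO_FAILED)` block now skips `StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)`, `AppLayerIncFlowCounter(tv, f)` and `FlagPacketFlow(p, f, flags)`, all of which ran before that check in the old code, and it leaves `*alproto` at the other direction's value instead of `ALPROTO_FAILED`. The commit message does not mention this change, and the `failure` label is outside the hunk, so unless that label sets the completed flag itself, a parser error here may leave protocol detection open for this stream. If that is unintended, declare `int r = 0;` before the `if` and move `if (r < 0) goto failure;` to after `FlagPacketFlow(p, f, flags);`. On the success path `*alproto = *alproto_otherdir;` is overwritten by the next statement and only makes the `us %u them %u` debug fields print the same value, so it needs a comment or removal. TCPProtoDetect begins and ends outside this hunk.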