From: Anoop Saldanha
Date: Mon, 9 Sep 2013 11:25:13 +0000 (+0530)
Subject: If we have proto mismatch from 2 directions, use one of the protos, instead of errori...
X-Git-Tag: suricata-2.0beta2~284
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6bef5fda06d756663bdf07f94761ae5d23cc1966;p=thirdparty%2Fsuricata.git
If we have proto mismatch from 2 directions, use one of the protos, instead of erroring out and not sending the data further to the parser. The logic we use currently is if we have already sent some data to a parser before we figure out we have a proto mismatch, we use the proto from the first direction from which we have already sent the data to the parser, else we stick to the the to client direction.
---
diff --git a/src/app-layer.c b/src/app-layer.c
index f42f09e9d4..6e9b3bed3b 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -185,11 +185,19 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (*alproto_otherdir != ALPROTO_UNKNOWN && *alproto_otherdir != *alproto) { AppLayerDecoderEventsSetEventRaw(p->app_layer_events, APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS); - f->alproto = f->alproto_ts = f->alproto_tc = ALPROTO_UNKNOWN; FlowSetSessionNoApplayerInspectionFlag(f); StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client); StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server); - } else { + if (ssn->data_first_seen_dir == 0x01) { + f->alproto = *alproto = *alproto_otherdir; + } else { + if (flags & STREAM_TOCLIENT) + f->alproto = *alproto_otherdir = *alproto; + else + f->alproto = *alproto = *alproto_otherdir; + } + } + f->alproto = *alproto; StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
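Review bot: The mismatch branch of AppLayerHandleTCPData still calls `FlowSetSessionNoApplayerInspectionFlag(f)` although it now assigns a concrete protocol, so the flow ends up both labelled (for example as HTTP) and flagged as not to be inspected at the app layer; the updated expectations in AppLayerTest07 and AppLayerTest08 assert exactly that combination. If that flag keeps later segments away from the parser (the check is not visible in this hunk), the stated goal of sending the data on to the parser is met for little or none of the session, which leaves a detection gap on flows that raise APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS. Either drop the call or keep it with a comment that states the intent, e.g. `/* mismatch: alproto is chosen below, but the flow stays uninspected because ... */`. The bare `0x01` compared against `ssn->data_first_seen_dir` should also become a named constant, or at least carry a comment saying it means data was already handed to a parser, as the commit message implies. The enclosing function starts and ends outside the hunk.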
@@ -242,7 +250,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 r = AppLayerParse(dp_ctx->alproto_local_storage[*alproto], f, *alproto, flags, data + data_al_so_far, data_len - data_al_so_far); PACKET_PROFILING_APP_END(dp_ctx, *alproto); f->data_al_so_far[dir] = 0; - } + } else { if (*alproto_otherdir != ALPROTO_UNKNOWN) { PACKET_PROFILING_APP_START(dp_ctx, *alproto_otherdir);
@@ -2177,9 +2185,9 @@ static int AppLayerTest07(void)
 goto end;
 if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
 !StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
- f.alproto != ALPROTO_UNKNOWN ||
- f.alproto_ts != ALPROTO_UNKNOWN ||
- f.alproto_tc != ALPROTO_UNKNOWN ||
+ f.alproto != ALPROTO_HTTP ||
+ f.alproto_ts != ALPROTO_HTTP ||
+ f.alproto_tc != ALPROTO_HTTP ||
 f.data_al_so_far[0] != 0 ||
 f.data_al_so_far[1] != 0 ||
 !(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
@@ -2415,9 +2423,9 @@ static int AppLayerTest08(void)
 goto end;
 if (!StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->server) ||
 !StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(&ssn->client) ||
- f.alproto != ALPROTO_UNKNOWN ||
- f.alproto_ts != ALPROTO_UNKNOWN ||
- f.alproto_tc != ALPROTO_UNKNOWN ||
+ f.alproto != ALPROTO_DCERPC ||
+ f.alproto_ts != ALPROTO_DCERPC ||
+ f.alproto_tc != ALPROTO_DCERPC ||
 f.data_al_so_far[0] != 0 ||
 f.data_al_so_far[1] != 0 ||
 !(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
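Review bot: The new expectations in AppLayerTest07 (`ALPROTO_HTTP`) and AppLayerTest08 (`ALPROTO_DCERPC`) check only the final protocol, so nothing visible in these hunks shows which of the three new selection arms produced it (`data_first_seen_dir == 0x01`, the `STREAM_TOCLIENT` arm, or the fallback). A comment above each condition, along the lines of `/* mismatch: <which direction's protocol wins here, and why> */`, would tell a reader why that protocol is the expected winner. The test bodies lie outside these hunks, so an assertion on the raised mismatch event may already exist; if it does not, it is worth adding, because that event is the only remaining signal that the two directions disagreed.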