From: Yehor Furman -X (yefurman - SOFTSERVE INC at Cisco) Date: Mon, 3 Nov 2025 15:01:27 +0000 (+0000) Subject: Pull request #4966: appid: fix ssh service detection on mid-stream sessions X-Git-Tag: 3.9.7.0~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c3fbff007157585a2116b42c94b0c9eb6c731e07;p=thirdparty%2Fsnort3.git Pull request #4966: appid: fix ssh service detection on mid-stream sessions Merge in SNORT/snort3 from ~YEFURMAN/snort3:ssh_service_detection_fix to master Squashed commit of the following: commit 21a4f27f6cda49e6b176f6ae1461d24db1a28611 Author: yefurman Date: Fri Oct 24 09:49:36 2025 -0400 appid: fix ssh service detection with dropped packets
---
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index f6ef159e0..eef226fdb 100644
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -411,6 +411,7 @@ void AppIdDiscovery::do_port_based_discovery(Packet* p, AppIdSession& asd, IpPro
 // Do port-based detection only for responder packets.
 if (asd.get_session_flags(APPID_SESSION_PORT_SERVICE_DONE) or
 !asd.get_session_flags(APPID_SESSION_PAYLOAD_SEEN) or
+ asd.get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL) or
 (direction != APP_ID_FROM_RESPONDER))
 return;
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index ec2dfdae4..fdabe32d6 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -613,7 +613,7 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
 assert(hsession);
 }
- if (tp_app_id == APP_ID_SSH)
+ if (tp_app_id == APP_ID_SSH and !(p->flow->get_session_flags() & SSNFLAG_MIDSTREAM))
 {
 APPID_LOG(p, TRACE_DEBUG_LEVEL, "Setting the ignore and early detection flag\n");
 asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE);
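Review bot: In the appid_discovery.cc hunk, the new `asd.get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL)` term in the early return of do_port_based_discovery is not covered by the comment above it, which still states only the responder-packet rule. Nothing in the hunk shows where that flag is cleared; if the external result never arrives (plausible on the mid-stream or lossy sessions this commit targets), port-based discovery would stay suppressed for the life of the session and the service could remain unidentified, which is a detection gap worth ruling out. Please confirm the flag is cleared on every completion and failure path, and add a line such as `// Skip while an external detector's result is pending; port-based id must not pre-empt it.` above the condition. The function body starts and continues outside the hunk.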
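Review bot: In the tp_appid_utils.cc hunk, the new per-flow test `!(p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)` guards a call that does not look per-flow: `asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE)` is keyed by app id on the ODP context. If that state is shared across sessions, as the call chain suggests, then one normally established SSH flow sets the ignore flag for every later flow, mid-stream ones included, and the outcome depends on which kind of flow is seen first. It would help to test the mid-stream condition where the flag is consumed, or to document the intended ordering in a comment above the `if`. The hunk also dereferences `p->flow` with no null check in view; do_tp_discovery starts and ends outside the hunk, so an earlier guard may exist.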