From 1907b9f225ca8e0f8592a60638024f668b509034 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 25 Feb 2025 10:49:41 +0100
Subject: [PATCH] detect: reset signature groups when reversing flow

Ticket: 7552

When we use midstream, and the first packet we see of a flow is a response from server, and we want to match on some signature to client :
- we had first set sgh_toserver/FLOW_SGH_TOSERVER as we first thought this was a packet to server
- we then swap/reverse the flow, so sgh_toclient becomes sgh_toserver but it contains signatures to server and cannot match our to_client signature

The detect engine with DetectRunSetup will set again the signatures group heads properly

(cherry picked from commit d74bc774b75bcca613e5f48d907a425c3b46056a)
---
 src/app-layer.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/app-layer.c b/src/app-layer.c
index 3c416eef75..b0cebd4de0 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -410,6 +410,8 @@ static int TCPProtoDetect(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 SCLogDebug("reversing flow after proto detect told us so");
 PacketSwap(p);
 FlowSwap(f);
+ // Will reset signature groups in DetectRunSetup
+ f->de_ctx_version = UINT32_MAX;
 SWAP_FLAGS(flags, STREAM_TOSERVER, STREAM_TOCLIENT);
 if (*stream == &ssn->client) {
 *stream = &ssn->server;
-- 
2.47.2
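Review bot: The sentinel `f->de_ctx_version = UINT32_MAX;` added after `FlowSwap(f)` leaves the swapped sgh_toserver/sgh_toclient pointers and the FLOW_SGH_* flags in place until DetectRunSetup next runs, so any code consulting them between this point and detection would still see the to-server group sitting in the to-client slot; if such a reader exists, clearing the state directly with `f->sgh_toserver = f->sgh_toclient = NULL;` and `f->flags &= ~(FLOW_SGH_TOSERVER | FLOW_SGH_TOCLIENT);` would not depend on how DetectRunSetup compares the version (presumably against the current engine version — I cannot see that code from here). The added comment should also say why the value forces a re-setup rather than just that it does, e.g. `// Force DetectRunSetup to re-resolve the sgh pointers: FlowSwap moved the to-server group into the to-client slot`. Without that, a reader has to know the version comparison in DetectRunSetup to understand why an out-of-range version is the right signal here. The enclosing function TCPProtoDetect starts and ends outside the hunk.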