From 1236578a7cbd95c8fe9c75f06cfba065042716dd Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 11 Jul 2017 11:06:51 +0200
Subject: [PATCH] proto detect: improve 'failed' handling
Don't try to call parser for 'failed'. Also don't set one direction warning if TS is failed and our direction is unknown/complete so failed as well.
---
 src/app-layer.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/src/app-layer.c b/src/app-layer.c
index aa6dd6acf8..7a83eb60f8 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -486,25 +486,29 @@ static int TCPProtoDetect(ThreadVars *tv,
 if (data_len > 0)
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
- PACKET_PROFILING_APP_START(app_tctx, f->alproto);
- int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
- f->alproto, flags,
- data, data_len);
- PACKET_PROFILING_APP_END(app_tctx, f->alproto);
-
- AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
- APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
- StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
- TcpSessionSetReassemblyDepth(ssn,
- AppLayerParserGetStreamDepth(f));
+ if (*alproto_otherdir != ALPROTO_FAILED) {
+ PACKET_PROFILING_APP_START(app_tctx, f->alproto);
+ int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f,
+ f->alproto, flags,
+ data, data_len);
+ PACKET_PROFILING_APP_END(app_tctx, f->alproto);
+
+ AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+ APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION);
+ TcpSessionSetReassemblyDepth(ssn,
+ AppLayerParserGetStreamDepth(f));
+
+ *alproto = *alproto_otherdir;
+ SCLogDebug("packet %u: pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
+ (uint)p->pcap_cnt, *alproto, *alproto_otherdir, r);
+ if (r < 0)
+ goto failure;
+ }
 *alproto = ALPROTO_FAILED;
+ StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream);
 AppLayerIncFlowCounter(tv, f);
 FlagPacketFlow(p, f, flags);
- SCLogDebug("packet %u: pd done(us %u them %u), parser called (r==%d), APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION set",
- (uint)p->pcap_cnt, *alproto, *alproto_otherdir, r);
- if (r < 0)
- goto failure;
 }
 } else {
 /* both sides unknown, let's see if we need to give up */
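Review bot: On the `r < 0` path the new block jumps to `failure` before `StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream)`, `AppLayerIncFlowCounter(tv, f)` and `FlagPacketFlow(p, f, flags)` run, and it leaves `*alproto` at `*alproto_otherdir` instead of `ALPROTO_FAILED`; in the removed code all of these ran ahead of the `goto`. The `failure` label and the rest of `TCPProtoDetect` lie outside this hunk, so if that path does not mark detection as completed, a stream whose parser errored may presumably be offered to protocol detection again and the flow goes uncounted. If the skip is not intended, declare `int r = 0;` before the `if (*alproto_otherdir != ALPROTO_FAILED)` block and move `if (r < 0) goto failure;` below `FlagPacketFlow(p, f, flags);`. Otherwise the temporary `*alproto = *alproto_otherdir;` deserves a comment such as `/* only for the debug line and the failure path; overwritten with ALPROTO_FAILED below */`, since on success it is replaced immediately after the block.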