flow: complete stats for app_layer protocol counters

In the case of a gap, or in the case of a flow where one side is recognized, but the other is not before the end, we still increase the counters to have consistency between jq 'select(.event_type=="flow" and .app_proto=="ftp") | .app_proto' log/eve.json | wc -l jq 'select(.event_type=="stats") | .stats."app_layer".flow.ftp' log/eve.json Ticket: #5769
2 years ago · 27d2bce1a1
parent cfcb7df9dc
commit 27d2bce1a1
1 changed files with 5 additions and 0 deletions
--- a/src/app-layer.c
+++ b/src/app-layer.c
@ -603,6 +603,10 @@ static int TCPProtoDetect(ThreadVars *tv,
                AppLayerIncFlowCounter(tv, f);
                FlagPacketFlow(p, f, flags);

+            } else if (flags & STREAM_EOF) {
+                *alproto = f->alproto;
+                StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
+                AppLayerIncFlowCounter(tv, f);
            }
        } else {
            /* both sides unknown, let's see if we need to give up */
@ -676,6 +680,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
            if (f->alproto == ALPROTO_UNKNOWN) {
                goto failure;
            }
+            AppLayerIncFlowCounter(tv, f);
        }
        if (FlowChangeProto(f)) {
            FlowUnsetChangeProtoFlag(f);