diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h index f7c1a2e6f4..0a1bbb9249 100644 --- a/src/stream-tcp-private.h +++ b/src/stream-tcp-private.h @@ -133,11 +133,15 @@ enum reassemble for raw reassembled data inspection */ -#define STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT 0x3000 /**< Flag to indicate +#define STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT 0x4000 /**< Flag to indicate that this session is possible trying to evade the detection (http://www.packetstan.com/2010/06/recently-ive-been-on-campaign-to-make.html) */ +#define STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED 0x8000 /**< Flag to indicate + that this session + has reassembled to_server + chunks */ #define SEGMENTTCP_FLAG_PROCESSED 0x01 /**< Flag to indicate that the current diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c index caf4420e94..f739153479 100644 --- a/src/stream-tcp-reassemble.c +++ b/src/stream-tcp-reassemble.c @@ -1522,6 +1522,11 @@ int StreamTcpReassembleHandleSegmentUpdateACK (TcpReassemblyThreadCtx *ra_ctx, Packet *p) { SCEnter(); + if (PKT_IS_TOSERVER(p) && !(ssn->flags & STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED)) { + SCLogDebug("toserver reassembling is not done yet , so " + "skipping reassembling at the moment for to_client"); + SCReturnInt(0); + } if (stream->seg_list == NULL) { /* send an empty EOF msg if we have no segments but TCP state @@ -2002,6 +2007,8 @@ int StreamTcpReassembleHandleSegmentUpdateACK (TcpReassemblyThreadCtx *ra_ctx, } } + ssn->flags |= STREAMTCP_FLAG_TOSERVER_REASSEMBLY_STARTED; + SCReturnInt(0); }