diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c
index 7367c4b758..08c3f10af7 100644
--- a/src/alert-debuglog.c
+++ b/src/alert-debuglog.c
@@ -31,6 +31,7 @@
 #include "flow.h"
 #include "conf.h"
 #include "stream.h"
+#include "app-layer-protos.h"
 #include "threads.h"
 #include "threadvars.h"
@@ -222,7 +223,7 @@ TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
 p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
 p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
 fprintf(aft->file_ctx->fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
- p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE", p->flow->alproto);
+ (p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
 AlertDebugLogFlowVars(aft, p);
 AlertDebugLogFlowBits(aft, p);
 SCMutexUnlock(&p->flow->m);
@@ -316,7 +317,7 @@ TmEcode AlertDebugLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
 p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
 p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
 fprintf(aft->file_ctx->fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
- p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE", p->flow->alproto);
+ (p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
 AlertDebugLogFlowVars(aft, p);
 AlertDebugLogFlowBits(aft, p);
 SCMutexUnlock(&p->flow->m);
diff --git a/src/app-layer.c b/src/app-layer.c
index 50223ed049..e54e440d0b 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
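Review bot: In src/alert-debuglog.c the `DETECTED:` field printed by AlertDebugLogIPv4 changes meaning with the new expression `(p->flow->alproto != ALPROTO_UNKNOWN)`: it used to report that detection had finished, including the case where it finished without a match, and now reports only that a protocol was identified. Someone reading the debug log during triage can no longer tell a flow that is still undetected from one where detection was abandoned, and the field now duplicates what `PROTO` already shows. I would add a comment above the fprintf such as `/* DETECTED is TRUE only when a protocol was identified, not when detection merely ended */`, or rename the label if log consumers allow it; the identical line in the AlertDebugLogIPv6 hunk needs the same treatment. Both function bodies start and end outside their hunks.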
@@ -149,7 +149,6 @@ int AppLayerHandleTCPData(AlpProtoDetectThreadCtx *dp_ctx, Flow *f,
 * only run the proto detection once. */
 if (alproto == ALPROTO_UNKNOWN && flags & STREAM_GAP) {
 ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
- f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
 SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
 StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
 } else if (alproto == ALPROTO_UNKNOWN && flags & STREAM_START) {
@@ -170,22 +169,18 @@ int AppLayerHandleTCPData(AlpProtoDetectThreadCtx *dp_ctx, Flow *f,
 FlowL7DataPtrInit(f);
 f->alproto = alproto;
 ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
- f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
-
 r = AppLayerParse(f, alproto, flags, data, data_len);
 } else {
 if (flags & STREAM_TOSERVER) {
 SCLogDebug("alp_proto_ctx.toserver.max_len %u", alp_proto_ctx.toserver.max_len);
 if (data_len >= alp_proto_ctx.toserver.max_len) {
 ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
- f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
 SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
 StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
 }
 } else if (flags & STREAM_TOCLIENT) {
 if (data_len >= alp_proto_ctx.toclient.max_len) {
 ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
- f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
 SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
 StreamTcpSetSessionNoReassemblyFlag(ssn, 1);
 }
@@ -353,7 +348,6 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
 FlowL7DataPtrInit(smsg->flow);
 smsg->flow->alproto = alproto;
 ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
- smsg->flow->alflags |= FLOW_AL_PROTO_DETECT_DONE;
 r = AppLayerParse(smsg->flow, alproto, smsg->flow->alflags, smsg->data.data, smsg->data.data_len);
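Review bot: After the `@@ -170,22 +169,18 @@` hunk, the give-up branches of AppLayerHandleTCPData (the `data_len >= ...max_len` cases) leave no trace on the Flow itself; the only record that detection ended is `STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED` on the session. AppLayerHandleMsg still sets `FLOW_AL_NO_APPLAYER_INSPECTION` in the same situation, as its `@@ -362,14 +356,14 @@` hunk shows, so the two TCP entry points now differ in what code holding only a `Flow *` can observe. If that is intended, a comment above the first branch such as `/* for TCP the detection-done state is kept in ssn->flags only; the flow carries no done bit */` would make it explicit. The same removal in the `@@ -149,7 +149,6 @@` GAP branch is covered by that comment; the function body starts and ends outside these hunks.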
@@ -362,14 +356,14 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
 if (smsg->data.data_len >= alp_proto_ctx.toserver.max_len) {
 /* protocol detection has failed */
 ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
- smsg->flow->alflags |= FLOW_AL_PROTO_DETECT_DONE|FLOW_AL_NO_APPLAYER_INSPECTION;
+ smsg->flow->alflags |= FLOW_AL_NO_APPLAYER_INSPECTION;
 SCLogDebug("ALPROTO_UNKNOWN flow %p", smsg->flow);
 }
 } else if (smsg->flags & STREAM_TOCLIENT) {
 if (smsg->data.data_len >= alp_proto_ctx.toclient.max_len) {
 /* protocol detection has failed */
 ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
- smsg->flow->alflags |= FLOW_AL_PROTO_DETECT_DONE|FLOW_AL_NO_APPLAYER_INSPECTION;
+ smsg->flow->alflags |= FLOW_AL_NO_APPLAYER_INSPECTION;
 SCLogDebug("ALPROTO_UNKNOWN flow %p", smsg->flow);
 }
 }
@@ -492,7 +486,7 @@ int AppLayerHandleUdp(AlpProtoDetectThreadCtx *dp_ctx, Flow *f, Packet *p)
 * initializer message, we run proto detection.
 * We receive 2 stream init msgs (one for each direction) but we
 * only run the proto detection once. */
- if (alproto == ALPROTO_UNKNOWN && !(f->alflags & FLOW_AL_PROTO_DETECT_DONE)) {
+ if (alproto == ALPROTO_UNKNOWN && !(f->flags & FLOW_ALPROTO_DETECT_DONE)) {
 SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")", p->payload_len);
@@ -506,12 +500,12 @@ int AppLayerHandleUdp(AlpProtoDetectThreadCtx *dp_ctx, Flow *f, Packet *p)
 /* store the proto and setup the L7 data array */
 FlowL7DataPtrInit(f);
 f->alproto = alproto;
- f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
+ f->flags |= FLOW_ALPROTO_DETECT_DONE;
 r = AppLayerParse(f, alproto, f->alflags, p->payload, p->payload_len);
 } else {
- f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
+ f->flags |= FLOW_ALPROTO_DETECT_DONE;
 SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
 }
 } else {
diff --git a/src/flow.h b/src/flow.h
index ccd39b7f60..9a4ec12a88 100644
--- a/src/flow.h
+++ b/src/flow.h
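Review bot: In the `@@ -506,12 +500,12 @@` hunk of AppLayerHandleUdp in src/app-layer.c, `f->flags |= FLOW_ALPROTO_DETECT_DONE;` is written in both arms of the same if/else, so the flag ends up set whatever the detection result. Setting it once, before the branch, would remove the duplicate and make it plain that the guard in the `@@ -492,7 +486,7 @@` hunk lets detection run at most once per flow. The branch condition lies between the two hunks, so this assumes nothing there reads the flag. A short comment at the guard, e.g. `/* UDP keeps the detection-done bit in f->flags; TCP uses the stream session flag */`, would also explain why this path differs from the TCP ones.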
@@ -73,6 +73,8 @@
 #define FLOW_TOSERVER_DROP_LOGGED 0x2000
 /** packet to client direction has been logged in drop file (only in IPS mode) */
 #define FLOW_TOCLIENT_DROP_LOGGED 0x4000
+/** alproto detect done. Right now we need it only for udp */
+#define FLOW_ALPROTO_DETECT_DONE 0x8000
 /* pkt flow flags */
 #define FLOW_PKT_TOSERVER 0x01
@@ -213,7 +215,6 @@ typedef struct Flow_
 } Flow;
 /** Flow Application Level flags */
-#define FLOW_AL_PROTO_DETECT_DONE 0x02
 #define FLOW_AL_NO_APPLAYER_INSPECTION 0x04 /** \todo move to flow flags later */
 #define FLOW_AL_STREAM_TOSERVER 0x20
 #define FLOW_AL_STREAM_TOCLIENT 0x40
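Review bot: The doc comment on the new `FLOW_ALPROTO_DETECT_DONE` in the `@@ -73,6 +73,8 @@` hunk does not say where the TCP state lives, and in this commit the flag is set only in AppLayerHandleUdp, so a test of `f->flags & FLOW_ALPROTO_DETECT_DONE` on a TCP flow would read false without any warning. I would spell that out, e.g. `/** app layer proto detection has run for this flow. Set for UDP only; for TCP see STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED in the session flags */`. The width of `Flow.flags` is not visible in this hunk; if it is 16 bits, `0x8000` is its last free bit and the next flow flag will need a wider field.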