From e1ef57c848bbe4e567d5d4b66d346a742e3f77a1 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 24 Jan 2018 15:59:14 +0100
Subject: [PATCH] stream: still inspect packets dropped by stream

The detect engine would bypass packets that are set as dropped. This seems sane, as these packets are going to be dropped anyway. However, it lead to the following corner case: stream events that triggered the drop could not be matched on the rules. The packet with the event wouldn't make it to the detect engine due to the bypass. This patch changes the logic to not bypass DROP packets anymore. Packets that are dropped by the stream engine will set the no payload inspection flag, so avoid needless cost.
---
 src/detect.c | 7 +++----
 src/stream-tcp.c | 4 ++++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index 3b8ee921c5..b034d86551 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1610,10 +1610,7 @@ static void DetectFlow(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
{
- /* No need to perform any detection on this packet, if the the given flag is set.*/
- if ((p->flags & PKT_NOPACKET_INSPECTION) ||
- (PACKET_TEST_ACTION(p, ACTION_DROP)))
- {
+ if (p->flags & PKT_NOPACKET_INSPECTION) {
/* hack: if we are in pass the entire flow mode, we need to still
* update the inspect_id forward. So test for the condition here,
* and call the update code if necessary. */
@@ -1629,6 +1626,8 @@ static void DetectFlow(ThreadVars *tv,
flags = FlowGetDisruptionFlags(p->flow, flags);
DeStateUpdateInspectTransactionId(p->flow, flags, true);
}
+ SCLogDebug("p->pcap %"PRIu64": no detection on packet, "
+ "PKT_NOPACKET_INSPECTION is set", p->pcap_cnt);
return;
}
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 46f53740f7..aea3ff152b 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
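Review bot: The new condition `if (p->flags & PKT_NOPACKET_INSPECTION) {` now admits every packet carrying ACTION_DROP into detection, but the cost saving the commit message relies on only holds for drops that also set the no-payload-inspection flag, and the only call site updated for that is the StreamTcpInlineDropInvalid() path in stream-tcp.c; any other code that sets ACTION_DROP without that flag now pays full payload inspection on a packet that will be discarded anyway, which is extra per-packet work an attacker able to trigger such drops at line rate can lean on, so it is worth checking the other PACKET_DROP callers. Since dropped packets are now visible to rule matching, it is also worth confirming that a pass-action rule matching a stream-dropped packet cannot clear the drop; I cannot see the action-merge code from here, so this is an assumption to verify. Either way a short comment at the new condition would preserve the intent, e.g. `/* DROP packets are still inspected so the stream event that caused the drop can match rules; the stream engine sets PKT_NOPAYLOAD_INSPECTION for them to limit the cost. */` (using whatever the flag DecodeSetNoPayloadInspectionFlag() sets is actually named). DetectFlow's body continues outside this hunk.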
@@ -4739,6 +4739,10 @@ error:
}
if (StreamTcpInlineDropInvalid()) {
+ /* disable payload inspection as we're dropping this packet * anyway. Doesn't disable all detection, so we can still * match on the stream event that was set. */
+ DecodeSetNoPayloadInspectionFlag(p);
PACKET_DROP(p);
}
SCReturnInt(-1);