From edd163252d9fb49fea7da12dea4761999e78a975 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 17 Jul 2019 15:19:30 +0200
Subject: [PATCH] protodetect: be more tolerant Do not mask protocols on both directions with only first packet For instance : When the first packet is no valid DNS but on port 53 (a junk request) second packet (error response from server) does not get checked for DNS as first packet bit masked away DNS for both directions Ticket: #2757
---
 src/app-layer-detect-proto.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index b61d3c924d..3eb2752850 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -556,7 +556,11 @@ again_midstream:
 } else {
 /* first try the destination port */
 pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.ctx_pp, ipproto, dp);
- alproto_masks = &f->probing_parser_toclient_alproto_masks;
+ if (dir == idir) {
+ // do not update alproto_masks to let a chance to second packet
+ // for instance when sending a junk packet to a DNS server
+ alproto_masks = &f->probing_parser_toclient_alproto_masks;
+ }
 if (pp_port_dp != NULL) {
 SCLogDebug("toclient - Probing parser found for destination port %"PRIu16, dp);
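Review bot: When `dir != idir` the toclient branch no longer assigns `alproto_masks`, so any later use goes through whatever pointer an earlier pass left there. The declaration and the toserver branch are outside this hunk, so it cannot be confirmed from here that the pointer is always set before it is dereferenced. The new comment also reads backwards: it sits inside the branch that performs the assignment but describes the case that skips it. I would move it above the `if` and state the invariant, e.g. `/* only a packet probed in its own direction selects the toclient masks; on the again_midstream pass (dir != idir) alproto_masks keeps its earlier value, so a junk first packet cannot mask a protocol for the reply direction */`. The enclosing function starts and ends outside the hunk.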