aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

protodetect: be more tolerant

Browse Source 
Do not mask protocols on both directions with only first packet

For instance :
When the first packet is no valid DNS but on port 53 (a junk request)
second packet (error response from server) does not get checked for DNS
as first packet bit masked away DNS for both directions

Ticket: #2757
pull/7423/head
Philippe Antoine 6 years ago committed by Victor Julien
parent b6407c4253
commit edd163252d
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File

6
src/app-layer-detect-proto.c
Unescape Escape View File

@ -556,7 +556,11 @@ again_midstream:
} else { } else {
/* first try the destination port */ /* first try the destination port */
pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.ctx_pp, ipproto, dp); pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.ctx_pp, ipproto, dp);
alproto_masks = &f->probing_parser_toclient_alproto_masks; if (dir == idir) {
// do not update alproto_masks to let a chance to second packet
// for instance when sending a junk packet to a DNS server
alproto_masks = &f->probing_parser_toclient_alproto_masks;
}
if (pp_port_dp != NULL) { if (pp_port_dp != NULL) {
SCLogDebug("toclient - Probing parser found for destination port %"PRIu16, dp); SCLogDebug("toclient - Probing parser found for destination port %"PRIu16, dp);

Write Preview
Loading…
Cancel
Save