detect: do not run tx detection on non established packets #10304
catenacyber wants to merge 1 commit into OISF:master from
| /* run tx/state inspection. Don't call for ICMP error msgs. */ | ||
| if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) { | ||
| if (pflow && pflow->alstate && likely(pflow->proto == p->proto) && | ||
| (p->flags & PKT_STREAM_EST)) { |
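Review bot: the added `(p->flags & PKT_STREAM_EST)` term in the `if` applies to every flow that has `alstate`, because the only protocol test in that condition is `pflow->proto == p->proto`. If that flag is only ever set by the TCP stream code, tx/state inspection would stop running for non-TCP flows that carry app-layer state; consider requiring the flag only when the flow's protocol is TCP. The comment above the condition still mentions only ICMP error messages and should also say why non-established packets are skipped.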
one thing I would like to know here is if TCP fast open, data on syn, IPS mode (so app-layer is called immediately) also sets this flag
should a similar check be done before the tx logging is called?
> should a similar check be done before the tx logging is called?
There are likely other places where this optimization can happen
also the flag will only be set for TCP I think
> one thing I would like to know here is if TCP fast open, data on syn, IPS mode (so app-layer is called immediately) also sets this flag
I do not think it does:
Code should get into StreamTcpPacketStateNone, case if (p->tcph->th_flags & TH_SYN) and TCP_HAS_TFO so not going to set PKT_STREAM_EST because not in same code path as StreamTcpPacketStateNone
replaced by #10307
can you open tickets for:
https://redmine.openinfosecfoundation.org/issues/6743
Follows commit 2fb5059, concurrent against #10286
Link to redmine ticket:
Should there be one specific for this?
Describe changes:
StreamTcpStateDispatch returning an error value)
SV_BRANCH=OISF/suricata-verify#1623
#10299 alternative to run less code when packet is not flagged as established (instead of flagging more packets as established)