protodetect: be more tolerant

Do not mask protocols on both directions with only first packet For instance : When the first packet is no valid DNS but on port 53 (a junk request) second packet (error response from server) does not get checked for DNS as first packet bit masked away DNS for both directions Ticket: OISF#2757
catenacyber · Apr 27, 2022 · b51c79e · b51c79e
1 parent ddf9c9d
commit b51c79e
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
@@ -556,7 +556,11 @@ static AppProto AppLayerProtoDetectPPGetProto(Flow *f, const uint8_t *buf, uint3
     } else {
         /* first try the destination port */
         pp_port_dp = AppLayerProtoDetectGetProbingParsers(alpd_ctx.ctx_pp, ipproto, dp);
-        alproto_masks = &f->probing_parser_toclient_alproto_masks;
+        if (dir == idir) {
+            // do not update alproto_masks to let a chance to second packet
+            // for instance when sending a junk packet to a DNS server
+            alproto_masks = &f->probing_parser_toclient_alproto_masks;
+        }
         if (pp_port_dp != NULL) {
             SCLogDebug("toclient - Probing parser found for destination port %"PRIu16, dp);