From 2423186bdec87eecc438af4f3d75aa403143f8c6 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 27 Nov 2023 17:07:21 +0100
Subject: [PATCH] detect: flush when setting no_inspection

Ticket: 6578

When a protocol such as SSH sets no_inspection, we still have to flush the current streams and packets that contain clear-text for detection.
---
 src/flow-worker.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/flow-worker.c b/src/flow-worker.c
index a20e053c59c9..5e8103dac63c 100644
--- a/src/flow-worker.c
+++ b/src/flow-worker.c
@@ -391,8 +391,19 @@ static inline void FlowWorkerStreamTCPUpdate(ThreadVars *tv, FlowWorkerThreadDat
 StreamTcp(tv, p, fw->stream_thread, &fw->pq);
 FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_STREAM);
- if (FlowChangeProto(p->flow)) {
+ // this is the first packet that sets no payload inspection
+ bool setting_nopayload =
+ (p->flow->flags & FLOW_NOPAYLOAD_INSPECTION) && !(p->flags & PKT_NOPAYLOAD_INSPECTION);
+ if (FlowChangeProto(p->flow) || setting_nopayload) {
+ if (setting_nopayload) {
+ // We still need to flush detection on previous packets.
+ // The pseudo packets should not have NOPAYLOAD_INSPECTION set yet.
+ p->flow->flags &= ~FLOW_NOPAYLOAD_INSPECTION;
+ }
 StreamTcpDetectLogFlush(tv, fw->stream_thread, p->flow, p, &fw->pq);
+ if (setting_nopayload) {
+ p->flow->flags |= FLOW_NOPAYLOAD_INSPECTION;
+ }
 AppLayerParserStateSetFlag(p->flow->alparser, APP_LAYER_PARSER_EOF_TS);
 AppLayerParserStateSetFlag(p->flow->alparser, APP_LAYER_PARSER_EOF_TC);
 }
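Review bot: The two `AppLayerParserStateSetFlag(p->flow->alparser, APP_LAYER_PARSER_EOF_TS)` / `..._EOF_TC)` calls at the end of the block now also run when only `setting_nopayload` is true, whereas before they ran only on `FlowChangeProto()`. The commit message speaks of flushing only, so either gate them with `if (FlowChangeProto(p->flow)) {` or, if marking EOF is intended here, say so in a comment such as `// no_inspection also ends parsing: mark EOF in both directions`. The clear-then-restore of `FLOW_NOPAYLOAD_INSPECTION` around `StreamTcpDetectLogFlush()` leaves the flow briefly marked as inspectable and depends on the second `if (setting_nopayload)` always being reached, so a comment stating that nothing may exit between the two blocks would protect later edits. The `setting_nopayload` test presumably relies on later packets having `PKT_NOPAYLOAD_INSPECTION` copied from the flow before this function runs; that happens outside the hunk and is worth confirming, as FlowWorkerStreamTCPUpdate's body starts and ends outside it.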