IPBasedAnalyzer/TCPSessionAdapter: Fix TCP reassembly decision for known port analyzers

This seems to be an age-old bug. Reported by mchen on discourse [1]. The TCPSessionAdapter decides in AddExtraAnalyzers() whether to enable reassembly or not. When dpd_reassemble_first_packets is F, this boils down to ! GetChildren().empty(). The intention being that if any analyzers have been added to the connection based on known ports, reassembly is to be enabled. However, GetChildren() does not take into account new_children and so ! GetChildren().empty() is always false here and reassembly solely based on dpd_reassemble_first_packets=F (or the tcp_content... options). Ouch. Call AppendNewChildren() before AddExtraAnalyzers() as a fix. Without this, the new test does not produce an http.log and service "http" isn't in conn.log. [1] https://community.zeek.org/t/how-to-activate-an-application-layer-analyzer-when-signature-dpd-reassemble-first-packets-is-off/6763
2025-10-08 09:38:19 +00:00 · 2022-10-25 15:42:46 +02:00 · 2022-10-25 15:42:46 +02:00 · f3f593c523
commit f3f593c523
parent 5aa7d80e88
4 changed files with 34 additions and 0 deletions
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@ -216,6 +216,9 @@ void IPBasedAnalyzer::BuildSessionAnalyzerTree(Connection* conn)
 			}
 		}

+	// Make analyzers added above through known ports visible via GetChildren()
+	root->AppendNewChildren();
+
 	root->AddExtraAnalyzers(conn);

 	if ( pia )