Optimization #7018
Updated by Juliana Fajardini Reichow 6 months ago
As seen with #7004, DNS over TCP transactions might not be seen by the stream detection engine until a later stage, unless the app-proto triggers the raw parsing of the stream once it knows there's enough data to be parsed. This could lead to whole transactions being overseen: they're marked as inspected by DetectRunTx, then AppLayerParserTransactionsCleanup frees them, and once it's time to stream rules to match, earlier transactions may not exist for the detection engine any longer, or exist as an id only, but not be retrievable for alert metadata logging. This is especially true if for some reason we have a DNS rule that doesn't use any DNS keywords, as to the engine this is a payload/stream-only rule.