Suricata

I have already inspected the changes.

A condition is changed when StreamTcpDetectLogFlush is called. But at this moment FLOW_NOPAYLOAD_INSPECTION flag is already set to the flow flags by the application layer (TLS).
Thus StreamTcpPseudoPacketCreateDetectLogFlush prepares a pseudo packet with PKT_NOPAYLOAD_INSPECTION flag. See stream-tcp.c:7090

It looks like a pattern of communication is not commonly used. "Application Data" chunks exist in the same packet with "Server Hello". The change did not take care of this possibility.

- if (FlowChangeProto(p->flow)) {
+ // this is the first packet that sets no payload inspection
+ bool setting_nopayload =
+ p->flow->alparser &&
+ AppLayerParserStateIssetFlag(p->flow->alparser, APP_LAYER_PARSER_NO_INSPECTION) &&
+ !(p->flags & PKT_NOPAYLOAD_INSPECTION);
+ if (FlowChangeProto(p->flow) || setting_nopayload) {
StreamTcpDetectLogFlush(tv, fw->stream_thread, p->flow, p, &fw->pq);
+ if (setting_nopayload) {
+ FlowSetNoPayloadInspectionFlag(p->flow);
+ }

A proposed fix, i'll prepare PR soon
The rationale - we have to inherit bypass options from the current packet instead of flow.
The flow object flags are already altered and must not be used at this stage.

--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -7083,10 +7083,10 @ static void StreamTcpPseudoPacketCreateDetectLogFlush(ThreadVars *tv,
np->vlan_idx = f->vlan_idx;
np->livedev = (struct LiveDevice_ *)f->livedev;

- if (f->flags & FLOW_NOPACKET_INSPECTION) {
+ if (parent->flags & PKT_NOPACKET_INSPECTION) {
DecodeSetNoPacketInspectionFlag(np);
}
- if (f->flags & FLOW_NOPAYLOAD_INSPECTION) {
+ if (parent->flags & PKT_NOPAYLOAD_INSPECTION) {
DecodeSetNoPayloadInspectionFlag(np);
}

SV PR: https://github.com/OISF/suricata-verify/pull/2026