The code to get the rule group (sgh) would return the group for
IP proto 0 instead of nothing. This led to certain types of rules
unintentionally matching (False Positive).
Since the packets weren't actually IP, the logged alert records
were missing the IP header.
Bug #2017.
* the decoder events sgh we have. */
if (p->proto == 0 && p->events.cnt > 0) {
SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead");
+ } else if (p->proto == 0) {
+ if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
+ /* not IP, so nothing to do */
+ SCReturnPtr(NULL, "SigGroupHead");
+ }
}
/* select the flow_gh */
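Review bot: the new `else if (p->proto == 0)` branch only returns NULL for packets that are neither IPv4 nor IPv6; a genuine IP packet carrying protocol number 0 (p->proto == 0 with PKT_IS_IPV4 or PKT_IS_IPV6 true) still falls through to the flow_gh selection below, which is not obvious from the commit message ("would return the group for IP proto 0 instead of nothing"). If that fall-through is intended, say so in the comment, e.g. `/* not IP (proto 0 without an IP header), so nothing to do */`; if real proto-0 IP packets should also return nothing, the condition needs to drop the PKT_IS_IPV4/PKT_IS_IPV6 test. As a style point, the nested `if` can be folded into the branch condition, `} else if (p->proto == 0 && !(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {`, which makes the single-purpose branch easier to read and keeps the decoder-events check above it taking precedence as before.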