From: Victor Julien Date: Wed, 8 Feb 2017 12:55:34 +0000 (+0100) Subject: detect: don't run IP inspection on non-IP packets X-Git-Tag: suricata-3.2.1~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2549%2Fhead;p=thirdparty%2Fsuricata.git detect: don't run IP inspection on non-IP packets The code to get the rule group (sgh) would return the group for IP proto 0 instead of nothing. This led to certain types of rules unintentionally matching (False Positive). Since the packets weren't actually IP, the logged alert records were missing the IP header. Bug #2017. --- diff --git a/src/detect.c b/src/detect.c index 479d0db192..5660c28339 100644 --- a/src/detect.c +++ b/src/detect.c @@ -588,6 +588,11 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre * the decoder events sgh we have. */ if (p->proto == 0 && p->events.cnt > 0) { SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead"); + } else if (p->proto == 0) { + if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) { + /* not IP, so nothing to do */ + SCReturnPtr(NULL, "SigGroupHead"); + } } /* select the flow_gh */
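Review bot: the nested `} else if (p->proto == 0) {` / `if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {` in this hunk can be collapsed into a single condition, `else if (p->proto == 0 && !(PKT_IS_IPV4(p) || PKT_IS_IPV6(p)))`, which makes the intent explicit: the NULL return applies only to packets that carry neither an IP header nor decoder events. The ordering relative to the preceding branch matters and deserves a comment: a non-IP packet that does have decoder events still hits the `decoder_event_sgh` return above, so decoder-event rules keep matching on it, and only the flow/proto group lookup is skipped. Also worth a decode/detect unit test that runs a non-IP packet through SigMatchSignaturesGetSgh and asserts a NULL result, so the proto-0 false positives and the alerts without IP headers described for Bug #2017 cannot regress.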