From 7384744c3e52977b8db8a451df7f15a06cb8a2b8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 22 Aug 2019 11:28:36 +0200
Subject: [PATCH] detect: fix FP on ICMP unreachable errors

ICMP unreachable errors are linked to the flow they send an error for. This would lead to the detection engine calling the TX inspection engines on them. The stream inspect engine would default to a match for non-UDP and non-TCP as for ICMP we're not expected to use a TX inspect engine for stream data. This all would lead to a false positive match. This patch fixes this by making sure the TX engines are not called if the packet protocol and flow protocol are not the same. Bug #2769.
---
 src/detect.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index 7318aa0b30..62f430dc0b 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -130,8 +130,8 @@ static void DetectRun(ThreadVars *th_v,
 DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
 
- /* run tx/state inspection */
- if (pflow && pflow->alstate) {
+ /* run tx/state inspection. Don't call for ICMP error msgs. */
+ if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {
 PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
 DetectRunTx(th_v, de_ctx, det_ctx, p, pflow, &scratch);
 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);
-- 
2.47.2
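Review bot: The added guard `likely(pflow->proto == p->proto)` encodes the ICMP-error case as a generic protocol mismatch, but the new comment only says "Don't call for ICMP error msgs", so a reader cannot tell why a packet's protocol could ever differ from its flow's; I would replace it with `/* ICMP error packets are attached to the flow of the packet they quote, so p->proto != pflow->proto for them. Skip TX inspection there: the stream inspect engine would otherwise default-match for non-TCP/UDP (bug #2769). */`. Skipping here also means any TX inspection that would have been triggered on this packet is deferred to the flow's next TCP/UDP packet; if an ICMP error is the last packet seen for that flow, open transactions are presumably only inspected at flow end, which is worth confirming against that path. The `likely()` hint is fine but undocumented; the comment above would also justify it. DetectRun starts and ends outside the hunk.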