detect/prefilter: fix prefilter setup

If `prefilter` is used it should override automatic fast pattern
selection.

Fixes: d6b56929d3c6 ("detect: set mpm/prefilter during signature parsing")
Ticket: #7523.

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 65719286bb25e4af5882738b187f1b5a66cc8990..ab3f43b11e5d5cb38eb7b0717df3a3566267c591 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1908,26 +1908,41 @@ extern int g_skip_prefilter;
 static void SigSetupPrefilter(DetectEngineCtx *de_ctx, Signature *s)
 {
     SCEnter();
-    if (s->init_data->prefilter_sm != NULL || s->init_data->mpm_sm != NULL) {
-        SCReturn;
-    }
-
     SCLogDebug("s %u: set up prefilter/mpm", s->id);
-    RetrieveFPForSig(de_ctx, s);
-    if (s->init_data->mpm_sm != NULL) {
-        s->flags |= SIG_FLAG_PREFILTER;
-        SCReturn;
+    DEBUG_VALIDATE_BUG_ON(s->init_data->mpm_sm != NULL);
+
+    if (s->init_data->prefilter_sm != NULL) {
+        if (s->init_data->prefilter_sm->type == DETECT_CONTENT) {
+            RetrieveFPForSig(de_ctx, s);
+            if (s->init_data->mpm_sm != NULL) {
+                s->flags |= SIG_FLAG_PREFILTER;
+                SCLogDebug("%u: RetrieveFPForSig set", s->id);
+                SCReturn;
+            }
+            /* fall through, this can happen if the mpm doesn't support the pattern */
+        } else {
+            s->flags |= SIG_FLAG_PREFILTER;
+            SCReturn;
+        }
+    } else {
+        SCLogDebug("%u: RetrieveFPForSig", s->id);
+        RetrieveFPForSig(de_ctx, s);
+        if (s->init_data->mpm_sm != NULL) {
+            s->flags |= SIG_FLAG_PREFILTER;
+            SCLogDebug("%u: RetrieveFPForSig set", s->id);
+            SCReturn;
+        }
     }
 
     SCLogDebug("s %u: no mpm; prefilter? de_ctx->prefilter_setting %u "
                "s->init_data->has_possible_prefilter %s",
             s->id, de_ctx->prefilter_setting, BOOL2STR(s->init_data->has_possible_prefilter));
 
-    if (!s->init_data->has_possible_prefilter)
+    if (!s->init_data->has_possible_prefilter || g_skip_prefilter)
         SCReturn;
 
-    if (!g_skip_prefilter && de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO &&
-            !(s->flags & SIG_FLAG_PREFILTER)) {
+    DEBUG_VALIDATE_BUG_ON(s->flags & SIG_FLAG_PREFILTER);
+    if (de_ctx->prefilter_setting == DETECT_PREFILTER_AUTO) {
         int prefilter_list = DETECT_TBLSIZE;
         /* get the keyword supporting prefilter with the lowest type */
         for (int i = 0; i < DETECT_SM_LIST_MAX; i++) {

diff --git a/src/detect-prefilter.c b/src/detect-prefilter.c
index f38b56bf8b9ccf68fba1bf8d6397c713658793eb..78b1a3c14b7967c89049607f2926ac54fd150394 100644 (file)
--- a/src/detect-prefilter.c
+++ b/src/detect-prefilter.c
@@ -92,7 +92,6 @@ static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, const ch
             SCLogError("prefilter is not supported for %s", sigmatch_table[sm->type].name);
             SCReturnInt(-1);
         }
-        s->flags |= SIG_FLAG_PREFILTER;
 
         /* make sure setup function runs for this type. */
         de_ctx->sm_types_prefilter[sm->type] = true;