detect: set flow noinspect on pass in applayer/stream
authorVictor Julien <victor@inliniac.net>
Fri, 17 Jul 2015 15:49:01 +0000 (17:49 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 22 Jul 2015 10:13:43 +0000 (12:13 +0200)
If a pass rule matches in the reassembled stream and/or in the
app-layer state, it means the rest of the flow should not be
inspected.

src/detect-engine-alert.c

index 8f91a4b8375d6c19510ed84527b2e69142cdc8b0..c2d7e4206524bea81e4860451904d48101758c7a 100644 (file)
@@ -293,7 +293,16 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                 /* Ok, reset the alert cnt to end in the previous of pass
                  * so we ignore the rest with less prio */
                 p->alerts.cnt = i;
+
+                /* if an stream/app-layer match we enforce the pass for the flow */
+                if ((p->flow != NULL) &&
+                    (p->alerts.alerts[i].flags &
+                        (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
+                {
+                    FlowLockSetNoPacketInspectionFlag(p->flow);
+                }
                 break;
+
             /* if the signature wants to drop, check if the
              * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
             } else if ((PACKET_TEST_ACTION(p, ACTION_DROP)) &&
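Review bot: The added `FlowLockSetNoPacketInspectionFlag(p->flow)` call in the pass branch switches off packet inspection for the rest of the flow, and the one-line comment above it does not say that the effect is flow-wide and, as far as this hunk shows, never undone. Because a single stream or app-layer match on a pass rule now exempts all later packets from drop and alert rules, the comment should spell that out, e.g. `/* pass matched on stream/app-layer state: stop inspecting the rest of this flow (not reverted here), so keep such pass rules narrowly scoped */`. The helper's name suggests it takes the flow lock itself, so it is worth confirming that no caller of PacketAlertFinalize reaches this point with that lock already held. The enclosing function and the pass-action condition start outside the hunk.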