we now support offset, depth inspection against all packet payloads and stream messages

diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 020c87062e42205b309572168f76824aea4031cd..599901a4b0d2c6f7f7f7cbc08cb29f4ef4942944 100644 (file)
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -118,7 +118,7 @@ int SignatureHasStreamContent(Signature *s) {
         SCReturnInt(0);
     }
 
-    if (SignatureHasPacketContent(s)) {
+    if (!(s->proto.proto[6 / 8] & 1 << (6 % 8))) {
         SCReturnInt(0);
     }
 
@@ -127,6 +127,10 @@ int SignatureHasStreamContent(Signature *s) {
         SCReturnInt(0);
     }
 
+    if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
+        SCReturnInt(0);
+    }
+
     SCReturnInt(1);
 }
 

diff --git a/src/detect-parse.c b/src/detect-parse.c
index d2639d32b9bf918e5ef218005f1407ccf6892d3d..753bb586f16b144b0cd3e7a1827fd8713b145894 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -525,6 +525,8 @@ int SigParseProto(Signature *s, const char *protostr) {
         SCReturnInt(-1);
     }
 
+    /* if any of these flags are set they are set in a mutually exclusive
+     * manner */
     if (s->proto.flags & DETECT_PROTO_ONLY_PKT) {
         s->flags |= SIG_FLAG_REQUIRE_PACKET;
     } else if (s->proto.flags & DETECT_PROTO_ONLY_STREAM) {
@@ -1019,7 +1021,8 @@ static int SigValidate(Signature *s) {
 
     if (s->flags & SIG_FLAG_REQUIRE_PACKET &&
         s->flags & SIG_FLAG_REQUIRE_STREAM) {
-        SCLogError(SC_ERR_INVALID_SIGNATURE, "can't mix packet keywords with tcp-stream or flow:only_stream.");
+        SCLogError(SC_ERR_INVALID_SIGNATURE, "can't mix packet keywords with "
+                   "tcp-stream or flow:only_stream.  Invalidating signature.");
         SCReturnInt(0);
     }
 
@@ -1128,6 +1131,20 @@ static int SigValidate(Signature *s) {
         }
     }
 
+    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+        s->flags |= SIG_FLAG_REQUIRE_STREAM;
+        SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+        while (sm != NULL) {
+            if (sm->type == DETECT_CONTENT &&
+                (((DetectContentData *)(sm->ctx))->flags &
+                 (DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
+                s->flags |= SIG_FLAG_REQUIRE_PACKET;
+                break;
+            }
+            sm = sm->next;
+        }
+    }
+
 #ifdef DEBUG
     int i;
     for (i = 0; i < DETECT_SM_LIST_MAX; i++) {

diff --git a/src/detect.c b/src/detect.c
index 7572ff35bbdbe76316bf7ce37d417f8f0561b8bf..a03a38808bf110e7929bde07d7197b9880a4f55e 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1568,7 +1568,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
         if (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
             /* if we have stream msgs, inspect against those first,
              * but not for a "dsize" signature */
-            if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+            if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
                 char pmatch = 0;
                 if (smsg != NULL) {
                     uint8_t pmq_idx = 0;
@@ -1602,8 +1602,10 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                 if (pmatch == 0) {
                     SCLogDebug("no match in smsg, fall back to packet payload");
 
-                    if (p->flags & PKT_STREAM_ADD)
-                        goto next;
+                    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+                        if (p->flags & PKT_STREAM_ADD)
+                            goto next;
+                    }
 
                     if (sms_runflags & SMS_USED_PM) {
                         if (s->flags & SIG_FLAG_MPM_PACKET && !(s->flags & SIG_FLAG_MPM_PACKET_NEG) &&