]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d3ccff5)
detect-engine: use only the exact match fn
authorShivani Bhardwaj <shivani@oisf.net>
Wed, 1 Nov 2023 10:31:35 +0000 (16:01 +0530)
committerVictor Julien <victor@inliniac.net>
Tue, 5 Dec 2023 10:33:09 +0000 (11:33 +0100)
DetectFlagsSignatureNeedsSynPackets checks if TCP SYN flag is set among
other flags.
DetectFlagsSignatureNeedsSynOnlyPackets checks if only TCP SYN flag is
set and no other flag.

Since DetectFlagsSignatureNeedsSynOnlyPackets also already checks for
TCP SYN flag, it does not need to be used in combination with
DetectFlagsSignatureNeedsSynPackets as this fn seems to be the superset
of the former.

src/detect-engine-build.c patch | blob | blame | history

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index 8c01104c48dedf76ab98991d167fe869ea645cb0..05f93169d142c56f2684fb9e9e82daa7a5247dcb 100644 (file)
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -1141,8 +1141,7 @@ static int RuleSetWhitelist(Signature *s)
             SCLogDebug("Rule %u No MPM. Payload inspecting. Whitelisting SGH's.", s->id);
             wl = 55;
 
-        } else if (DetectFlagsSignatureNeedsSynPackets(s) &&
-                   DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
+        } else if (DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
             SCLogDebug("Rule %u Needs SYN, so inspected often. Whitelisting SGH's.", s->id);
             wl = 33;
         }
@@ -1189,12 +1188,10 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u
 
         /* see if we want to exclude directionless sigs that really care only for
          * to_server syn scans/floods */
-        if ((direction == SIG_FLAG_TOCLIENT) &&
-             DetectFlagsSignatureNeedsSynPackets(s) &&
-             DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
-            ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) &&
-            (!(s->dp->port == 0 && s->dp->port2 == 65535)))
-        {
+        if ((direction == SIG_FLAG_TOCLIENT) && DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
+                ((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) ==
+                        (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) &&
+                (!(s->dp->port == 0 && s->dp->port2 == 65535))) {
             SCLogWarning("rule %u: SYN-only to port(s) %u:%u "
                          "w/o direction specified, disabling for toclient direction",
                     s->id, s->dp->port, s->dp->port2);
Mirror of https://github.com/OISF/suricata.git