detect/file_data: Reject invalid protocols
authorJeff Lucovsky <jeff@lucovsky.org>
Thu, 13 Jan 2022 15:39:12 +0000 (10:39 -0500)
committerJeff Lucovsky <jeff@lucovsky.org>
Sat, 15 Jan 2022 13:01:17 +0000 (08:01 -0500)
Issue: #4895

This commit causes Suricata to reject signatures that combine TCP-based
alerts using file_data with NFS keywords.

file_data doesn't support the NFS protocol.

src/detect-file-data.c

index 4a798a4b2bd081453d229a6ae659d3b03f745e4c..ae95ca685c9c668228d3bc080dec1c04629980bd 100644 (file)
@@ -55,6 +55,8 @@ static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectFiledataRegisterTests(void);
 #endif
+static _Bool DetectFiledataValidateCallback(const Signature *s,
+                                        const char **sigerror);
 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
                                         Signature *s);
 static int g_file_data_buffer_id = 0;
@@ -112,6 +114,8 @@ void DetectFiledataRegister(void)
             DetectEngineInspectFiledata, NULL);
     DetectBufferTypeRegisterSetupCallback("file_data",
             DetectFiledataSetupCallback);
+    DetectBufferTypeRegisterValidateCallback("file_data",
+            DetectFiledataValidateCallback);
     DetectAppLayerInspectEngineRegister2("file_data",
             ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
             DetectEngineInspectFiledata, NULL);
@@ -194,6 +198,18 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
     return 0;
 }
 
+static _Bool DetectFiledataValidateCallback(const Signature *s,
+                                        const char **sigerror)
+{
+    if (s->alproto == ALPROTO_NFS) {
+        *sigerror = "Can't use file_data with NFS keywords";
+        SCLogError(SC_ERR_INVALID_SIGNATURE,
+                "Can't use file_data with NFS keywords");
+        return FALSE;
+    }
+    return TRUE;
+}
+
 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
                                         Signature *s)
 {
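Review bot: DetectFiledataValidateCallback rejects only `s->alproto == ALPROTO_NFS`, so it is a one-entry deny list. As far as these lines show, a signature on any other app-layer protocol that file_data has no inspect engine for would still load and then never match, which is a silent detection gap rather than a load-time error. Only the ALPROTO_SMB registration is visible in this diff, so that needs confirming against the full list in DetectFiledataRegister. If NFS really is the only such case, a comment above the function would record why, e.g. `/* file_data doesn't support NFS: reject at load so the rule cannot silently never match */`. The message literal is also written twice; setting `*sigerror` once and logging it with `SCLogError(SC_ERR_INVALID_SIGNATURE, "%s", *sigerror);` keeps the two copies from drifting apart.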