Pull request #3954: http_inspect: disable rule evaluation caching for MIME attachments
authorOleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Fri, 11 Aug 2023 12:44:06 +0000 (12:44 +0000)
committerOleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Fri, 11 Aug 2023 12:44:06 +0000 (12:44 +0000)
Merge in SNORT/snort3 from ~OSHUMEIK/snort3:http_multiple_detection to master

Squashed commit of the following:

commit 38d843d18168ea4895e1a040f7de243cfb72dfc7
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Thu Aug 10 15:42:06 2023 +0300

    http_inspect: disable rule evaluation caching for MIME attachments

src/service_inspectors/http_inspect/http_msg_body.cc

index 161f572df45003c2d58ceaea7ac0712df782d133..6ead8ac4297fdc64019477b0404c9be72c61fefe 100644 (file)
@@ -750,6 +750,11 @@ bool HttpMsgBody::run_detection(snort::Packet* p)
             js_ctx_tmp = session_data->js_ctx[source_id];
             session_data->js_ctx[source_id] = acquire_js_ctx_mime();
 
+            // When multiple attachments appear in a single TCP segment,
+            // the detection engine caches the results of the rule options after
+            // evaluating on the first call. Setting this flag stops the caching.
+            p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT;
+
             DetectionEngine::detect(p);
 
             if (!is_last_attachment || last_attachment_complete)
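Review bot: The added line ORs `PKT_ALLOW_MULTIPLE_DETECT` into `p->packet_flags` and nothing in the visible lines clears it, so the packet presumably keeps rule-option caching disabled for any evaluation that follows this block, not only for the per-attachment `DetectionEngine::detect(p)` call. The hunk already saves and swaps `js_ctx` around the call, so the flag could be scoped the same way: record `const bool had_flag = p->packet_flags & PKT_ALLOW_MULTIPLE_DETECT;` before setting it and run `if (!had_flag) p->packet_flags &= ~PKT_ALLOW_MULTIPLE_DETECT;` once the attachment handling is done. Whether that is needed depends on how `p` is used after `run_detection` returns, which is outside the hunk. The comment should also state the consequence it prevents, e.g. `// Without this, rule options cached from the first attachment are reused and later attachments in the same segment are not re-evaluated.`, and a regression test with two attachments in one segment, where only the second matches a rule, would pin the behaviour.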