detect/transform: Clarify transformation validation

Issue: 6439

Clarify the transform validation step. When a transform indicates that
the content/byte-array is not compatible, validation will stop.

Content is incompatible is some cases -- e.g., following the
to_lowercase transform with content containing uppercase characters.
An alert is not possible since the content contains uppercase and the
transform has converted the buffer into all lowercase.

(cherry picked from commit a46779d866b1b121adc73164215ba6437f53c208)

diff --git a/src/detect-engine.c b/src/detect-engine.c
index d8f9f1880e56494088198c7f325d3a1a90727686..0d37befa3245d450f8982431daf7089024f04fd1 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -1690,8 +1690,8 @@ void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_l
  *  transform may validate that it's compatible with the transform.
  *
  *  When a transform indicates the byte array is incompatible, none of the
- *  subsequent transforms, if any, are invoked. This means the first positive
- *  validation result terminates the loop.
+ *  subsequent transforms, if any, are invoked. This means the first validation
+ *  failure terminates the loop.
  *
  *  \param de_ctx Detection engine context.
  *  \param sm_list The SM list id.