detect: enforce flow drops earlier
authorVictor Julien <victor@inliniac.net>
Fri, 10 Sep 2021 10:35:13 +0000 (12:35 +0200)
committerVictor Julien <vjulien@oisf.net>
Tue, 14 Jun 2022 19:12:17 +0000 (21:12 +0200)
Enforcing flow drops is now done earlier in the detection engine and
moved out of the IP-only engine where it didn't belong.

(cherry picked from commit 802c1ffee35250d1ac753aec1343e481b83d854f)

src/detect.c

index 1986c2671cf3ef13f8446654883de1a1213f7b24..2c2900c52a163aafcbfe20634370bf58cf9395b8 100644 (file)
@@ -547,12 +547,6 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
             /* save in the flow that we scanned this direction... */
             FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
         }
-        /* If we have a drop from IP only module,
-         * we will drop the rest of the flow packets
-         * This will apply only to inline/IPS */
-        if (pflow->flags & FLOW_ACTION_DROP) {
-            PACKET_DROP(p);
-        }
     } else { /* p->flags & PKT_HAS_FLOW */
         /* no flow */
 
@@ -1564,6 +1558,12 @@ static void DetectFlow(ThreadVars *tv,
         return;
     }
 
+    /* if flow is set to drop, we enforce that here */
+    if (p->flow->flags & FLOW_ACTION_DROP) {
+        PACKET_DROP(p);
+        SCReturn;
+    }
+
     /* see if the packet matches one or more of the sigs */
     (void)DetectRun(tv, de_ctx, det_ctx, p);
 }
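Review bot: The added `SCReturn` after `PACKET_DROP(p)` makes this stricter than the IP-only code it replaces, which fell through to detection after marking the drop, so the rest of a dropped flow now sees no signature evaluation at all and the comment should say so; also, the removed comment's caveat that this only takes effect in inline/IPS mode (in IDS mode the packet is merely marked) is lost. Suggested comment: `/* flow is set to drop: mark the packet and skip detection for it entirely. Only has an enforcing effect in inline/IPS mode; in IDS mode this just records the DROP action. */`. The new code dereferences `p->flow` without a visible NULL check; the `return` at the top of the hunk is presumably an earlier guard in DetectFlow, but the function's start lies outside the hunk, so confirm that callers only reach this point with a flow attached.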