detect: fix mix of pass and noalert
authorVictor Julien <victor@inliniac.net>
Fri, 7 Jul 2017 10:18:28 +0000 (12:18 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 7 Jul 2017 10:18:28 +0000 (12:18 +0200)
Noalert rules did not apply pass logic to the flow.

Bug #1888.

src/detect-engine-alert.c
src/detect-engine-iponly.c
src/detect-engine-state.c
src/detect.c
src/detect.h

index 794331d11700ea5e51b87ca3939511d5bf617973..4a44888bab324be4aa94d70850573f74e9d98a28 100644 (file)
@@ -287,20 +287,12 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
             }
 
             /* set actions on packet */
-            DetectSignatureApplyActions(p, p->alerts.alerts[i].s);
+            DetectSignatureApplyActions(p, p->alerts.alerts[i].s, p->alerts.alerts[i].flags);
 
             if (PACKET_TEST_ACTION(p, ACTION_PASS)) {
                 /* Ok, reset the alert cnt to end in the previous of pass
                  * so we ignore the rest with less prio */
                 p->alerts.cnt = i;
-
-                /* if an stream/app-layer match we enforce the pass for the flow */
-                if ((p->flow != NULL) &&
-                    (p->alerts.alerts[i].flags &
-                        (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
-                {
-                    FlowSetNoPacketInspectionFlag(p->flow);
-                }
                 break;
 
             /* if the signature wants to drop, check if the
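Review bot: The comment `/* set actions on packet */` above the changed call is now incomplete, because DetectSignatureApplyActions also marks the flow as not inspected when a pass signature matched on stream or app-layer state. I would update it to `/* set actions on packet; a pass on a state/stream match is also enforced on the flow */` so a reader of this loop still sees where inspection for the rest of the flow gets switched off. The loop also keeps testing the accumulated packet action with `PACKET_TEST_ACTION(p, ACTION_PASS)` while the callee tests `s->action & ACTION_PASS`; these can differ when an earlier signature set the pass, which looks intended but is not stated in the commit message. PacketAlertFinalize starts and ends outside the hunk.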
index 28264b434b4932527c852a399a6b4bbd64b06dcc..0bf283f256d7b33bfd826e040133aed182d82ba7 100644 (file)
@@ -1096,7 +1096,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
                             PacketAlertAppend(det_ctx, s, p, 0, 0);
                     } else {
                         /* apply actions for noalert/rule suppressed as well */
-                        DetectSignatureApplyActions(p, s);
+                        DetectSignatureApplyActions(p, s, 0);
                     }
                 }
             }
index e1b339347e7e95dc66e4e793e8d776e7fac32028..957966c19d8cdeaf285f6c1e52c36c1f1008ca7e 100644 (file)
@@ -471,7 +471,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 PacketAlertAppend(det_ctx, s, p, tx_id,
                         PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);
             } else {
-                DetectSignatureApplyActions(p, s);
+                DetectSignatureApplyActions(p, s,
+                        PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);
             }
             alert_cnt = 1;
             SCLogDebug("MATCH: tx %u packet %u", (uint)tx_id, (uint)p->pcap_cnt);
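Review bot: The flag expression `PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX` is now written out in both branches, and the bug being fixed was exactly the alert and noalert paths disagreeing. A single local, e.g. `const uint8_t alert_flags = PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX;`, passed to both PacketAlertAppend and DetectSignatureApplyActions would keep them from drifting apart. DeStateDetectStartDetection's body continues outside the hunk, so check that no `alert_flags` is already declared there.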
index 4ea8ffa0062bbe0fba7dd9d8a46079263a74479d..adbdab17ee68a0d1c7e6c5401e0db5f8ca288ebf 100644 (file)
@@ -1378,7 +1378,7 @@ void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineT
                 PacketAlertAppend(det_ctx, s, p, 0, alert_flags);
         } else {
             /* apply actions even if not alerting */
-            DetectSignatureApplyActions(p, s);
+            DetectSignatureApplyActions(p, s, alert_flags);
         }
 next:
         DetectVarProcessList(det_ctx, pflow, p);
@@ -1446,7 +1446,8 @@ end:
 
 /** \brief Apply action(s) and Set 'drop' sig info,
  *         if applicable */
-void DetectSignatureApplyActions(Packet *p, const Signature *s)
+void DetectSignatureApplyActions(Packet *p,
+        const Signature *s, const uint8_t alert_flags)
 {
     PACKET_UPDATE_ACTION(p, s->action);
 
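Review bot: The doc comment still reads `Apply action(s) and Set 'drop' sig info`, but with the new `alert_flags` argument the function can also switch off packet inspection for the whole flow. Add a `\param alert_flags` line saying these are the PACKET_ALERT_FLAG_* bits of the match and that STATE_MATCH or STREAM_MATCH on a pass signature enforces the pass on the flow, and mention that side effect in the `\brief`. Callers that pass a literal `0` (the ip-only path) rely on this to stay packet-scoped, so it should be written down.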
@@ -1456,6 +1457,14 @@ void DetectSignatureApplyActions(Packet *p, const Signature *s)
             p->alerts.drop.action = s->action;
             p->alerts.drop.s = (Signature *)s;
         }
+    } else if (s->action & ACTION_PASS) {
+        /* if an stream/app-layer match we enforce the pass for the flow */
+        if ((p->flow != NULL) &&
+                (alert_flags & (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
+        {
+            FlowSetNoPacketInspectionFlag(p->flow);
+        }
+
     }
 }
 
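Review bot: The new `else if (s->action & ACTION_PASS)` branch means a noalert pass rule that matches on stream or app-layer state stops packet inspection for the rest of the flow without leaving any alert record, so detection coverage can shrink with nothing to show for it. A debug line inside the inner `if`, e.g. `SCLogDebug("pass rule match: packet inspection disabled for flow");`, would make that traceable when someone investigates why later traffic on a flow was not inspected. Because this is an `else if`, pass handling is skipped whenever the first branch is taken; its condition sits outside the hunk, presumably the drop test, so confirm the two cannot both apply. The empty line before the closing brace and the wording `if an stream/app-layer match` in the moved comment can be tidied (`if a stream/app-layer match, enforce the pass for the flow`).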
index 0b8c396cccda65ab54a96bc9dec5af6cd3477ef9..d377cbd032b2e5d82dfe3acce9116961d49956cf 100644 (file)
@@ -1415,7 +1415,7 @@ void *DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int);
 int SigMatchSignaturesRunPostMatch(ThreadVars *tv,
                                    DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p,
                                    const Signature *s);
-void DetectSignatureApplyActions(Packet *p, const Signature *s);
+void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);
 
 #endif /* __DETECT_H__ */
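Review bot: The updated prototype leaves the third parameter unnamed, `const uint8_t`, while the other two are named and the definition calls it `alert_flags`. Name it in the header too and drop the top-level `const`, which has no effect in a declaration: `void DetectSignatureApplyActions(Packet *p, const Signature *s, uint8_t alert_flags);`. The name is the only hint a caller reading detect.h gets that this argument takes PACKET_ALERT_FLAG_* bits.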