detect/classtype: warn on duplicate classtype

Issue warning instead of erroring and invalidating the rule.

It's not a very serious issue, so don't error out.

diff --git a/src/detect-classtype.c b/src/detect-classtype.c
index b01870ac35f9c578618ea81ceacbf7ad9bcb2d45..13e8452ca25014bdce51f8cd3422996afd4d218e 100644 (file)
--- a/src/detect-classtype.c
+++ b/src/detect-classtype.c
@@ -108,6 +108,12 @@ static int DetectClasstypeSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
     char parsed_ct_name[1024] = "";
     SCClassConfClasstype *ct = NULL;
 
+    if ((s->class > 0) || (s->class_msg != NULL)) {
+        SCLogWarning(SC_ERR_CONFLICTING_RULE_KEYWORDS, "duplicated 'classtype' "
+                "keyword detected. Using first occurence in the rule");
+        return 0;
+    }
+
     if (DetectClasstypeParseRawString(rawstr, parsed_ct_name, sizeof(parsed_ct_name)) < 0) {
         SCLogError(SC_ERR_PCRE_PARSE, "invalid value for classtype keyword: "
                 "\"%s\"", rawstr);
@@ -121,12 +127,6 @@ static int DetectClasstypeSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
         goto error;
     }
 
-    if ((s->class > 0) || (s->class_msg != NULL))
-    {
-        SCLogError(SC_ERR_INVALID_RULE_ARGUMENT, "duplicated 'classtype' keyword detected");
-        goto error;
-    }
-
     /* if we have retrieved the classtype, assign the message to be displayed
      * for this Signature by fast.log, if a Packet matches this Signature */
     s->class = ct->classtype_id;