detect/app-layer-events: improve warnings/errors
authorVictor Julien <victor@inliniac.net>
Mon, 7 Sep 2020 14:46:39 +0000 (16:46 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 8 Sep 2020 05:25:31 +0000 (07:25 +0200)
Improve handling of outdated events that are no longer supported by the engine.

src/detect-app-layer-event.c

index 686131bf34750f033bc24f2965c722e2bdf001b8..e6b4499ad4dd204f1aeb964bc924058258ad8f29 100644 (file)
@@ -165,6 +165,16 @@ static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
     return aled;
 }
 
+static bool OutdatedEvent(const char *raw)
+{
+    if (strcmp(raw, "tls.certificate_missing_element") == 0 ||
+            strcmp(raw, "tls.certificate_unknown_element") == 0 ||
+            strcmp(raw, "tls.certificate_invalid_string") == 0) {
+        return true;
+    }
+    return false;
+}
+
 /** \retval int 0 ok
   * \retval int -1 error
   * \retval int -3 non-fatal error: sig will be rejected w/o raising error
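Review bot: OutdatedEvent() has no comment saying why these three TLS event names are singled out, which will make the list hard to maintain when further events are retired. A one-line header in the file's Doxygen style would be enough, e.g. `/** \brief true if \a raw is an event name the engine no longer supports */`. The match is an exact, case-sensitive strcmp(), so a name written with different case or stray whitespace would presumably miss this check and fall through to the normal lookup. How data->arg is normalized before the call is not visible in this hunk and is worth confirming.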
@@ -178,6 +188,18 @@ static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
     char alproto_name[MAX_ALPROTO_NAME];
     int r = 0;
 
+    if (OutdatedEvent(data->arg)) {
+        if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
+            SCLogError(SC_ERR_INVALID_SIGNATURE,
+                    "app-layer-event keyword no longer supports event \"%s\"", data->arg);
+            return -1;
+        } else {
+            SCLogWarning(SC_ERR_INVALID_SIGNATURE,
+                    "app-layer-event keyword no longer supports event \"%s\"", data->arg);
+            return -3;
+        }
+    }
+
     const char *p_idx = strchr(data->arg, '.');
     if (strlen(data->arg) > MAX_ALPROTO_NAME) {
         SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
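Review bot: In the non-strict branch the warning does not say what happens to the rule. Returning -3 appears to mean the signature is rejected without raising an error, going by the \retval comment above and assuming it documents this function. For an operator that is a quiet loss of detection coverage for any rule relying on these TLS events, so the message should state the outcome, e.g. `"app-layer-event keyword no longer supports event \"%s\"; signature will not be loaded"`. The two branches also repeat the same format string, so one shared constant would keep them in sync. The function body starts before and continues after this hunk.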