detect/mark: use postmatch instead of tag list

Keep the tag list for just tags. Post match list is better so the
keyword also works with pass and noalert rules.

diff --git a/src/detect-mark.c b/src/detect-mark.c
index bdb8fe0e215f54d5afee2568bb87a715b836a783..093f1b126ff08553c8c80f672c7fda310aa2871b 100644 (file)
--- a/src/detect-mark.c
+++ b/src/detect-mark.c
@@ -200,8 +200,9 @@ static int DetectMarkSetup (DetectEngineCtx *de_ctx, Signature *s, const char *r
     sm->type = DETECT_MARK;
     sm->ctx = (SigMatchCtx *)data;
 
-    /* Append it to the list of tags */
-    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TMATCH);
+    /* Append it to the list of post match, so the mark is set if the
+     * full signature matches. */
+    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
     return 0;
 #endif
 }