detect/parse: allow for OK signature parsing errors

The idea of an OK signature parsing error is an error that is
allowed to occur, but still lets test mode pass, unlike
silent errors which will still fail testing.

This is introduced to allow for app-layer event keywords to be
removed, but not have old rules fail out on this case. For example
the Rust DNS parser removes from DNS app-layer events that are
not used anymore.

To signal that an error is OK, -3 is returned. This also implies
silent.

diff --git a/src/detect-engine-loader.c b/src/detect-engine-loader.c
index 8285e8d0d377fdfae76d990b8b0c7951b720f2b9..fba37b8fa84d5aa82cddff9068d207b6f9e62025 100644 (file)
--- a/src/detect-engine-loader.c
+++ b/src/detect-engine-loader.c
@@ -195,7 +195,9 @@ static int DetectLoadSigFile(DetectEngineCtx *de_ctx, char *sig_file,
             if (rule_engine_analysis_set) {
                 EngineAnalysisRulesFailure(line, sig_file, lineno - multiline);
             }
-            bad++;
+            if (!de_ctx->sigerror_ok) {
+                bad++;
+            }
         }
         multiline = 0;
     }

diff --git a/src/detect-parse.c b/src/detect-parse.c
index ae978178a06b5bbc2f98d875b76f5aafab1d4bd6..e462070bb50b8cb4585333b846ac846c9dbf2ca2 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1863,7 +1863,12 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
     sig->gid = 1;
 
     int ret = SigParse(de_ctx, sig, sigstr, dir, &parser);
-    if (ret == -2) {
+    if (ret == -3) {
+        de_ctx->sigerror_silent = true;
+        de_ctx->sigerror_ok = true;
+        goto error;
+    }
+    else if (ret == -2) {
         de_ctx->sigerror_silent = true;
         goto error;
     } else if (ret < 0) {
@@ -1902,7 +1907,12 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
     }
 
     ret = DetectAppLayerEventPrepare(sig);
-    if (ret == -2) {
+    if (ret == -3) {
+        de_ctx->sigerror_silent = true;
+        de_ctx->sigerror_ok = true;
+        goto error;
+    }
+    else if (ret == -2) {
         de_ctx->sigerror_silent = true;
         goto error;
     } else if (ret < 0) {

diff --git a/src/detect.h b/src/detect.h
index ca63c1ca70c0d4e5c73bbfd24520fa18b6dbc1c2..ab37135c82df28b858e606f1f9985a91b3c96c45 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -865,6 +865,7 @@ typedef struct DetectEngineCtx_ {
     char *rule_file;
     int rule_line;
     bool sigerror_silent;
+    bool sigerror_ok;
     const char *sigerror;
 
     /** list of keywords that need thread local ctxs */