rule analyzer updated for sigs with offset/depth set + alproto set
authorAnoop Saldanha <poonaatsoc@gmail.com>
Thu, 5 Jul 2012 06:24:06 +0000 (11:54 +0530)
committerVictor Julien <victor@inliniac.net>
Thu, 5 Jul 2012 10:38:46 +0000 (12:38 +0200)
src/detect-engine-analyzer.c

index 74346a493b63eb3cb53807fc25aacb64d01b8379..8b3ec5f97b2406b661068b09d317e40395d43a0e 100644 (file)
@@ -181,6 +181,7 @@ void EngineAnalysisRules(Signature *s, char *line)
     uint32_t rule_flowint = 0;
     //uint32_t rule_flowvar = 0;
     uint32_t rule_content_http = 0;
+    uint32_t rule_content_offset_depth = 0;
     uint32_t list_id = 0;
     uint32_t rule_warning = 0;
     uint32_t raw_http_buf = 0;
@@ -216,8 +217,7 @@ void EngineAnalysisRules(Signature *s, char *line)
 
     if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
         packet_buf += 1;
-    }
-    else {
+    } else if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
         stream_buf += 1;
     }
     for (list_id = 0; list_id < DETECT_SM_LIST_MAX; list_id++) {
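Review bot: The new `else if` that replaces the bare `else` tests `SIG_FLAG_REQUIRE_PACKET`, the same flag the preceding `if` already tested, so `stream_buf += 1;` can never execute and stream-only rules stop being counted. The condition presumably meant the stream-requiring flag, which in Suricata is `SIG_FLAG_REQUIRE_STREAM`, giving `} else if (s->flags & SIG_FLAG_REQUIRE_STREAM) {`. The enclosing function EngineAnalysisRules starts before this hunk and continues after it.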
@@ -303,13 +303,13 @@ void EngineAnalysisRules(Signature *s, char *line)
                 }
                 else if (list_id == DETECT_SM_LIST_HCBDMATCH) {
                     rule_content_http += 1;
-                    http_client_body_buf += 1;
                     raw_http_buf += 1;
+                    http_client_body_buf += 1;
                 }
                 else if (list_id == DETECT_SM_LIST_HSBDMATCH) {
                     rule_content_http += 1;
-                    http_server_body_buf += 1;
                     raw_http_buf += 1;
+                    http_server_body_buf += 1;
                 }
                 else if (list_id == DETECT_SM_LIST_HRHDMATCH) {
                     rule_content_http += 1;
@@ -333,11 +333,16 @@ void EngineAnalysisRules(Signature *s, char *line)
                 }
                 else if (list_id == DETECT_SM_LIST_HMDMATCH) {
                     rule_content_http += 1;
-                    http_method_buf += 1;
                     raw_http_buf += 1;
+                    http_method_buf += 1;
                 }
-                else {
+                else if (list_id == DETECT_SM_LIST_PMATCH) {
                     rule_content += 1;
+                    DetectContentData *cd = (DetectContentData *)sm->ctx;
+                    if (cd->flags &
+                        (DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH)) {
+                        rule_content_offset_depth++;
+                    }
                 }
             }
             else if (sm->type == DETECT_FLOW) {
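Review bot: The cast `DetectContentData *cd = (DetectContentData *)sm->ctx;` is performed without any check that `sm->ctx` is a content context or non-NULL; that is only safe if the enclosing branch, which starts above this hunk, already guarantees `sm->type == DETECT_CONTENT` (the `else if (sm->type == DETECT_FLOW)` that follows suggests it does, but it is not visible here). Narrowing the trailing `else` to `else if (list_id == DETECT_SM_LIST_PMATCH)` also means a content keyword in any list not enumerated above is now counted in neither `rule_content` nor the HTTP counters; if that is intended it deserves a comment such as `/* content in other sm lists is deliberately not counted here */`. The enclosing function continues outside the hunk.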
@@ -508,6 +513,22 @@ void EngineAnalysisRules(Signature *s, char *line)
                                && (rule_pcre > 0 || rule_pcre_http > 0)*/) {
             fprintf(rule_engine_analysis_FD, "    Warning: Rule uses pcre with only a http_method content; possible performance issue.\n");
         }
+        if (rule_content_offset_depth > 0) {
+            fprintf(rule_engine_analysis_FD, "    Warning: Rule has depth"
+                    "/offset with raw content keywords.  Please note the "
+                    "offset/depth will be checked against both packet "
+                    "payloads and stream.  If you meant to have the offset/"
+                    "depth checked against just the payload, you can update "
+                    "the signature as \"alert tcp-pkt...\"\n");
+        }
+        if (rule_content_offset_depth > 0 && s->alproto != ALPROTO_UNKNOWN) {
+            fprintf(rule_engine_analysis_FD, "    Warning: Rule has "
+                    "offset/depth set along with a match on a specific "
+                    "app layer protocol - %d.  This can lead to FNs if we "
+                    "have a offset/depth content match on a packet payload "
+                    "before we can detect the app layer protocol for the "
+                    "flow.\n", s->alproto);
+        }
         if (rule_warning == 0) {
             fprintf(rule_engine_analysis_FD, "    No warnings for this rule.\n");
         }
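Review bot: The first new warning fires for every rule with offset/depth on raw content, including rules that already set `SIG_FLAG_REQUIRE_PACKET` (counted into `packet_buf` earlier in this function), so a rule already written as `alert tcp-pkt...` is told to rewrite itself as `alert tcp-pkt...`; gating it with `if (rule_content_offset_depth > 0 && !(s->flags & SIG_FLAG_REQUIRE_PACKET)) {` removes that false positive. Neither new branch bumps `rule_warning`, so unless that counter is raised somewhere outside this hunk the `No warnings for this rule.` line below still prints after these warnings; adding `rule_warning++;` inside each new branch keeps the summary consistent. The `%d` used for `s->alproto` must match that field's real type, so cast it to `int` if it is not one. The enclosing function continues outside the hunk.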