detect/app-layer-proto: don't run detection on ALPROTO_UNKNOWN

Don't return true for negated protocol check if no protocol has been
evaluated due to ALPROTO_UNKNOWN in the packet direction.

This leads to false positives for negated matching, as an expression
like "!tls" will match if checked against ALPROTO_UNKNOWN.

This patch readds missing check. The keyword returns no match as
long as the alproto is ALPROTO_UNKNOWN.

Fixes: bf9bbdd61285 ("detect: fix app-layer-protocol keyword for HTTP")
Ticket: #7242.

diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c
index 26a5ce6235aa3107ab0df495498c4bb16cd13210..c5924f07a1579381473838c35e8d77994555a0e7 100644 (file)
--- a/src/detect-app-layer-protocol.c
+++ b/src/detect-app-layer-protocol.c
@@ -86,6 +86,7 @@ static int DetectAppLayerProtocolPacketMatch(
             p->pcap_cnt,
             p->flowflags & (FLOW_PKT_TOCLIENT|FLOW_PKT_TOSERVER),
             f->alproto, f->alproto_ts, f->alproto_tc);
+        SCReturnInt(0);
     }
     r = r ^ data->negated;
     if (r) {
@@ -214,14 +215,14 @@ PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const vo
         SCReturn;
     }
 
-    if ((p->flags & PKT_PROTO_DETECT_TS_DONE) && (p->flowflags & FLOW_PKT_TOSERVER))
-    {
+    if ((p->flags & PKT_PROTO_DETECT_TS_DONE) && (p->flowflags & FLOW_PKT_TOSERVER) &&
+            p->flow->alproto_ts != ALPROTO_UNKNOWN) {
         int r = (ctx->v1.u16[0] == p->flow->alproto_ts) ^ ctx->v1.u8[2];
         if (r) {
             PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
         }
-    } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT))
-    {
+    } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT) &&
+               p->flow->alproto_tc != ALPROTO_UNKNOWN) {
         int r = (ctx->v1.u16[0] == p->flow->alproto_tc) ^ ctx->v1.u8[2];
         if (r) {
             PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);