detect/transform: Clarify transformation validation

Issue: 6439

Clarify the transform validation step. When a transform indicates that
the content/byte-array is not compatible, validation will stop.

Content is incompatible is some cases -- e.g., following the
to_lowercase transform with content containing uppercase characters.
An alert is not possible since the content contains uppercase and the
transform has converted the buffer into all lowercase.

diff --git a/src/detect-engine.c b/src/detect-engine.c
index e50a6fa505adfecee9857c24eff8a8326cb75ea6..3754c713225ac345010c27e9c21f174dae061453 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -1690,8 +1690,8 @@ void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_l
  *  transform may validate that it's compatible with the transform.
  *
  *  When a transform indicates the byte array is incompatible, none of the
- *  subsequent transforms, if any, are invoked. This means the first positive
- *  validation result terminates the loop.
+ *  subsequent transforms, if any, are invoked. This means the first validation
+ *  failure terminates the loop.
  *
  *  \param de_ctx Detection engine context.
  *  \param sm_list The SM list id.