if a sig's set as stream sig only, don't updated it as both stream and pkt sig if...

bug #495 - update rule analyzer to not warn on offset_depth-tcp_pkt update if sig is stream only

bug #497 - rule_warnings fixed

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index d802cbc6e4c4c7b93810adc822d48de5b58fa06a..3f4776e075ab63d87d1c14a7d930a1a35233f4ce 100644 (file)
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -210,6 +210,8 @@ void EngineAnalysisRules(Signature *s, char *line)
     uint32_t warn_method_serverbody = 0;
     uint32_t warn_pcre_method = 0;
     uint32_t warn_encoding_norm_http_buf = 0;
+    uint32_t warn_offset_depth_pkt_stream = 0;
+    uint32_t warn_offset_depth_alproto = 0;
 
     if (s->init_flags & SIG_FLAG_INIT_BIDIREC) {
         rule_bidirectional = 1;
@@ -437,6 +439,14 @@ void EngineAnalysisRules(Signature *s, char *line)
             warn_pcre_method = 1;
         }
     }
+    if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
+        rule_warning += 1;
+        warn_offset_depth_pkt_stream = 1;
+    }
+    if (rule_content_offset_depth > 0 && !stream_buf && packet_buf && s->alproto != ALPROTO_UNKNOWN) {
+        rule_warning += 1;
+        warn_offset_depth_alproto = 1;
+    }
 
     if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
         fprintf(rule_engine_analysis_FD, "== Sid: %u ==\n", s->id);
@@ -514,7 +524,7 @@ void EngineAnalysisRules(Signature *s, char *line)
                                && (rule_pcre > 0 || rule_pcre_http > 0)*/) {
             fprintf(rule_engine_analysis_FD, "    Warning: Rule uses pcre with only a http_method content; possible performance issue.\n");
         }
-        if (rule_content_offset_depth > 0 && s->flags & SIG_FLAG_REQUIRE_STREAM) {
+        if (warn_offset_depth_pkt_stream) {
             fprintf(rule_engine_analysis_FD, "    Warning: Rule has depth"
                     "/offset with raw content keywords.  Please note the "
                     "offset/depth will be checked against both packet "
@@ -522,7 +532,7 @@ void EngineAnalysisRules(Signature *s, char *line)
                     "depth checked against just the payload, you can update "
                     "the signature as \"alert tcp-pkt...\"\n");
         }
-        if (rule_content_offset_depth > 0 && s->alproto != ALPROTO_UNKNOWN) {
+        if (warn_offset_depth_alproto) {
             fprintf(rule_engine_analysis_FD, "    Warning: Rule has "
                     "offset/depth set along with a match on a specific "
                     "app layer protocol - %d.  This can lead to FNs if we "

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 62eada830744b5b8e91dc9395ee3b21234893c21..bd766b8fffb1e6d182af4bb36cb810c5ccec49ab 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1121,7 +1121,7 @@ static int SigValidate(Signature *s) {
         }
     }
 
-    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+    if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
         s->flags |= SIG_FLAG_REQUIRE_STREAM;
         SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
         while (sm != NULL) {