In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior
regardless of being in IDS or IPS mode.
This meant that (at least) the 'flow.action' was changed to drop when we
hit an exception policy in IDS mode.
Bug #6109
(cherry picked from commit 8f324e3b3d4137b1092b877e8f0dab42e7c824fd)
case EXCEPTION_POLICY_REJECT:
SCLogDebug("EXCEPTION_POLICY_REJECT");
PacketDrop(p, ACTION_REJECT, drop_reason);
+ if (!EngineModeIsIPS()) {
+ break;
+ }
/* fall through */
case EXCEPTION_POLICY_DROP_FLOW:
SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
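Review bot: In the EXCEPTION_POLICY_REJECT case, the PacketDrop(p, ACTION_REJECT, drop_reason) call still sits above the new EngineModeIsIPS() check, so in IDS mode the packet is still passed to PacketDrop with ACTION_REJECT and only the fall-through into EXCEPTION_POLICY_DROP_FLOW is skipped. The commit message talks about flow.action only, so it is not clear whether that per-packet call is meant to stay in IDS mode. If it is, please add a one-line comment above the check saying that the break exists to leave the flow untouched outside IPS mode; if it is not, the check should move above the PacketDrop call. The existing /* fall through */ comment is now only true in IPS mode, so rewording it to say so would help the next reader. A test that hits this policy in IDS mode and asserts the flow action is not set to drop would guard against a regression.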