detect/stream_size: apply rule to packets & stream

The use of stream_size in combination with raw content matches is an
indication that the rule needs to be evaluated per packet, not just
per reassembled stream chunk.

diff --git a/src/detect-parse.c b/src/detect-parse.c
index dbb5dc66682eda082cfc4b1e26c947981d152f02..7e6068e94ba4588326d3d695a0ad9b3653e5b2cf 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1708,19 +1708,33 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
         }
     }
 
-    /* TCP: pkt vs stream vs depth/offset */
+    /* TCP: corner cases:
+     * - pkt vs stream vs depth/offset
+     * - pkt vs stream vs stream_size
+     */
     if (s->proto.proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
-        if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
-            s->flags |= SIG_FLAG_REQUIRE_STREAM;
-            sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
-            while (sm != NULL) {
-                if (sm->type == DETECT_CONTENT &&
-                        (((DetectContentData *)(sm->ctx))->flags &
-                         (DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
-                    s->flags |= SIG_FLAG_REQUIRE_PACKET;
-                    break;
+        if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]) {
+            if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
+                s->flags |= SIG_FLAG_REQUIRE_STREAM;
+                sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
+                while (sm != NULL) {
+                    if (sm->type == DETECT_CONTENT &&
+                            (((DetectContentData *)(sm->ctx))->flags &
+                             (DETECT_CONTENT_DEPTH | DETECT_CONTENT_OFFSET))) {
+                        s->flags |= SIG_FLAG_REQUIRE_PACKET;
+                        break;
+                    }
+                    sm = sm->next;
+                }
+                /* if stream_size is in use, also inspect packets */
+                sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
+                while (sm != NULL) {
+                    if (sm->type == DETECT_STREAM_SIZE) {
+                        s->flags |= SIG_FLAG_REQUIRE_PACKET;
+                        break;
+                    }
+                    sm = sm->next;
                 }
-                sm = sm->next;
             }
         }
     }