From: Victor Julien Date: Fri, 17 Jul 2015 15:49:01 +0000 (+0200) Subject: detect: set flow noinspect on pass in applayer/stream X-Git-Tag: suricata-3.0RC1~229 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06ee2bc87e77bcb981a56ffbe74e7e55757146bf;p=thirdparty%2Fsuricata.git detect: set flow noinspect on pass in applayer/stream If a pass rule matches in the reassembled stream and/or in the app-layer state, it means the rest of the flow should not be inspected.
---
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 8f91a4b837..c2d7e42065 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -293,7 +293,16 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 /* Ok, reset the alert cnt to end in the previous of pass
 * so we ignore the rest with less prio */
 p->alerts.cnt = i;
+
+ /* if an stream/app-layer match we enforce the pass for the flow */
+ if ((p->flow != NULL) &&
+ (p->alerts.alerts[i].flags &
+ (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
+ {
+ FlowLockSetNoPacketInspectionFlag(p->flow);
+ }
 break;
+
 /* if the signature wants to drop, check if the
 * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
 } else if ((PACKET_TEST_ACTION(p, ACTION_DROP)) &&
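Review bot: The one-line comment above the new `if` under `p->alerts.cnt = i;` understates what the block does: a single alert carrying `PACKET_ALERT_FLAG_STATE_MATCH` or `PACKET_ALERT_FLAG_STREAM_MATCH` now ends inspection for the whole flow through `FlowLockSetNoPacketInspectionFlag(p->flow)`. Because a broadly written pass rule then exempts everything that follows on the same connection, the comment should say so for rule authors and maintainers, e.g. `/* pass matched in stream/app-layer data: the rest of this flow is no longer inspected */`. The helper's name suggests it takes the flow lock itself, and the hunk does not show whether the caller already holds that lock here, so a second comment line stating the locking assumption (`p->flow` not locked on entry, if that is the case) would help the next reader. PacketAlertFinalize starts and ends outside the hunk, so this is based only on the visible lines.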