From: Shivani Bhardwaj
Date: Wed, 1 Nov 2023 10:31:35 +0000 (+0530)
Subject: detect-engine: use only the exact match fn
X-Git-Tag: suricata-8.0.0-beta1~1988
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f78a4fcd8cfd831b37916335af8a3f7518d3bff;p=thirdparty%2Fsuricata.git

detect-engine: use only the exact match fn

DetectFlagsSignatureNeedsSynPackets checks if TCP SYN flag is set among other flags. DetectFlagsSignatureNeedsSynOnlyPackets checks if only TCP SYN flag is set and no other flag. Since DetectFlagsSignatureNeedsSynOnlyPackets also already checks for TCP SYN flag, it does not need to be used in combination with DetectFlagsSignatureNeedsSynPackets as this fn seems to be the superset of the former.
---
diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index 8c01104c48..05f93169d1 100644
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -1141,8 +1141,7 @@ static int RuleSetWhitelist(Signature *s)
 SCLogDebug("Rule %u No MPM. Payload inspecting. Whitelisting SGH's.", s->id);
 wl = 55;
- } else if (DetectFlagsSignatureNeedsSynPackets(s) &&
- DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
+ } else if (DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
 SCLogDebug("Rule %u Needs SYN, so inspected often. Whitelisting SGH's.", s->id);
 wl = 33;
 }
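Review bot: The new `} else if (DetectFlagsSignatureNeedsSynOnlyPackets(s)) {` is equivalent to the removed conjunction only if a SYN-only match implies a SYN match, which nothing in this hunk establishes and which the commit message itself hedges with "seems to be". A one-line comment stating that invariant at the call site would make the dependency visible to the next reader, e.g. `/* SYN-only implies SYN: DetectFlagsSignatureNeedsSynPackets() need not be checked too */`. The debug text `"Rule %u Needs SYN, so inspected often. Whitelisting SGH's."` still describes the broader condition; `"Rule %u Needs SYN-only, so inspected often. Whitelisting SGH's."` would match the test actually made. The same simplification is made in the RulesGroupByPorts hunk below, whose closing lines fall outside this view, and RuleSetWhitelist's body both starts and continues outside this hunk.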
@@ -1189,12 +1188,10 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u
 /* see if we want to exclude directionless sigs that really care only for
 * to_server syn scans/floods */
- if ((direction == SIG_FLAG_TOCLIENT) &&
- DetectFlagsSignatureNeedsSynPackets(s) &&
- DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
- ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) &&
- (!(s->dp->port == 0 && s->dp->port2 == 65535)))
- {
+ if ((direction == SIG_FLAG_TOCLIENT) && DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
+ ((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) ==
+ (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) &&
+ (!(s->dp->port == 0 && s->dp->port2 == 65535))) {
 SCLogWarning("rule %u: SYN-only to port(s) %u:%u " "w/o direction specified, disabling for toclient direction", s->id, s->dp->port, s->dp->port2);