From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Fri, 11 Aug 2023 12:44:06 +0000 (+0000) Subject: Pull request #3954: http_inspect: disable rule evaluation caching for MIME attachments X-Git-Tag: 3.1.69.0~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30d5d0cb690ac2e0508aa2724516d9b1597258e3;p=thirdparty%2Fsnort3.git Pull request #3954: http_inspect: disable rule evaluation caching for MIME attachments Merge in SNORT/snort3 from ~OSHUMEIK/snort3:http_multiple_detection to master Squashed commit of the following: commit 38d843d18168ea4895e1a040f7de243cfb72dfc7 Author: Oleksii Shumeiko Date: Thu Aug 10 15:42:06 2023 +0300 http_inspect: disable rule evaluation caching for MIME attachments --- diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 161f572df..6ead8ac42 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc @@ -750,6 +750,11 @@ bool HttpMsgBody::run_detection(snort::Packet* p) js_ctx_tmp = session_data->js_ctx[source_id]; session_data->js_ctx[source_id] = acquire_js_ctx_mime(); + // When multiple attachments appear in a single TCP segment, + // the detection engine caches the results of the rule options after + // evaluating on the first call. Setting this flag stops the caching. + p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT; + DetectionEngine::detect(p); if (!is_last_attachment || last_attachment_complete)
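Review bot: the `p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT;` line added just before `DetectionEngine::detect(p);` sets the flag on the packet and nothing in the visible lines clears it again, whereas the adjacent `js_ctx` swap first saves the previous value in `js_ctx_tmp`. If the same `Packet` goes through further detection after the MIME attachments are done, it will still carry the flag and skip caching there as well. Either clear the bit after the `detect(p)` call (restoring the previous state if it was already set) or note in the comment where the packet flags are reset, so the scope of the change is explicit. The comment could also state the consequence it prevents: per its own wording, rule option results cached from the first attachment in a TCP segment would otherwise be reused for later attachments in that segment. The diff touches only `http_msg_body.cc`, so a regression test with two attachments in one segment, where only the second should match a rule, would be worth adding alongside it.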