From: Victor Julien
Date: Fri, 7 Jul 2017 10:18:28 +0000 (+0200)
Subject: detect: fix mix of pass and noalert
X-Git-Tag: suricata-4.0.0-rc2~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c05379cbd430a06714537632ddba9f033cd87f1;p=thirdparty%2Fsuricata.git
detect: fix mix of pass and noalert
Noalert rules did not apply pass logic to the flow.
Bug #1888.
---
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 794331d117..4a44888bab 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -287,20 +287,12 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 }
 /* set actions on packet */
- DetectSignatureApplyActions(p, p->alerts.alerts[i].s);
+ DetectSignatureApplyActions(p, p->alerts.alerts[i].s, p->alerts.alerts[i].flags);
 if (PACKET_TEST_ACTION(p, ACTION_PASS)) {
 /* Ok, reset the alert cnt to end in the previous of pass
 * so we ignore the rest with less prio */
 p->alerts.cnt = i;
-
- /* if an stream/app-layer match we enforce the pass for the flow */
- if ((p->flow != NULL) &&
- (p->alerts.alerts[i].flags &
- (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
- {
- FlowSetNoPacketInspectionFlag(p->flow);
- }
 break;
 /* if the signature wants to drop, check if the
diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c
index 28264b434b..0bf283f256 100644
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@@ -1096,7 +1096,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
 PacketAlertAppend(det_ctx, s, p, 0, 0);
 } else {
 /* apply actions for noalert/rule suppressed as well */
- DetectSignatureApplyActions(p, s);
+ DetectSignatureApplyActions(p, s, 0);
 }
 }
 }
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index e1b339347e..957966c19d 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
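Review bot: The comment `/* set actions on packet */` above the changed call no longer describes its whole effect: now that the per-alert `flags` are passed in, a pass rule that matched on state or stream also marks the flow inside DetectSignatureApplyActions, which is exactly the block removed below `p->alerts.cnt = i;`. Suggest `/* set actions on packet; a pass on a state/stream match also marks p->flow as no-inspect */` so a reader of this loop still sees the flow-level side effect without opening detect.c. PacketAlertFinalize starts and ends outside the hunk.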
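Review bot: The literal `0` passed as alert_flags on the new call is the one call site in this commit where the flow-wide pass can never be applied, because the flags carry no STATE or STREAM match bit; that is consistent with the `PacketAlertAppend(det_ctx, s, p, 0, 0)` call in the alerting branch just above, but nothing says so. Suggest a short comment on the call, `/* no state/stream flags here, so the pass stays per-packet in this path */`, so the asymmetry with the detect.c and detect-engine-state.c call sites reads as intended rather than as an oversight. IPOnlyMatchPacket starts outside the hunk, so whether it handles flow-level pass elsewhere cannot be seen here.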
@@ -471,7 +471,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 PacketAlertAppend(det_ctx, s, p, tx_id,
 PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);
 } else {
- DetectSignatureApplyActions(p, s);
+ DetectSignatureApplyActions(p, s,
+ PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);
 }
 alert_cnt = 1;
 SCLogDebug("MATCH: tx %u packet %u", (uint)tx_id, (uint)p->pcap_cnt);
diff --git a/src/detect.c b/src/detect.c
index 4ea8ffa006..adbdab17ee 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1378,7 +1378,7 @@ void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineT
 PacketAlertAppend(det_ctx, s, p, 0, alert_flags);
 } else {
 /* apply actions even if not alerting */
- DetectSignatureApplyActions(p, s);
+ DetectSignatureApplyActions(p, s, alert_flags);
 }
 next:
 DetectVarProcessList(det_ctx, pflow, p);
@@ -1446,7 +1446,8 @@ end:
 /** \brief Apply action(s) and Set 'drop' sig info,
 * if applicable */
-void DetectSignatureApplyActions(Packet *p, const Signature *s)
+void DetectSignatureApplyActions(Packet *p,
+ const Signature *s, const uint8_t alert_flags)
 {
 PACKET_UPDATE_ACTION(p, s->action);
@@ -1456,6 +1457,14 @@ void DetectSignatureApplyActions(Packet *p, const Signature *s)
 p->alerts.drop.action = s->action;
 p->alerts.drop.s = (Signature *)s;
 }
+ } else if (s->action & ACTION_PASS) {
+ /* if an stream/app-layer match we enforce the pass for the flow */
+ if ((p->flow != NULL) &&
+ (alert_flags & (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
+ {
+ FlowSetNoPacketInspectionFlag(p->flow);
+ }
+ }
 }
diff --git a/src/detect.h b/src/detect.h
index 0b8c396ccc..d377cbd032 100644
--- a/src/detect.h
+++ b/src/detect.h
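Review bot: The flag set `PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX` is now spelled twice in this hunk, once in the PacketAlertAppend call and once in the new DetectSignatureApplyActions call, so the alerting and noalert branches can silently drift apart; SigMatchSignatures in detect.c already passes one `alert_flags` variable to both calls. Suggest hoisting it above the `if`: `const uint8_t alert_flags = PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX;` and using `alert_flags` in both calls. DeStateDetectStartDetection starts and ends outside the hunk.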
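Review bot: The doxygen block above the changed signature in the `@@ -1446` hunk still reads `\brief Apply action(s) and Set 'drop' sig info, if applicable` and documents neither the new `alert_flags` parameter nor the flow-level effect that now lives in this function. Suggest adding `\param alert_flags PACKET_ALERT_FLAG_* bits describing how s matched (0 when not known)` and extending the brief to say that a pass rule on a state or stream match also sets the no-packet-inspection flag on p->flow. The function body continues in the next hunk and past it.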
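Review bot: The new branch in the `@@ -1456` hunk gates the flow-wide pass on the rule's own `s->action & ACTION_PASS`, whereas the code it replaces in PacketAlertFinalize tested the packet's accumulated action with PACKET_TEST_ACTION after the update; the two agree only if PACKET_UPDATE_ACTION always carries the PASS bit through, which this hunk cannot show, so that is worth confirming. Since a noalert pass rule now switches off inspection for the remainder of the flow — the point of Bug #1888 — the moved comment should state that widened effect, e.g. `/* pass on a stream/app-layer match: stop inspecting the rest of this flow, noalert rules included */`, as a flow-level pass is a much larger blind spot than a per-packet one and is what an operator tuning pass rules needs to know. The function's closing brace is the last context line of the hunk.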
@@ -1415,7 +1415,7 @@ void *DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int);
 int SigMatchSignaturesRunPostMatch(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s);
-void DetectSignatureApplyActions(Packet *p, const Signature *s);
+void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);
 #endif /* __DETECT_H__ */
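Review bot: The new prototype drops the parameter name and keeps a top-level `const` on a by-value argument, `const uint8_t`; the definition in detect.c names it `alert_flags`, and that name is what a caller reading the header needs, while `const` on a by-value parameter is a definition detail that says nothing in a declaration. Suggest `void DetectSignatureApplyActions(Packet *p, const Signature *s, uint8_t alert_flags);`.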