From: Philippe Antoine <contact@catenacyber.fr>
Date: Wed, 30 Mar 2022 13:24:32 +0000 (+0200)
Subject: detect: not an iponly signature if it needs app-layer
X-Git-Tag: suricata-6.0.5~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=483194893e55b978d90ff45acda5df196c73bea4;p=thirdparty%2Fsuricata.git

detect: not an iponly signature if it needs app-layer

Ticket: 4972

This may happen with `config` keyword which is postmatch,
but may require a transaction

(cherry picked from commit 0cba561fecffe93596d38691561d4316c3b8efb2)
---

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index b7b344cbaa..73f876718d 100644
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -194,6 +194,10 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
     if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
         return 0;
 
+    // may happen for 'config' keyword, postmatch
+    if (s->flags & SIG_FLAG_APPLAYER)
+        return 0;
+
     /* if flow dir is set we can't process it in ip-only */
     if (!(((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == 0) ||
             (s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) ==