From: Jason Ish
Date: Tue, 4 Jul 2023 13:21:18 +0000 (-0600)
Subject: file-data: better error for conflicting keywords
X-Git-Tag: suricata-7.0.0~66
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a28f072981aa683995cb7f951e1f290562179c5;p=thirdparty%2Fsuricata.git
file-data: better error for conflicting keywords
Instead of just erroring out with "rule contains conflicting keywords", give an error that says what is actually wrong.
---
diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index e8f70803de..2387135321 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -37,6 +37,7 @@
 #include "detect-engine-file.h"
 #include "detect-file-data.h"
+#include "app-layer.h"
 #include "app-layer-parser.h"
 #include "app-layer-htp.h"
 #include "app-layer-smtp.h"
@@ -154,17 +155,21 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
 {
 SCEnter();
- if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
- (s->alproto != ALPROTO_UNKNOWN &&
- !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto))) {
- SCLogError("rule contains conflicting keywords.");
+ if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP)) {
+ SCLogError("The 'file_data' keyword cannot be used with non-TCP protocols");
+ return -1;
+ }
+
+ if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto)) {
+ SCLogError("The 'file_data' keyword cannot be used with TCP protocol %s",
+ AppLayerGetProtoName(s->alproto));
 return -1;
 }
 if (s->alproto == ALPROTO_SMTP && (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) && !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
- SCLogError("Can't use file_data with "
- "flow:to_client or flow:from_server with smtp.");
+ SCLogError("The 'file-data' keyword cannot be used with SMTP flow:to_client or "
+ "flow:from_server.");
 return -1;
 }
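Review bot: The rewritten SMTP message at the end of the second hunk spells the keyword `'file-data'`, while the two messages added above it use `'file_data'`. I would make the third match, `SCLogError("The 'file_data' keyword cannot be used with SMTP flow:to_client or "`, so that a rule writer searching the rule-load log for the keyword finds all three rejections. The second message passes `AppLayerGetProtoName(s->alproto)` straight to `%s`; if that helper can return NULL for a protocol that is not registered (not visible here), a fallback string would be safer. DetectFiledataSetup starts and continues outside the hunk.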