From: Victor Julien Date: Fri, 22 Nov 2013 17:11:10 +0000 (+0100) Subject: detect: don't consider smsgs for no inspect flag X-Git-Tag: suricata-2.0beta2~140 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5330b1cae1b1761e2911e9ddc0a9a94a2a55c034;p=thirdparty%2Fsuricata.git detect: don't consider smsgs for no inspect flag When the PKT_NOPAYLOAD_INSPECTION flag is set, don't apply it to smsgs. This way we can still inspect the outstanding smsgs. The PKT_NOPAYLOAD_INSPECTION is set for encrypted traffic, and is combined with disabling stream reassembly. So we only inspect the smsgs up to the point of the disable detection point. --- diff --git a/src/detect.c b/src/detect.c index 2e57f87786..a6b47f4ed2 100644 --- a/src/detect.c +++ b/src/detect.c @@ -2045,7 +2045,8 @@ static void PacketCreateMask(Packet *p, SignatureMask *mask, uint16_t alproto, void *alstate, StreamMsg *smsg, int app_decoder_events) { - if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && (p->payload_len > 0 || smsg != NULL)) { + /* no payload inspect flag doesn't apply to smsg */ + if (smsg != NULL || (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && p->payload_len > 0)) { SCLogDebug("packet has payload"); (*mask) |= SIG_MASK_REQUIRE_PAYLOAD; } else {
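Review bot: In the rewritten condition in PacketCreateMask, `smsg != NULL` now sets SIG_MASK_REQUIRE_PAYLOAD even when PKT_NOPAYLOAD_INSPECTION is set on the packet, and that single mask bit does not say whether the data to inspect is the stream message or the packet's own payload. Please confirm that the per-packet payload inspection paths check PKT_NOPAYLOAD_INSPECTION themselves, so that a flagged packet arriving with an outstanding smsg does not have p->payload matched as a side effect; nothing in this hunk shows that. The new comment "no payload inspect flag doesn't apply to smsg" states the rule but not the reason. It would help to carry over the rationale from the commit message: the flag is set for encrypted traffic together with disabling stream reassembly, and smsgs still outstanding from before that point should be inspected. A test case covering a packet with the flag set, payload_len > 0 and a non-NULL smsg would pin down the intended behaviour.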