From: Victor Julien
Date: Mon, 7 Sep 2020 14:46:39 +0000 (+0200)
Subject: detect/app-layer-events: improve warnings/errors
X-Git-Tag: suricata-6.0.0-rc1~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6492fe0841166dec88b49e279c99762690e448e7;p=thirdparty%2Fsuricata.git
detect/app-layer-events: improve warnings/errors
Improve handling of outdated events that are no longer supported by the engine.
---
diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
index 686131bf34..e6b4499ad4 100644
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@@ -165,6 +165,16 @@ static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
 return aled;
 }
+static bool OutdatedEvent(const char *raw)
+{
+ if (strcmp(raw, "tls.certificate_missing_element") == 0 ||
+ strcmp(raw, "tls.certificate_unknown_element") == 0 ||
+ strcmp(raw, "tls.certificate_invalid_string") == 0) {
+ return true;
+ }
+ return false;
+}
+
 /** \retval int 0 ok
 * \retval int -1 error
 * \retval int -3 non-fatal error: sig will be rejected w/o raising error
@@ -178,6 +188,18 @@ static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
 char alproto_name[MAX_ALPROTO_NAME];
 int r = 0;
+ if (OutdatedEvent(data->arg)) {
+ if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE,
+ "app-layer-event keyword no longer supports event \"%s\"", data->arg);
+ return -1;
+ } else {
+ SCLogWarning(SC_ERR_INVALID_SIGNATURE,
+ "app-layer-event keyword no longer supports event \"%s\"", data->arg);
+ return -3;
+ }
+ }
+
 const char *p_idx = strchr(data->arg, '.');
 if (strlen(data->arg) > MAX_ALPROTO_NAME) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
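Review bot: `OutdatedEvent()` in the first hunk has no comment saying why these three `tls.certificate_*` names are listed, so a maintainer who retires another event has no hint that this is where to record it. A header such as `/** \brief true if the event name was removed from the engine, so rules using it must be rejected */` would cover that. The match is an exact, case-sensitive `strcmp`, so it only fires if `raw` arrives already trimmed and in canonical spelling; the caller's normalisation is outside this hunk and is worth confirming. The `if (...) { return true; } return false;` shape could also be a single `return` of the condition.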
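Review bot: In the non-strict branch of the second hunk the rule is dropped via `return -3`, which the function's header comment describes as rejecting the signature without raising an error, but the warning text is identical to the strict-mode error and never says the signature was skipped. For an operator that is a quiet loss of detection coverage, so the warning should state the consequence, e.g. `"app-layer-event keyword no longer supports event \"%s\"; signature will not be loaded"`. The format string is also duplicated across both branches and could be hoisted into one `const char *` so the two messages cannot drift apart. The body of `DetectAppLayerEventParseAppP2` starts and continues outside the hunk.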