From: Victor Julien
Date: Sat, 16 Mar 2019 07:07:14 +0000 (+0100)
Subject: detect/mark: use postmatch instead of tag list
X-Git-Tag: suricata-5.0.0-beta1~126
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bf35a42f194789ee4dd2a9aea624e9a9fd61656;p=thirdparty%2Fsuricata.git
detect/mark: use postmatch instead of tag list
Keep the tag list for just tags. Post match list is better so the keyword also works with pass and noalert rules.
---
diff --git a/src/detect-mark.c b/src/detect-mark.c
index bdb8fe0e21..093f1b126f 100644
--- a/src/detect-mark.c
+++ b/src/detect-mark.c
@@ -200,8 +200,9 @@ static int DetectMarkSetup (DetectEngineCtx *de_ctx, Signature *s, const char *r
 sm->type = DETECT_MARK;
 sm->ctx = (SigMatchCtx *)data;
- /* Append it to the list of tags */
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TMATCH);
+ /* Append it to the list of post match, so the mark is set if the
+ * full signature matches. */
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
 return 0;
 #endif
 }
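Review bot: The new comment above the `SigMatchAppendSMToList` call says when the mark is set but not why the list changed; the reason from the commit message belongs in the code, e.g. `/* Post-match list, not the tag list: the mark must also be set for pass and noalert rules. */`. A packet mark is normally consumed by firewall policy outside the engine, so this widens the set of rules that influence that policy: existing rulesets combining the keyword with `pass` or `noalert` will presumably start marking traffic after an upgrade, which deserves a line in the user documentation or upgrade notes. No test that loads a pass or noalert rule with this keyword is visible in the patch. DetectMarkSetup begins above the hunk, so the allocation and error paths for `sm` and `data` are outside this review.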