From: Jeff Lucovsky Date: Thu, 7 Sep 2023 14:49:23 +0000 (-0400) Subject: detect/alert: Drop packet if rule is pkt only X-Git-Tag: suricata-6.0.20~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f485c46c1fa9c68664cfb93fd6c6b7b71d4b6ba;p=thirdparty%2Fsuricata.git detect/alert: Drop packet if rule is pkt only This commit modifies the logic used to determine the disposition of a flow/packet. If the rule doesn't require a stream and only contains properties for packet matching, then the alert is not marked as applying to the flow and hence, the flow won't be dropped. Issue: 5578 --- diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c index a40f992ced..54b2e3e38d 100644 --- a/src/detect-engine-alert.c +++ b/src/detect-engine-alert.c @@ -326,6 +326,13 @@ static inline void FlowApplySignatureActions( if ((pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH)) || (s->flags & (SIG_FLAG_IPONLY | SIG_FLAG_LIKE_IPONLY | SIG_FLAG_PDONLY | SIG_FLAG_APPLAYER))) { + + /* No action when the signature doesn't require a stream */ + if ((s->flags & + (SIG_FLAG_APPLAYER | SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)) == + (SIG_FLAG_APPLAYER | SIG_FLAG_REQUIRE_PACKET)) + return; + pa->flags |= PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW; SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x (set " "PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)",
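Review bot: the new early `return` in the FlowApplySignatureActions() hunk exits the whole function rather than just skipping the `pa->flags |= PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW;` assignment, so any code after the enclosing `if` block in this function is also skipped for app-layer signatures that require the packet but not the stream; if the remainder of the function does anything not specific to the flow action, consider guarding the flag assignment with the new condition instead of returning. The comment `/* No action when the signature doesn't require a stream */` also understates the condition, which additionally requires both SIG_FLAG_APPLAYER and SIG_FLAG_REQUIRE_PACKET to be set; spelling that out (e.g. "app-layer rule that requires the packet but not the stream: act on the packet only, not the flow") would make the intent behind the three-flag mask compared against two flags clear to the next reader. Since the existing SCLogDebug() that records the flow-flag decision is now bypassed on this path, an SCLogDebug() before the `return` stating that the action is kept packet-only would keep the decision visible when debugging why a flow was not dropped, and a regression test for the Issue 5578 case would help, as none is part of this diff.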