From: Victor Julien
Date: Fri, 23 Sep 2022 15:13:55 +0000 (+0200)
Subject: detect/flowbits: more permissive parsing by default
X-Git-Tag: suricata-6.0.7~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7183e766f9338800f97ec3025ebb4310fc66caea;p=thirdparty%2Fsuricata.git
detect/flowbits: more permissive parsing by default
To get strict parsing, `--strict-rule-keywords=flowbits` command line option can be used.
Bug: #5547.
---
diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index fd65f086e4..f1805b084d 100644
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -284,8 +284,15 @@ static int DetectFlowbitParse(
 strlcpy(name, token, sizeof(name));
 name_set = true;
 } else {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid flowbits keyword: %s", token);
- return -1;
+ if (!SigMatchStrictEnabled(DETECT_FLOWBITS)) {
+ SCLogWarning(SC_ERR_INVALID_SIGNATURE,
+ "Invalid flowbits keyword: %s. This will become an error in Suricata 7.0.",
+ token);
+ return -4;
+ } else {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid flowbits keyword: %s", token);
+ return -1;
+ }
 }
 token = strtok_r(NULL, ",", &context);
 }
@@ -327,7 +334,7 @@ int DetectFlowbitSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr
 int result = DetectFlowbitParse(de_ctx, rawstr, &cd);
 if (result < 0) {
- return -1;
+ return result;
 } else if (result == 0 && cd == NULL) {
 s->flags |= SIG_FLAG_NOALERT;
 return 0;
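Review bot: The new `return -4;` in the non-strict branch is an undocumented magic value; nothing visible in this hunk says how the caller treats -4 differently from -1. A named constant or a short comment on that line, for example `/* -4: invalid keyword tolerated in non-strict mode (confirm handling in the rule loader) */`, would make the contract explicit. It is also worth confirming whether a rule that takes this path is still skipped, because a typo in a flowbits keyword would then cost detection coverage with only a warning in the log. If so, rule-set validation in CI should run with `--strict-rule-keywords=flowbits` so such rules fail loudly. DetectFlowbitParse begins and ends outside the hunk.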
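Review bot: `return result;` now forwards every negative value from DetectFlowbitParse, not only the new -4, so any other negative code that function produces on paths outside this diff would reach the caller of DetectFlowbitSetup unchanged. If -4 is the only value meant to be propagated, state that in the code, e.g. `return (result == -4) ? -4 : -1;`, and list the accepted return values in the function's header comment. The rest of DetectFlowbitSetup lies outside the hunk.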