From: Victor Julien Date: Mon, 30 Jan 2023 12:55:52 +0000 (+0100) Subject: decode/events: add strict mode for udp.hlen_invalid; remove rule X-Git-Tag: suricata-6.0.10~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=777d88bd216d56dd9003321d22457fdd1e9daf9b;p=thirdparty%2Fsuricata.git decode/events: add strict mode for udp.hlen_invalid; remove rule
---
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 612058f48a..867715aa93 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -67,7 +67,7 @@ alert pkthdr any any -> any any (msg:"SURICATA TCP option invalid length"; decod
 alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option"; decode-event:tcp.opt_duplicate; classtype:protocol-command-decode; sid:2200037; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA UDP packet too small"; decode-event:udp.pkt_too_small; classtype:protocol-command-decode; sid:2200038; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA UDP header length too small"; decode-event:udp.hlen_too_small; classtype:protocol-command-decode; sid:2200039; rev:2;)
-alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)
+# 2200040 "udp.hlen_invalid" has been retired.
 alert pkthdr any any -> any any (msg:"SURICATA UDP invalid length field in the header"; decode-event:udp.len_invalid; classtype:protocol-command-decode; sid:2200120; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA SLL packet too small"; decode-event:sll.pkt_too_small; classtype:protocol-command-decode; sid:2200041; rev:2;)
 alert pkthdr any any -> any any (msg:"SURICATA Ethernet packet too small"; decode-event:ethernet.pkt_too_small; classtype:protocol-command-decode; sid:2200042; rev:2;)
diff --git a/src/detect-engine-event.c b/src/detect-engine-event.c
index 029a71f06a..89015852cf 100644
--- a/src/detect-engine-event.c
+++ b/src/detect-engine-event.c @@ -173,8 +173,13 @@ static DetectEngineEventData *DetectEngineEventParse (const char *rawstr) } if (OutdatedEvent(rawstr)) { - SCLogWarning( - SC_WARN_DEPRECATED, "decode-event keyword no longer supports event \"%s\"", rawstr); + if (SigMatchStrictEnabled(DETECT_DECODE_EVENT)) { + SCLogError(SC_WARN_DEPRECATED, "decode-event keyword no longer supports event \"%s\"", + rawstr); + goto error; + } else { + SCLogNotice("decode-event keyword no longer supports event \"%s\"", rawstr); + } } return de;
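Review bot: In the non-strict `else` branch the retired event is now reported only at notice level and `de` is still returned, so a signature naming it appears to load normally even though, presumably, the decoder no longer raises that event and the rule can never alert. For anyone still carrying a local copy of sid 2200040 that is a quiet loss of coverage, so the message should say what happens to the rule, e.g. `SCLogNotice("decode-event keyword no longer supports event \"%s\"; the signature is kept but cannot match", rawstr);` if that is indeed the behaviour. The strict branch logs the same text as the lenient one; a short comment such as `/* strict mode: reject signatures that use retired events */` above the `goto error` would make the split explicit. The `error` label and the allocation of `de` lie outside the hunk, so whether `de` is released on this new path cannot be confirmed from here.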