From: Victor Julien
Date: Wed, 15 Aug 2018 10:28:52 +0000 (+0200)
Subject: detect: fix file_data detect issue with alert ip
X-Git-Tag: suricata-4.1.0-rc2~117
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88277d04021bbec145ee1a13e23a94770648c4c8;p=thirdparty%2Fsuricata.git

detect: fix file_data detect issue with alert ip

Fix mpm progress being updated by irrelevant engines. Esp in the case of file_data engines, signature can contain multiple versions of the same engine, registered for different 'progress' values. This would lead to signatures being considered 'can't match' even in cases where they clearly could still match. Only consider those progress values that apply to the protocol in use.
---
diff --git a/src/detect.c b/src/detect.c
index 6aaa6996ad..f774417883 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1188,6 +1188,14 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
         if (!(inspect_flags & BIT_U32(engine->id)) &&
                 direction == engine->dir)
         {
+            const bool skip_engine = (engine->alproto != 0 && engine->alproto != f->alproto);
+            /* special case: file_data on 'alert tcp' will have engines
+             * in the list that are not for us. */
+            if (unlikely(skip_engine)) {
+                engine = engine->next;
+                continue;
+            }
+
             /* engines are sorted per progress, except that the one with
              * mpm/prefilter enabled is first */
             if (tx->tx_progress < engine->progress) {
@@ -1208,11 +1216,6 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
             if (unlikely(engine->stream && can->stream_stored)) {
                 match = can->stream_result;
                 TRACE_SID_TXS(s->id, tx, "stream skipped, stored result %d used instead", match);
-                /* special case: file_data on 'alert tcp' will have engines
-                 * in the list that are not for us. Bypass with assume match */
-            } else if (unlikely(engine->alproto != 0 && engine->alproto != f->alproto)) {
-                engine = engine->next;
-                continue;
             } else {
                 KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);
                 if (engine->Callback) {
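Review bot: The comment above the new skip_engine guard in the first hunk still names only 'alert tcp', while the subject is about 'alert ip', and it no longer says why the guard has to sit before the progress comparison, which is the whole point of the move; suggested wording: `/* special case: file_data on 'alert tcp' / 'alert ip' will have engines in the list that are not for this flow's alproto; skip them before the progress check so they never mark the sig as 'can't match' */`. DetectRunTxInspectRule and the engine loop this `continue` belongs to both start outside the hunk, so whether `f` is guaranteed non-NULL when `f->alproto` is read here cannot be confirmed from what is shown. The second hunk only removes the old placement of the same check and raises nothing on its own. Since the previous placement caused rules to be judged unable to match (a silent false negative in detection), a regression test with a file_data rule on `alert ip` would keep this from reappearing unnoticed.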