From: Jason Ish Date: Tue, 25 Feb 2020 16:41:26 +0000 (-0600) Subject: detect/parse: allow for OK signature parsing errors X-Git-Tag: suricata-6.0.0-beta1~659 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a643c893c4cae61a22e343f1b910461dd110a54;p=thirdparty%2Fsuricata.git detect/parse: allow for OK signature parsing errors The idea of an OK signature parsing error is an error that is allowed to occur, but still lets test mode pass, unlike silent errors which will still fail testing. This is introduced to allow for app-layer event keywords to be removed, but not have old rules fail out on this case. For example the Rust DNS parser removes from DNS app-layer events that are not used anymore. To signal that an error is OK, -3 is returned. This also implies silent.
---
diff --git a/src/detect-engine-loader.c b/src/detect-engine-loader.c
index 8285e8d0d3..fba37b8fa8 100644
--- a/src/detect-engine-loader.c
+++ b/src/detect-engine-loader.c
@@ -195,7 +195,9 @@ static int DetectLoadSigFile(DetectEngineCtx *de_ctx, char *sig_file,
 if (rule_engine_analysis_set) {
 EngineAnalysisRulesFailure(line, sig_file, lineno - multiline);
 }
- bad++;
+ if (!de_ctx->sigerror_ok) {
+ bad++;
+ }
 }
 multiline = 0;
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index ae978178a0..e462070bb5 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1863,7 +1863,12 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
 sig->gid = 1;
 int ret = SigParse(de_ctx, sig, sigstr, dir, &parser);
- if (ret == -2) {
+ if (ret == -3) {
+ de_ctx->sigerror_silent = true;
+ de_ctx->sigerror_ok = true;
+ goto error;
+ }
+ else if (ret == -2) {
 de_ctx->sigerror_silent = true;
 goto error;
 } else if (ret < 0) {
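Review bot: In DetectLoadSigFile the new `if (!de_ctx->sigerror_ok)` guard reads a flag that the visible hunks only ever set to true (both SigInitHelper hunks); nothing shown clears it before the next rule is parsed. If it is not reset per signature somewhere outside these hunks, the first tolerated error would suppress `bad++` for every later rule in the run, so a ruleset containing genuinely broken signatures could pass test mode and leave detection gaps unnoticed. Clearing it alongside wherever `sigerror_silent` is reset, e.g. `de_ctx->sigerror_ok = false;`, would keep the exemption scoped to a single rule. The enclosing function starts and ends outside the hunk.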
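Review bot: The new `ret == -3` branch in SigInitHelper (and its copy after DetectAppLayerEventPrepare in the next hunk) relies on bare return codes whose meaning is only given in the commit message; a comment such as `/* -3: error is OK: silent and not counted as a bad rule; -2: silent only */`, or named constants, would keep both call sites and the keyword parsers in agreement. The added `}` followed by `else if` on its own line also departs from the `} else if (ret < 0) {` form used two lines below. Because a -3 rule is dropped with both flags set, it is worth confirming that the keyword returning -3 logs the discarded rule, since nothing in these hunks records it. The function body continues outside the hunk.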
@@ -1902,7 +1907,12 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
 }
 ret = DetectAppLayerEventPrepare(sig);
- if (ret == -2) {
+ if (ret == -3) {
+ de_ctx->sigerror_silent = true;
+ de_ctx->sigerror_ok = true;
+ goto error;
+ }
+ else if (ret == -2) {
 de_ctx->sigerror_silent = true;
 goto error;
 } else if (ret < 0) {
diff --git a/src/detect.h b/src/detect.h
index ca63c1ca70..ab37135c82 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -865,6 +865,7 @@ typedef struct DetectEngineCtx_ {
 char *rule_file;
 int rule_line;
 bool sigerror_silent;
+ bool sigerror_ok;
 const char *sigerror;
 /** list of keywords that need thread local ctxs */
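Review bot: The new `sigerror_ok` field in DetectEngineCtx_ carries no comment, and its relationship to `sigerror_silent` is not evident from the name alone. Something like `bool sigerror_ok; /**< last signature error is tolerated: implies silent and is not counted as bad */` would document it, ideally with a word on which code path is responsible for resetting it between rules. The struct definition starts and ends outside the hunk.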