From: Juliana Fajardini Date: Mon, 5 Jun 2023 16:02:26 +0000 (-0300) Subject: exception: in ids mode, only REJECT the packet X-Git-Tag: suricata-7.0.0-rc2~56 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f324e3b3d4137b1092b877e8f0dab42e7c824fd;p=thirdparty%2Fsuricata.git exception: in ids mode, only REJECT the packet In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior regardless of being in IDS or IPS mode. This meant that (at least) the 'flow.action' was changed to drop when we hit an exception policy in IDS mode. Bug #6109 --- diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c index 3716447015..4513bbb0f2 100644 --- a/src/util-exception-policy.c +++ b/src/util-exception-policy.c @@ -72,6 +72,9 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro case EXCEPTION_POLICY_REJECT: SCLogDebug("EXCEPTION_POLICY_REJECT"); PacketDrop(p, ACTION_REJECT, drop_reason); + if (!EngineModeIsIPS()) { + break; + } /* fall through */ case EXCEPTION_POLICY_DROP_FLOW: SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
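Review bot: the new `if (!EngineModeIsIPS()) { break; }` in the `EXCEPTION_POLICY_REJECT` case has no comment explaining why IDS mode stops after `PacketDrop(p, ACTION_REJECT, drop_reason)`, and the `/* fall through */` marker below it now only applies in IPS mode. A short comment above the check would help the next reader, for example one saying that in IDS mode only the reject is applied to the packet and the flow-level handling under `EXCEPTION_POLICY_DROP_FLOW` must not run. The diff touches only `src/util-exception-policy.c`, so it is also worth adding a regression test for Bug #6109 that asserts `flow.action` is not set to drop when a reject exception policy fires in IDS mode.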