From: Jason Ish Date: Fri, 21 Feb 2020 21:49:36 +0000 (-0600) Subject: detect/parse: softer error on unknown app-layer event X-Git-Tag: suricata-6.0.0-beta1~660 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=947cfac62e5c1ad7669cba01291fa338d95c23f8;p=thirdparty%2Fsuricata.git detect/parse: softer error on unknown app-layer event On an unknown app-layer event, return -3 for "silent OK fail". A warning will still be emitted, but its not considered a rule parse error. This is to handle app-layer events being removed in a more graceful manner for the user. This allows -T to pass with an old app-layer events rule file that may used removed app-layer event keywords.
---
diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
index f7b748d647..972daa5bd6 100644
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@@ -204,10 +204,17 @@ static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
 }
 if (r < 0) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
- "protocol \"%s\" doesn't have event \"%s\" registered",
- alproto_name, p_idx + 1);
- return -1;
+ if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
+ "protocol \"%s\" doesn't have event \"%s\" registered",
+ alproto_name, p_idx + 1);
+ return -1;
+ } else {
+ SCLogWarning(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
+ "protocol \"%s\" doesn't have event \"%s\" registered",
+ alproto_name, p_idx + 1);
+ return -3;
+ }
 }
 data->event_id = event_id;
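Review bot: With strict mode off, the new else-branch treats a misspelled event name exactly like a removed one: it logs the same text as the error path and returns -3, and per the commit message `-T` then passes, so a detection rule can drop out of the loaded set with one warning as the only trace. The warning should say what happens to the rule, for example by ending the message with `registered, rule will be skipped` (assuming the `goto error` in SigInitHelper does discard the signature). The difference between -1 and -3 is not documented in the visible lines; a comment such as `/* -3: unknown event, non-strict mode: warn and fail this rule silently */` above `return -3;` would help, with a matching line in the return-value documentation of DetectAppLayerEventSetupP2 and DetectAppLayerEventPrepare, which now pass the value through. The function body starts and ends outside the hunk.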
@@ -284,13 +291,14 @@ static int DetectAppLayerEventSetupP2(Signature *s,
 {
 AppLayerEventType event_type = 0;
- if (DetectAppLayerEventParseAppP2((DetectAppLayerEventData *)sm->ctx, s->proto.proto,
- &event_type) < 0) {
+ int ret = DetectAppLayerEventParseAppP2((DetectAppLayerEventData *)sm->ctx,
+ s->proto.proto, &event_type);
+ if (ret < 0) {
 /* DetectAppLayerEventParseAppP2 prints errors */
 /* sm has been removed from lists by DetectAppLayerEventPrepare */
 SigMatchFree(sm);
- return -1;
+ return ret;
 }
 SigMatchAppendSMToList(s, sm, g_applayer_events_list_id);
 /* We should have set this flag already in SetupP1 */
@@ -363,7 +371,8 @@ int DetectAppLayerEventPrepare(Signature *s)
 * called by DetectAppLayerEventSetupP2 */
 sm->next = sm->prev = NULL;
- if (DetectAppLayerEventSetupP2(s, sm) < 0) {
+ int ret = DetectAppLayerEventSetupP2(s, sm);
+ if (ret < 0) {
 // current one was freed, let's free the next ones
 sm = smn;
 while(sm) {
@@ -371,7 +380,7 @@ int DetectAppLayerEventPrepare(Signature *s)
 SigMatchFree(sm);
 sm = smn;
 }
- return -1;
+ return ret;
 }
 sm = smn;
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index d5afe73e19..ae978178a0 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1901,8 +1901,13 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
 AppLayerProtoDetectSupportedIpprotos(sig->alproto, sig->proto.proto);
 }
- if (DetectAppLayerEventPrepare(sig) < 0)
+ ret = DetectAppLayerEventPrepare(sig);
+ if (ret == -2) {
+ de_ctx->sigerror_silent = true;
 goto error;
+ } else if (ret < 0) {
+ goto error;
+ }
 /* set the packet and app layer flags, but only if the
 * app layer flag wasn't already set in which case we
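Review bot: The new branch in SigInitHelper tests `ret == -2`, but the value this commit introduces in DetectAppLayerEventParseAppP2 and passes up unchanged through DetectAppLayerEventSetupP2 and DetectAppLayerEventPrepare is -3, so the "silent OK" result lands in the generic `else if (ret < 0)` branch and `sigerror_silent` is never set for it. Nothing visible in this diff makes DetectAppLayerEventPrepare return -2, which suggests the comparison was meant to be -3. I would test the value actually returned, `if (ret == -3) {`, set `de_ctx->sigerror_silent = true;` there together with whatever marks the failure as acceptable (not visible in this hunk), and keep a separate -2 branch only if another path can produce it. As written, the behaviour the commit message promises for `-T` depends on code outside these hunks; the function body starts and ends outside the hunk, so the declaration of `ret` and the `error` label could not be checked.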