From: Victor Julien Date: Fri, 6 Sep 2024 09:21:48 +0000 (+0200) Subject: detect/app-layer-proto: don't run detection on ALPROTO_UNKNOWN X-Git-Tag: suricata-7.0.7~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d922af7c1fbb70c940d9d2787cc2a44c0bec5d8;p=thirdparty%2Fsuricata.git detect/app-layer-proto: don't run detection on ALPROTO_UNKNOWN Don't return true for negated protocol check if no protocol has been evaluated due to ALPROTO_UNKNOWN in the packet direction. This leads to false positives for negated matching, as an expression like "!tls" will match if checked against ALPROTO_UNKNOWN. This patch readds missing check. The keyword returns no match as long as the alproto is ALPROTO_UNKNOWN. Fixes: bf9bbdd61285 ("detect: fix app-layer-protocol keyword for HTTP") Ticket: #7242.
---
diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c
index 26a5ce6235..c5924f07a1 100644
--- a/src/detect-app-layer-protocol.c
+++ b/src/detect-app-layer-protocol.c
@@ -86,6 +86,7 @@ static int DetectAppLayerProtocolPacketMatch(
                 p->pcap_cnt, p->flowflags & (FLOW_PKT_TOCLIENT|FLOW_PKT_TOSERVER),
                 f->alproto, f->alproto_ts, f->alproto_tc);
+        SCReturnInt(0);
     }
     r = r ^ data->negated;
     if (r) {
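Review bot: The added `SCReturnInt(0);` in the default branch of DetectAppLayerProtocolPacketMatch changes the contract of a negated keyword — `!tls` no longer matches while the protocol of the packet's direction is still ALPROTO_UNKNOWN — but nothing in the code says so, and the next reader may "fix" it back into the fall-through that produced the false positives. Put a why-comment above it, e.g. `/* protocol not yet known in this direction: no match, not even for a negated keyword, otherwise "!tls" would fire on every undetected flow */`. The same rule is enforced by the two ALPROTO_UNKNOWN guards in the PrefilterPacketAppProtoMatch hunk below, which deserve the same one-line comment so the match and prefilter paths stay in sync. The enclosing function starts and ends outside the hunk, and whether a unit test pins the negated-plus-unknown case is not visible in this diff.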
@@ -214,14 +215,14 @@ PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const vo
         SCReturn;
     }
-    if ((p->flags & PKT_PROTO_DETECT_TS_DONE) && (p->flowflags & FLOW_PKT_TOSERVER))
-    {
+    if ((p->flags & PKT_PROTO_DETECT_TS_DONE) && (p->flowflags & FLOW_PKT_TOSERVER) &&
+            p->flow->alproto_ts != ALPROTO_UNKNOWN) {
         int r = (ctx->v1.u16[0] == p->flow->alproto_ts) ^ ctx->v1.u8[2];
         if (r) {
             PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
         }
-    } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT))
-    {
+    } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT) &&
+            p->flow->alproto_tc != ALPROTO_UNKNOWN) {
         int r = (ctx->v1.u16[0] == p->flow->alproto_tc) ^ ctx->v1.u8[2];
         if (r) {
             PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
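Review bot: Both rewritten conditions in PrefilterPacketAppProtoMatch now dereference `p->flow` three times each and wrap onto a continuation line, which makes the toserver and toclient branches harder to compare at a glance than the one-line forms they replace. If the function does not already bind the flow (its head is outside the hunk), a local `const Flow *f = p->flow;` above the first `if` would let both guards read `f->alproto_ts != ALPROTO_UNKNOWN` / `f->alproto_tc != ALPROTO_UNKNOWN` and the two match lines use `f->alproto_ts` / `f->alproto_tc`, mirroring the `f` that DetectAppLayerProtocolPacketMatch already uses. The XOR with `ctx->v1.u8[2]` is still applied only after the unknown check, so a negated signature is no longer added to the candidate set for a flow whose detection finished without a result, which is consistent with the match-function change. The function's tail is also outside the hunk.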