From: Jeff Lucovsky Date: Tue, 14 Nov 2023 13:23:43 +0000 (-0500) Subject: detect/transform: Clarify transformation validation X-Git-Tag: suricata-8.0.0-beta1~2080 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a46779d866b1b121adc73164215ba6437f53c208;p=thirdparty%2Fsuricata.git detect/transform: Clarify transformation validation Issue: 6439 Clarify the transform validation step. When a transform indicates that the content/byte-array is not compatible, validation will stop. Content is incompatible in some cases -- e.g., following the to_lowercase transform with content containing uppercase characters. An alert is not possible since the content contains uppercase and the transform has converted the buffer into all lowercase. --- diff --git a/src/detect-engine.c b/src/detect-engine.c index e50a6fa505..3754c71322 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -1690,8 +1690,8 @@ void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_l * transform may validate that it's compatible with the transform. * * When a transform indicates the byte array is incompatible, none of the - * subsequent transforms, if any, are invoked. This means the first positive - * validation result terminates the loop. + * subsequent transforms, if any, are invoked. This means the first validation + * failure terminates the loop. * * \param de_ctx Detection engine context. * \param sm_list The SM list id.
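Review bot: the reworded sentence in the comment above \param de_ctx now restates the one before it: "none of the subsequent transforms, if any, are invoked" and "the first validation failure terminates the loop" describe the same behaviour. The visible comment also gives no example of an incompatible byte array. Consider folding the two sentences into one and carrying the to_lowercase case from the commit message into the comment (content containing uppercase characters after to_lowercase can never match), so that the reason validation stops is documented next to the code and not only in the commit log.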