From: Victor Julien
Date: Mon, 23 May 2022 11:59:31 +0000 (+0200)
Subject: detect/iponly: include postmatch in determination
X-Git-Tag: suricata-7.0.0-beta1~552
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=beecc1890fafb2381c42af2344d74eddd4064085;p=thirdparty%2Fsuricata.git
detect/iponly: include postmatch in determination
---
diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index 813876eaca..9ac3e13936 100644
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -227,9 +227,17 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
 return 0;
 SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
- if (sm == NULL)
- goto iponly;
-
+ for (; sm != NULL; sm = sm->next) {
+ if (!(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
+ return 0;
+ /* we have enabled flowbits to be compatible with ip only sigs, as long
+ * as the sig only has a "set" flowbits */
+ if (sm->type == DETECT_FLOWBITS &&
+ (((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET)) {
+ return 0;
+ }
+ }
+ sm = s->init_data->smlists[DETECT_SM_LIST_POSTMATCH];
 for ( ; sm != NULL; sm = sm->next) {
 if ( !(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
 return 0;
@@ -241,7 +249,6 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
 }
 }
-iponly:
 if (!(de_ctx->flags & DE_QUIET)) {
 SCLogDebug("IP-ONLY (%" PRIu32 "): source %s, dest %s", s->id, s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET",
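Review bot: The loop added over `DETECT_SM_LIST_MATCH` repeats, as far as this hunk shows, the same compatibility check that the existing loop now applies to `DETECT_SM_LIST_POSTMATCH`, so the IP-only classification rule exists in two copies. SignatureIsIPOnly decides whether a rule is treated as IP-only, and if a later edit touches only one copy, a rule with an incompatible keyword in the other list could be misclassified. Moving the check into one static helper that takes the list head and calling it for both lists keeps the two in step; the helper name below is only a suggestion. The remainder of the second loop's body lies between the two hunks and is not visible here, so confirm it matches the added loop before merging them.

```c
/* Returns 1 when every keyword in the list is allowed in an IP-only rule. */
static int SigMatchListIsIPOnlyCompat(const SigMatch *sm)
{
    for (; sm != NULL; sm = sm->next) {
        if (!(sigmatch_table[sm->type].flags & SIGMATCH_IPONLY_COMPAT))
            return 0;
        /* flowbits stays compatible with ip only sigs only for "set" */
        if (sm->type == DETECT_FLOWBITS &&
                (((DetectFlowbitsData *)sm->ctx)->cmd != DETECT_FLOWBITS_CMD_SET)) {
            return 0;
        }
    }
    return 1;
}

/* … unchanged: earlier checks in SignatureIsIPOnly … */
    if (!SigMatchListIsIPOnlyCompat(s->init_data->smlists[DETECT_SM_LIST_MATCH]) ||
            !SigMatchListIsIPOnlyCompat(s->init_data->smlists[DETECT_SM_LIST_POSTMATCH])) {
        return 0;
    }
/* … unchanged: IP-ONLY debug logging … */
```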