From: Philippe Antoine
Date: Wed, 22 Dec 2021 21:44:54 +0000 (+0100)
Subject: detect: fix app-layer-protocol keyword for HTTP
X-Git-Tag: suricata-7.0.0-beta1~1097
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf9bbdd6128568d74d88c4f4eb08be910488f6e0;p=thirdparty%2Fsuricata.git
detect: fix app-layer-protocol keyword for HTTP
Ticket: 4920
Completes commit c8dbe24fb6202550bbca1fab452ddbe864b2c9e2 which introduced AppProtoEquals to have a generic check for http in signature can mean http1 or http2 in traffic. This commit missed this case, as I only looked for git grep "alproto ==" and here we deal with alproto_tc and alproto_ts, but not alproto by itself.
---
diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c
index c4802e827a..b99e8ecf34 100644
--- a/src/detect-app-layer-protocol.c
+++ b/src/detect-app-layer-protocol.c
@@ -43,7 +43,7 @@ static int DetectAppLayerProtocolPacketMatch(
 {
 SCEnter();
- int r = 0;
+ bool r = false;
 const DetectAppLayerProtocolData *data = (const DetectAppLayerProtocolData *)ctx;
 /* if the sig is PD-only we only match when PD packet flags are set */
@@ -67,16 +67,14 @@ static int DetectAppLayerProtocolPacketMatch(
 SCLogDebug("toserver packet %"PRIu64": looking for %u/neg %u, got %u", p->pcap_cnt, data->alproto, data->negated, f->alproto_ts);
- r = (data->negated) ? (f->alproto_ts != data->alproto) :
- (f->alproto_ts == data->alproto);
+ r = AppProtoEquals(data->alproto, f->alproto_ts);
 } else if ((f->alproto_tc != ALPROTO_UNKNOWN) && (p->flowflags & FLOW_PKT_TOCLIENT)) {
 SCLogDebug("toclient packet %"PRIu64": looking for %u/neg %u, got %u", p->pcap_cnt, data->alproto, data->negated, f->alproto_tc);
- r = (data->negated) ? (f->alproto_tc != data->alproto) :
- (f->alproto_tc == data->alproto);
+ r = AppProtoEquals(data->alproto, f->alproto_tc);
 } else {
 SCLogDebug("packet %"PRIu64": default case: direction %02x, approtos %u/%u/%u",
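Review bot: The argument order in the new `AppProtoEquals(data->alproto, f->alproto_ts)` and `AppProtoEquals(data->alproto, f->alproto_tc)` calls is load-bearing but undocumented. Going by the commit message, the first argument is the protocol named in the signature and the second the one seen in traffic, so swapping them would presumably stop a generic http rule from covering http2 flows; the helper's definition is not part of this diff, so that asymmetry is inferred. A one-line comment above the toserver call, e.g. `/* signature proto first: generic http in a rule covers http1 and http2 traffic */`, would keep a later refactor from reintroducing the plain `==` compare. The function body starts and ends outside this hunk.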
@@ -84,8 +82,11 @@ static int DetectAppLayerProtocolPacketMatch(
 p->flowflags & (FLOW_PKT_TOCLIENT|FLOW_PKT_TOSERVER), f->alproto, f->alproto_ts, f->alproto_tc);
 }
-
- SCReturnInt(r);
+ r = r ^ data->negated;
+ if (r) {
+ SCReturnInt(1);
+ }
+ SCReturnInt(0);
 }
 static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)
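Review bot: The added `r = r ^ data->negated;` also runs after the default branch, where neither direction's protocol is known and `r` is still `false`, so a negated signature now returns 1 on those packets; the removed code left `r` at 0 there and returned 0 regardless of negation. Unless an earlier return outside the hunk filters that case, rules such as `app-layer-protocol:!http` would start matching before protocol detection has finished, which would surface as false-positive alerts. If the old behaviour is wanted, end the default branch with `SCReturnInt(0);` after its SCLogDebug call. The type of `data->negated` is not visible here; if it is not a `bool`, `r = (r != (data->negated != 0));` avoids relying on it being exactly 0 or 1. The default branch begins before this hunk.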