From: Victor Julien
Date: Wed, 11 Sep 2024 08:18:58 +0000 (+0200)
Subject: detect/app-layer-proto: fix prefilter check
X-Git-Tag: suricata-7.0.7~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6aeec10b574700d9a350074d7f38753ba277b19;p=thirdparty%2Fsuricata.git

detect/app-layer-proto: fix prefilter check

Prefilter wasn't yet using `AppProtoEquals` which might lead to mismatches with HTTP and DCERPC related signatures.
---
diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c
index c5924f07a1..bd0da13a23 100644
--- a/src/detect-app-layer-protocol.c
+++ b/src/detect-app-layer-protocol.c
@@ -217,13 +217,13 @@ PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const vo
 if ((p->flags & PKT_PROTO_DETECT_TS_DONE) && (p->flowflags & FLOW_PKT_TOSERVER) && p->flow->alproto_ts != ALPROTO_UNKNOWN) {
- int r = (ctx->v1.u16[0] == p->flow->alproto_ts) ^ ctx->v1.u8[2];
+ int r = AppProtoEquals(ctx->v1.u16[0], p->flow->alproto_ts) ^ ctx->v1.u8[2];
 if (r) {
 PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
 }
 } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT) && p->flow->alproto_tc != ALPROTO_UNKNOWN) {
- int r = (ctx->v1.u16[0] == p->flow->alproto_tc) ^ ctx->v1.u8[2];
+ int r = AppProtoEquals(ctx->v1.u16[0], p->flow->alproto_tc) ^ ctx->v1.u8[2];
 if (r) {
 PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
 }
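Review bot: Both new `AppProtoEquals(...)` calls depend on argument order, and nothing at the call site says so: the commit message implies the helper lets a signature protocol such as HTTP or DCERPC cover more than one flow protocol, so passing `ctx->v1.u16[0]` (presumably the signature's protocol) first is what makes the prefilter agree with the full match. A short comment above the first call, e.g. `/* sig proto first: AppProtoEquals is not symmetric; must mirror the non-prefilter match */`, would keep a later swap from silently dropping signatures from the prefilter, which would show up as missed alerts rather than as an error. The XOR with `ctx->v1.u8[2]` also assumes that byte is only ever 0 or 1; if that is not guaranteed where the context is filled (outside this hunk), `!!ctx->v1.u8[2]` would make the negation explicit. The body of PrefilterPacketAppProtoMatch starts and ends outside the hunk, so any earlier check on `p->flow` is not visible here.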