From 06ee2bc87e77bcb981a56ffbe74e7e55757146bf Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 17 Jul 2015 17:49:01 +0200
Subject: [PATCH] detect: set flow noinspect on pass in applayer/stream

If a pass rule matches in the reassembled stream and/or in the app-layer state, it means the rest of the flow should not be inspected.
---
 src/detect-engine-alert.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 8f91a4b837..c2d7e42065 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -293,7 +293,16 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
             /* Ok, reset the alert cnt to end in the previous of pass
              * so we ignore the rest with less prio */
             p->alerts.cnt = i;
+
+            /* if an stream/app-layer match we enforce the pass for the flow */
+            if ((p->flow != NULL) &&
+                (p->alerts.alerts[i].flags &
+                 (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
+            {
+                FlowLockSetNoPacketInspectionFlag(p->flow);
+            }
             break;
+
             /* if the signature wants to drop, check if the
              * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
         } else if ((PACKET_TEST_ACTION(p, ACTION_DROP)) &&
--
2.47.2
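Review bot: The new call `FlowLockSetNoPacketInspectionFlag(p->flow)` takes the flow's lock by name, so if PacketAlertFinalize can be reached while the caller already holds that lock, this would re-acquire a non-recursive lock; the locking context is not visible in the hunk, so this should be confirmed against the call sites, and the non-locking FlowSetNoPacketInspectionFlag variant used if the flow is already locked here. The effect of the flag is also stronger than the comment suggests: once set, no later packet of this flow in either direction is inspected, so any drop or alert rule that would have matched later traffic is silently bypassed by the pass rule — worth stating so rule authors understand the scope. Suggest rewording the added comment to `/* a pass rule that matched on reassembled stream or app-layer state covers the whole flow: disable inspection for all remaining packets of this flow, both directions */`. The enclosing PacketAlertFinalize body continues outside the hunk.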