From 4fc04f17d8d45e36d7bfbb4be31dae90890483a3 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 9 Aug 2018 17:33:19 +0200 Subject: [PATCH] detect/prefilter: fix alias for fast_pattern If prefilter is used on a content keyword, it acts as a simple fast_pattern statement. This was broken because the SIG_FLAG_PREFILTER flag bypasses MPM for a sig. This commits fixes this by not setting the flag when it should act as fast_pattern. --- src/detect-prefilter.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/src/detect-prefilter.c b/src/detect-prefilter.c index f2beac3d32..8eca6efb70 100644 --- a/src/detect-prefilter.c +++ b/src/detect-prefilter.c @@ -59,27 +59,23 @@ static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, const ch { SCEnter(); - SigMatch *sm = NULL; - int ret = -1; - if (nullstr != NULL) { SCLogError(SC_ERR_INVALID_VALUE, "prefilter has value"); - goto end; + SCReturnInt(-1); } if (s->flags & SIG_FLAG_PREFILTER) { SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter already set"); - goto end; + SCReturnInt(-1); } - sm = DetectGetLastSM(s); + SigMatch *sm = DetectGetLastSM(s); if (sm == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter needs preceding match"); - goto end; + SCReturnInt(-1); } s->init_data->prefilter_sm = sm; - s->flags |= SIG_FLAG_PREFILTER; /* if the sig match is content, prefilter should act like * 'fast_pattern' w/o options. */ @@ -93,12 +89,12 @@ static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, const ch { SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter; cannot be " "used with negated content, along with relative modifiers"); - goto end; + SCReturnInt(-1); } cd->flags |= DETECT_CONTENT_FAST_PATTERN; + } else { + s->flags |= SIG_FLAG_PREFILTER; } - ret = 0; - end: - SCReturnInt(ret); + SCReturnInt(0); } -- 2.47.2