From 88277d04021bbec145ee1a13e23a94770648c4c8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 15 Aug 2018 12:28:52 +0200
Subject: [PATCH] detect: fix file_data detect issue with alert ip

Fix mpm progress being updated by irrelevant engines. Esp in the case of file_data engines, signature can contain multiple versions of the same engine, registered for different 'progress' values. This would lead to signatures being considered 'can't match' even in cases where they clearly could still match. Only consider those progress values that apply to the protocol in use.
---
 src/detect.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index 6aaa6996ad..f774417883 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1188,6 +1188,14 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
 if (!(inspect_flags & BIT_U32(engine->id)) &&
 direction == engine->dir)
 {
+ const bool skip_engine = (engine->alproto != 0 && engine->alproto != f->alproto);
+ /* special case: file_data on 'alert tcp' will have engines
+ * in the list that are not for us. */
+ if (unlikely(skip_engine)) {
+ engine = engine->next;
+ continue;
+ }
+
 /* engines are sorted per progress, except that the one with
 * mpm/prefilter enabled is first */
 if (tx->tx_progress < engine->progress) {
@@ -1208,11 +1216,6 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
 if (unlikely(engine->stream && can->stream_stored)) {
 match = can->stream_result;
 TRACE_SID_TXS(s->id, tx, "stream skipped, stored result %d used instead", match);
- /* special case: file_data on 'alert tcp' will have engines
- * in the list that are not for us. Bypass with assume match */
- } else if (unlikely(engine->alproto != 0 && engine->alproto != f->alproto)) {
- engine = engine->next;
- continue;
 } else {
 KEYWORD_PROFILING_SET_LIST(det_ctx, engine->sm_list);
 if (engine->Callback) {
-- 
2.47.2
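Review bot: The comment above the new `skip_engine` check in the first hunk does not say why the check has to run before the `tx->tx_progress < engine->progress` test, which is the actual fix: an engine registered for another app-layer protocol could otherwise end inspection early and the rule would silently fail to alert. I would word it as `/* skip engines for other app-layer protocols before the progress check: their progress value must not stop inspection of this tx */`, and mention 'alert ip' as well, since the commit subject names that case while the comment only names 'alert tcp'. `engine->alproto != 0` would read better as `engine->alproto != ALPROTO_UNKNOWN`. The diffstat shows only src/detect.c, so a regression test with a file_data rule under `alert ip` appears to be missing; a missed alert of this kind is easy to reintroduce when the loop is next reordered. The enclosing loop and function begin and end outside the hunk.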