From 8f1c39bb1c5f12aa67036e8142ef1a1c06518869 Mon Sep 17 00:00:00 2001
From: Lukas Sismis <lsismis@oisf.net>
Date: Sun, 2 Apr 2023 10:41:08 +0200
Subject: [PATCH] policy: postpone evaluation of exception policy after setting
 the engine mode

Master exception policy queried engine mode earlier than it was
determined from the configuration file/command line. As a result it
used the default (IDS) mode. However, the engine mode could have been
reconfigured later on to the IPS mode. This lead into an undefined behavior
as master exception policy behaves according to the configured engine mode.

Ticket: #5960
---
 src/suricata.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/suricata.c b/src/suricata.c
index 29494f8ebf..f2127d1a2e 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -2671,13 +2671,13 @@ int PostConfLoadedSetup(SCInstance *suri)
 
     MacSetRegisterFlowStorage();
 
-    SetMasterExceptionPolicy();
-
     LiveDeviceFinalize(); // must be after EBPF extension registration
 
     RunModeEngineIsIPS(
             suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name);
 
+    SetMasterExceptionPolicy();
+
     AppLayerSetup();
 
     /* Suricata will use this umask if provided. By default it will use the
-- 
2.47.2