From 910c3691afc4f65ba118458e9f0d939805c80d40 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Mon, 18 Feb 2019 22:31:26 +0100
Subject: [PATCH] detect-flowbits: error on some invalid syntax

The regular expression was accepting something like
"flowbits:!isset,isma;" without complaining even if it is not
correct and don't have the expected result.
---
 src/detect-flowbits.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 23cd2036d3..efb946d66c 100644
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -45,7 +45,7 @@
 #include "util-unittest.h"
 #include "util-debug.h"
 
-#define PARSE_REGEX         "([a-z]+)(?:,\\s*(.*))?"
+#define PARSE_REGEX         "^([a-z]+)(?:,\\s*(.*))?"
 static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
 
@@ -769,6 +769,9 @@ static int FlowBitsTestSig02(void)
     s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
     FAIL_IF_NOT_NULL(s);
 
+    s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
+    FAIL_IF_NOT_NULL(s);
+
     SigGroupBuild(de_ctx);
     DetectEngineCtxFree(de_ctx);
 
-- 
2.47.2