From c3b97b4d08ea8f539a3dc3efd83e06013c25c89f Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Mon, 5 Jun 2023 13:02:26 -0300
Subject: [PATCH] exception: in ids mode, only REJECT the packet

In case of 'EXCEPTION_POLICY_REJECT', we were applying the same behavior regardless of being in IDS or IPS mode. This meant that (at least) the 'flow.action' was changed to drop when we hit an exception policy in IDS mode.

Bug #6109

(cherry picked from commit 8f324e3b3d4137b1092b877e8f0dab42e7c824fd)
---
 src/util-exception-policy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index 65fd5f4cec..d3a50fb4cc 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -67,6 +67,9 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
 case EXCEPTION_POLICY_REJECT:
 SCLogDebug("EXCEPTION_POLICY_REJECT");
 PacketDrop(p, ACTION_REJECT, drop_reason);
+ if (!EngineModeIsIPS()) {
+ break;
+ }
 /* fall through */
 case EXCEPTION_POLICY_DROP_FLOW:
 SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
-- 
2.47.2
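Review bot: The new `if (!EngineModeIsIPS()) { break; }` block carries no comment saying why the REJECT policy must stop short of the flow-level action in IDS mode, and the existing `/* fall through */` marker now describes only the IPS path, so the intent is easy to lose in a later refactor; a one-line comment on the new block would fix that, e.g. `/* IDS mode: reject the packet only, never mark the flow for drop (bug 6109) */`. It is also not visible from this hunk whether `PacketDrop(p, ACTION_REJECT, drop_reason)` on the line above still records a drop action on the packet in IDS mode; if it does, packet-level drop stats and logging would still fire even though the flow is no longer marked, which seems worth confirming against PacketDrop. The same IDS-vs-IPS distinction presumably applies to the EXCEPTION_POLICY_DROP_FLOW case and the other policies, which this change leaves untouched. ExceptionPolicyApply begins and ends outside the hunk.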