From 32160f4a12403f9a5ae098f12cefe0f9fc87735d Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Tue, 14 Nov 2023 08:23:43 -0500 Subject: [PATCH] detect/transform: Clarify transformation validation Issue: 6439 Clarify the transform validation step. When a transform indicates that the content/byte-array is not compatible, validation will stop. Content is incompatible is some cases -- e.g., following the to_lowercase transform with content containing uppercase characters. An alert is not possible since the content contains uppercase and the transform has converted the buffer into all lowercase. (cherry picked from commit a46779d866b1b121adc73164215ba6437f53c208) --- src/detect-engine.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index d8f9f1880e..0d37befa32 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -1690,8 +1690,8 @@ void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_l * transform may validate that it's compatible with the transform. * * When a transform indicates the byte array is incompatible, none of the - * subsequent transforms, if any, are invoked. This means the first positive - * validation result terminates the loop. + * subsequent transforms, if any, are invoked. This means the first validation + * failure terminates the loop. * * \param de_ctx Detection engine context. * \param sm_list The SM list id. -- 2.47.2