From c6aeec10b574700d9a350074d7f38753ba277b19 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 11 Sep 2024 10:18:58 +0200
Subject: [PATCH] detect/app-layer-proto: fix prefilter check

Prefilter wasn't yet using `AppProtoEquals` which might lead to mismatches with HTTP and DCERPC related signatures.
---
 src/detect-app-layer-protocol.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c
index c5924f07a1..bd0da13a23 100644
--- a/src/detect-app-layer-protocol.c
+++ b/src/detect-app-layer-protocol.c
@@ -217,13 +217,13 @@ PrefilterPacketAppProtoMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const vo
 if ((p->flags & PKT_PROTO_DETECT_TS_DONE) && (p->flowflags & FLOW_PKT_TOSERVER) && p->flow->alproto_ts != ALPROTO_UNKNOWN) {
- int r = (ctx->v1.u16[0] == p->flow->alproto_ts) ^ ctx->v1.u8[2];
+ int r = AppProtoEquals(ctx->v1.u16[0], p->flow->alproto_ts) ^ ctx->v1.u8[2];
 if (r) {
 PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
 }
 } else if ((p->flags & PKT_PROTO_DETECT_TC_DONE) && (p->flowflags & FLOW_PKT_TOCLIENT) && p->flow->alproto_tc != ALPROTO_UNKNOWN) {
- int r = (ctx->v1.u16[0] == p->flow->alproto_tc) ^ ctx->v1.u8[2];
+ int r = AppProtoEquals(ctx->v1.u16[0], p->flow->alproto_tc) ^ ctx->v1.u8[2];
 if (r) {
 PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
 }
--
2.47.2
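Review bot: Both new `AppProtoEquals(ctx->v1.u16[0], p->flow->alproto_ts)` / `..._tc)` calls depend on argument order, and nothing at the call site says so. The helper appears to widen only its first argument (the signature's protocol, e.g. generic HTTP) against the flow's concrete protocol, so a swapped call would still compile and would silently keep HTTP and DCERPC rules out of the prefilter result, which shows up as missed detections rather than an error. I would add `/* signature proto first: AppProtoEquals() is not symmetric */` above the first call. Since the to-server and to-client branches now differ only in the direction flags and the `alproto_ts`/`alproto_tc` field, a small static helper taking the flow's alproto would stop the two paths drifting apart again. The patch carries no test; a case with a negated keyword (`ctx->v1.u8[2]` set) on an HTTP flow would pin the XOR behaviour. PrefilterPacketAppProtoMatch starts and ends outside this hunk.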