detect: Add negated MPM to non-MPM array

Treat negated MPM sigs as if non-MPM, so we consider them always.

As MPM results and non-MPM rules lists are now merged and considered
for further inspection, rules that need to be considerd when a pattern
is absent are caught in the middle.

As a HACK/workaround this patch adds them to the non-MPM list. This
causes them to be inspected each time.

diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c
index 3dc16d46b4022276d394ae9a62386e8373fb599b..f5397baa26f9fc47236f517faf55432b5e280f38 100644 (file)
--- a/src/detect-engine-siggroup.c
+++ b/src/detect-engine-siggroup.c
@@ -1721,6 +1721,8 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 
         if (s->mpm_sm == NULL)
             non_mpm++;
+        else if (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG))
+            non_mpm++;
     }
 
     if (non_mpm == 0) {
@@ -1736,11 +1738,14 @@ int SigGroupHeadBuildNonMpmArray(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
         s = sgh->match_array[sig];
         if (s == NULL)
             continue;
-        if (s->mpm_sm != NULL)
-            continue;
 
-        BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
-        sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+        if (s->mpm_sm == NULL) {
+            BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
+            sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+        } else if (s->flags & (SIG_FLAG_MPM_PACKET_NEG|SIG_FLAG_MPM_STREAM_NEG|SIG_FLAG_MPM_APPLAYER_NEG)) {
+            BUG_ON(sgh->non_mpm_id_cnt >= non_mpm);
+            sgh->non_mpm_id_array[sgh->non_mpm_id_cnt++] = s->num;
+        }
     }
     return 0;
 }