Modify handling of negated content.

The old behaviour of returning a failure if we found a pattern while
matching on negated content is now changed to continuing searching
for other combinations where we don't find the pattern for the
negated content.

Thanks to Will Metcalf for reporting this.

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index b3a680c0ea35e58b78c4531e6c808f067b4f238a..d81527e5dba37b315c0dce60c3ad69bdda62c42d 100644 (file)
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -286,7 +286,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
                 SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but negated so no match", cd->id, match_offset);
                 /* don't bother carrying recursive matches now, for preceding
                  * relative keywords */
-                det_ctx->discontinue_matching = 1;
+                if (DETECT_CONTENT_IS_SINGLE(cd))
+                    det_ctx->discontinue_matching = 1;
                 SCReturnInt(0);
             } else {
                 match_offset = (uint32_t)((found - buffer) + cd->content_len);

diff --git a/src/detect-engine-dcepayload.c b/src/detect-engine-dcepayload.c
index 6548b1aebb95133e91af250e13946c51589d2a42..8b482f786bb6bc8a00f9c6e4cac2d5214227d532 100644 (file)
--- a/src/detect-engine-dcepayload.c
+++ b/src/detect-engine-dcepayload.c
@@ -9557,7 +9557,7 @@ int DcePayloadTest42(void)
     SCMutexUnlock(&f.m);
     /* detection phase */
     SigMatchSignatures(&tv, de_ctx, det_ctx, p);
-    if ((PacketAlertCheck(p, 1))) {
+    if (!(PacketAlertCheck(p, 1))) {
         printf("sid 1 matched but shouldn't have for packet: ");
         goto end;
     }

diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
index 75ac13746702903f61aa595297d050462a46b6a7..cc7f86479f2ede01073a88032ebdb9772a045dba 100644 (file)
--- a/src/detect-engine-payload.c
+++ b/src/detect-engine-payload.c
@@ -307,7 +307,7 @@ static int PayloadTestSig08(void)
     char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
         "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
 
-    if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 1) {
+    if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) != 1) {
         goto end;
     }
 

diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c
index e789ae9610df77d09e80f3a9103f5486c0b02ec7..9a1d79002a3d05eb1fa9e638a819dc504aa99f2e 100644 (file)
--- a/src/detect-engine-uri.c
+++ b/src/detect-engine-uri.c
@@ -2453,7 +2453,7 @@ static int UriTestSig21(void)
     /* do detect */
     SigMatchSignatures(&tv, de_ctx, det_ctx, p);
 
-    if (PacketAlertCheck(p, 1)) {
+    if (!PacketAlertCheck(p, 1)) {
         printf("sig 1 alerted, but it should not: ");
         goto end;
     }