Fix app-layer-protocol FP on multi TX flow

In case of multiple transactions, the stored AMATCH list would not have
been reset, but it would still be reconsidered. Even though none would
match, the engine would still conclude that the rule matched.

diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 8d66764059dfb85b7b16076da2abe8cd10c7ae12..4a45df4a2473078417b6df7e0bbe47514d67df28 100644 (file)
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -621,6 +621,9 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 FLOWLOCK_UNLOCK(f);
             }
 
+            /* count AMATCH matches */
+            total_matches = 0;
+
             KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_AMATCH);
             for (sm = item->nm; sm != NULL; sm = sm->next) {
                 if (sigmatch_table[sm->type].AppLayerMatch != NULL &&
@@ -645,12 +648,14 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                             break;
                         else if (match == 2)
                             inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
+                        else if (match == 1)
+                            total_matches++;
                     }
             }
             RULE_PROFILING_END(det_ctx, s, match, p);
 
             if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
-                if (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+                if (total_matches > 0 && (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) {
                     if (sm == NULL)
                         alert = 1;
                     inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;