From: Giuseppe Longo Date: Thu, 5 Feb 2015 14:04:13 +0000 (+0100) Subject: signature: set flags and test the protocol X-Git-Tag: suricata-2.1beta4~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=04561f13d375989b25b4c17e71415ca711d0ac8f;p=thirdparty%2Fsuricata.git signature: set flags and test the protocol This checks if the signature's protocol is http when setup the content keyword. Also sets the proper flags based by protocol since the flag SIG_FLAG_TOSERVER has to be set if the proto is smtp, otherwise SIG_FLAG_TOCLIENT is it's http.
---
diff --git a/src/detect-content.c b/src/detect-content.c
index 48eb2f64fa..cd0722eae8 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -390,7 +390,7 @@ int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr)
 int sm_list;
 if (s->list != DETECT_SM_LIST_NOTSET) {
- if (s->list == DETECT_SM_LIST_FILEDATA) {
+ if (s->list == DETECT_SM_LIST_FILEDATA && s->alproto == ALPROTO_HTTP) {
 AppLayerHtpEnableResponseBodyCallback();
 s->alproto = ALPROTO_HTTP;
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index d2c09af987..4b084d0e25 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1143,7 +1143,8 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 }
 }
- if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL ||
+ if ((s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_SMTP) ||
+ s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL ||
 s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
 s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
 s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL ||
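Review bot: With the added `s->alproto == ALPROTO_HTTP` test in DetectContentSetup, the assignment `s->alproto = ALPROTO_HTTP;` inside the branch is now a no-op. A file_data signature whose alproto is still unset when its content keyword is parsed also no longer gets AppLayerHtpEnableResponseBodyCallback() from this path. Unless the file_data keyword's own setup (not visible in this diff) enables the callback, such a rule could load without error and still never be given a response body to inspect, which is a silent detection gap. I would drop the dead assignment and state the dependency in a comment, e.g. `/* alproto must already be HTTP here; file_data setup is expected to handle the unset case */`. The function body starts and ends outside the hunk.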
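Review bot: A signature that has a DETECT_SM_LIST_FILEDATA list but whose `s->alproto` is neither ALPROTO_SMTP nor ALPROTO_HTTP when SigValidate runs now matches neither this to-server condition nor the to-client one in the following hunk (@@ -1152), where before the change file_data alone always forced to-client. If file_data can reach this point with alproto unset, the rule would keep whatever direction flags it already had, and the traffic it inspects changes without any warning at load time. Consider keeping the old default by writing the second test as `s->alproto != ALPROTO_SMTP`, or rejecting the combination with an explicit error. The rest of this condition and its body lie outside the hunk.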
@@ -1152,7 +1153,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 s->flags |= SIG_FLAG_TOSERVER;
 s->flags &= ~SIG_FLAG_TOCLIENT;
 }
- if (s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL ||
+ if ((s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_HTTP) ||
 s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
 s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
 sig_flags |= SIG_FLAG_TOCLIENT;
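Review bot: Nothing near these two conditions says why file_data maps to opposite directions depending on the protocol; the only explanation is in the commit message. A one-line comment above this `if` would make the intent reviewable, e.g. `/* file_data on HTTP inspects the response body, so the rule is to-client only */`. A counterpart above the to-server condition in the previous hunk could read `/* file_data on SMTP: presumably the inspected data travels to the server */`, with the wording confirmed against the SMTP parser. The body of this `if` continues outside the hunk.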