From: Anoop Saldanha
Date: Mon, 20 May 2013 15:46:41 +0000 (+0530)
Subject: Allow protocols to have both app layer keywords, as well as transaction
X-Git-Tag: suricata-2.0beta1~138
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9219079e1a02b8e3d6ea5969324800fe6efc65b1;p=thirdparty%2Fsuricata.git

Allow protocols to have both app layer keywords, as well as transaction based ones. Our general logic and assumption is protocols either support one of the above and not have both.
---
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index e0df3ecdf9..21817055b8 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -250,6 +250,10 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
     int match = 0;
     int store_de_state = 0;
     uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
+    /* this was introduced later to allow protocols that had both app
+     * keywords with transaction keywords. Without this we would
+     * assume that we have an alert if engine == NULL */
+    int total_matches = 0;
     int alert_cnt = 0;
 
@@ -268,6 +272,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
         tx_id = AppLayerTransactionGetInspectId(f, flags);
         total_txs = AppLayerGetTxCnt(alproto, htp_state);
         for (; tx_id < total_txs; tx_id++) {
+            total_matches = 0;
             tx = AppLayerGetTx(alproto, alstate, tx_id);
             if (tx == NULL)
                 continue;
@@ -281,6 +286,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 if (match == 1) {
                     inspect_flags |= engine->inspect_flags;
                     engine = engine->next;
+                    total_matches++;
                     continue;
                 } else if (match == 2) {
                     inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
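Review bot: The comment added above `int total_matches = 0;` in the -250 hunk records when the variable was introduced rather than what it counts, which is what the reader of the later `engine == NULL && total_matches > 0` test needs. From the visible hunks it is incremented only in the `match == 1` branch and reset per transaction, so something like `/* number of inspection engines that matched for the current tx; an exhausted engine list (engine == NULL) only counts as an alert if at least one engine actually matched */` states the contract directly. The same historical comment is duplicated verbatim in DeStateDetectContinueDetection at the -421 hunk and should be replaced there as well. DeStateDetectStartDetection begins and ends outside these hunks.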
@@ -297,7 +303,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
             /* all the engines seem to be exhausted at this point. If we
              * didn't have a match in one of the engines we would have
              * broken off and engine wouldn't be NULL. Hence the alert. */
-            if (engine == NULL)
+            if (engine == NULL && total_matches > 0)
                 alert_cnt++;
 
             if (tx_id == (total_txs - 1)) {
@@ -421,6 +427,10 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
     uint64_t total_txs = 0;
     uint8_t alproto_supports_txs = 0;
     uint8_t reset_de_state = 0;
+    /* this was introduced later to allow protocols that had both app
+     * keywords with transaction keywords. Without this we would
+     * assume that we have an alert if engine == NULL */
+    uint8_t total_matches = 0;
     uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
 
     DeStateResetFileInspection(f, alproto, alstate, flags);
@@ -448,6 +458,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
             store_cnt < DE_STATE_CHUNK_SIZE &&
             state_cnt < dir_state->cnt;
             store_cnt++, state_cnt++) {
 
+            total_matches = 0;
             DeStateStoreItem *item = &store->store[store_cnt];
             Signature *s = de_ctx->sig_array[item->sid];
@@ -536,6 +547,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 if (match == 1) {
                     inspect_flags |= engine->inspect_flags;
                     engine = engine->next;
+                    total_matches++;
                     continue;
                 } else if (match == 2) {
                     inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
@@ -549,7 +561,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 }
                 engine = engine->next;
             }
-            if (engine == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+            if (total_matches > 0 && (engine == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) {
                 if (engine == NULL)
                     alert = 1;
                 inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
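Review bot: The three-line comment directly above the changed condition in the -297 hunk still says the alert follows from `engine == NULL` alone, which the new `&& total_matches > 0` makes untrue; a reader will trust the comment over the code. Suggest ending it with `... wouldn't be NULL. Only alert if at least one engine matched, so an empty engine list is not treated as a match. */`. The enclosing loop and function continue outside the hunk.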
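Review bot: In the -421 hunk the counter is declared `uint8_t total_matches = 0;` while the same counter in DeStateDetectStartDetection (the -250 hunk) is `int total_matches = 0;`. It is incremented once per matching engine, so the 8-bit version wraps to 0 after 256 increments and would then silently fail the `total_matches > 0` test at the -549 hunk; that count is probably unreachable in practice, but the type mismatch between two copies of the same logic is gratuitous. Use `int total_matches = 0;` in both places. DeStateDetectContinueDetection begins and ends outside these hunks.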
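Review bot: Prepending `total_matches > 0 &&` in the -549 hunk also changes the DE_STATE_FLAG_SIG_CANT_MATCH path: a signature whose first engine returns match == 2 has `total_matches == 0`, so it no longer enters this block and no longer receives DE_STATE_FLAG_FULL_INSPECT, whereas before the commit it did. If a can't-match signature should still be marked fully inspected rather than re-evaluated on the next call, the new guard belongs only on the `engine == NULL` arm: `if ((engine == NULL && total_matches > 0) || (inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) {`. If the narrowing is intentional, a one-line comment saying so would stop the next reader from "fixing" it; I cannot see the rest of the block, so this is inferred from the two visible lines. Either way, parenthesising the `&` term improves readability against the surrounding `||`.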