From: Victor Julien Date: Wed, 12 Mar 2014 12:57:30 +0000 (+0100) Subject: Fix app-layer-protocol FP on multi TX flow X-Git-Tag: suricata-2.0.1rc1~93 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c9436a6aef1e79161dbaa13d8d3ead952158b4c6;p=thirdparty%2Fsuricata.git Fix app-layer-protocol FP on multi TX flow In case of multiple transactions, the stored AMATCH list would not have been reset, but it would still be reconsidered. Even though none would match, the engine would still conclude that the rule matched.
---
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 8d66764059..4a45df4a24 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -621,6 +621,9 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 FLOWLOCK_UNLOCK(f);
 }
+ /* count AMATCH matches */
+ total_matches = 0;
+
 KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_AMATCH);
 for (sm = item->nm; sm != NULL; sm = sm->next) {
 if (sigmatch_table[sm->type].AppLayerMatch != NULL &&
@@ -645,12 +648,14 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 break;
 else if (match == 2)
 inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
+ else if (match == 1)
+ total_matches++;
 }
 }
 RULE_PROFILING_END(det_ctx, s, match, p);
 if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
- if (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+ if (total_matches > 0 && (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) {
 if (sm == NULL)
 alert = 1;
 inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
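Review bot: The reset `total_matches = 0;` in the first hunk (-621,6) is only meaningful together with the `total_matches > 0` guard added in the second hunk (-645,12), and the added comment `/* count AMATCH matches */` does not say why the count must restart here; I would expand it to `/* reset per signature: AMATCH results kept from an earlier transaction must not let a rule alert when no keyword matched in this one */`. Note that the new guard changes the AMATCH decision from "nothing rejected" to "at least one keyword returned 1", so an AMATCH list whose entries are all skipped by the `if (sigmatch_table[sm->type].AppLayerMatch != NULL && ...` condition would reach `sm == NULL` with `total_matches == 0` and silently never alert; if such entries can occur, that case deserves a unit test, since the failure mode is now a missed detection rather than a false positive. The declaration of `total_matches`, the remainder of the for-loop condition and the rest of DeStateDetectContinueDetection lie outside both hunks, so whether the counter is shared with the other inspection lists cannot be confirmed from the diff.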