From 04561f13d375989b25b4c17e71415ca711d0ac8f Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Thu, 5 Feb 2015 15:04:13 +0100 Subject: [PATCH] signature: set flags and test the protocol This checks if the signature's protocol is http when setup the content keyword. Also sets the proper flags based by protocol since the flag SIG_FLAG_TOSERVER has to be set if the proto is smtp, otherwise SIG_FLAG_TOCLIENT is it's http. --- src/detect-content.c | 2 +- src/detect-parse.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/detect-content.c b/src/detect-content.c index 48eb2f64fa..cd0722eae8 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -390,7 +390,7 @@ int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr) int sm_list; if (s->list != DETECT_SM_LIST_NOTSET) { - if (s->list == DETECT_SM_LIST_FILEDATA) { + if (s->list == DETECT_SM_LIST_FILEDATA && s->alproto == ALPROTO_HTTP) { AppLayerHtpEnableResponseBodyCallback(); s->alproto = ALPROTO_HTTP; } diff --git a/src/detect-parse.c b/src/detect-parse.c index d2c09af987..4b084d0e25 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1143,7 +1143,8 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) } } - if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL || + if ((s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_SMTP) || + s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL || @@ -1152,7 +1153,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s) s->flags |= SIG_FLAG_TOSERVER; s->flags &= ~SIG_FLAG_TOCLIENT; } - if (s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL || + if ((s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_HTTP) || s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { sig_flags |= SIG_FLAG_TOCLIENT; -- 2.47.3