Group signatures by protocol.

src/detect-address.c

@@ -1124,6 +1124,9 @@ DetectAddressGroup *
 DetectAddressLookupGroup(DetectAddressGroupsHead *gh, Address *a) {
     DetectAddressGroup *g;
 
+    if (gh == NULL)
+        return NULL;
+
     /* XXX should we really do this check every time we run
      * this function? */
     if (a->family == AF_INET)

src/detect-parse.c

@@ -254,12 +254,21 @@ error:
     return -1;
 }
 
+/* http://www.iana.org/assignments/protocol-numbers
+ *
+ */
 int SigParseProto(Signature *s, const char *protostr) {
     if (strcasecmp(protostr,"tcp") == 0) {
+        s->ip_proto = 6;
     } else if (strcasecmp(protostr,"udp") == 0) {
+        s->ip_proto = 17;
+    } else if (strcasecmp(protostr,"icmp") == 0) {
+        s->ip_proto = 1;
     } else if (strcasecmp(protostr,"ip") == 0) {
+        s->ip_proto = 4; /* XXX VJ does this make sense? */
     } else {
-        printf("protostr \"%s\"\n", protostr);
+        printf("Error: protostr \"%s\" not supported\n", protostr);
+        return -1;
     }
 
     return 0;

src/detect-uricontent.c

@@ -240,7 +240,11 @@ int DetectUricontentMatch (ThreadVars *t, PatternMatcherThread *pmt, Packet *p,
         return 0;
 
     if (pmt->de_have_httpuri == 1 && pmt->de_scanned_httpuri == 0) {
-        /* Scan http uri now */
+        /* don't bother scanning if we don't have a pattern matcher ctx
+         * which means we don't have uricontent sigs */
+        if (pmt->mcu == NULL)
+            return 0;
+
         //printf("DetectUricontentMatch: going to scan uri buffer(s)\n");
 
         /* scan all buffers we have */

src/detect.h

@@ -48,7 +48,7 @@ typedef struct _Signature {
     u_int8_t action; 
     DetectAddressGroupsHead src, dst;
     SigPort sp, dp;
-
+    u_int8_t ip_proto;
     u_int32_t rulegroup_refcnt;
     struct _SigMatch *match;
     struct _Signature *next;