aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rule-analyzer: Ensure content counts are accurate

Browse Source 
Fix for issue 2605.  Make sure that content is counted,
even if none of the specific content types are matched.
pull/3772/head
Jeff Lucovsky 7 years ago committed by Victor Julien
parent 1c97423adf
commit 1b1fc9fee2
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File

4
src/detect-engine-analyzer.c
Unescape Escape View File

@ -1063,6 +1063,8 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx,
(DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH)) { (DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH)) {
rule_content_offset_depth++; rule_content_offset_depth++;
} }
} else {
rule_content += 1;
} }
} }
else if (sm->type == DETECT_FLOW) { else if (sm->type == DETECT_FLOW) {
@ -1246,7 +1248,7 @@ void EngineAnalysisRules(const DetectEngineCtx *de_ctx,
if (warn_encoding_norm_http_buf) { if (warn_encoding_norm_http_buf) {
fprintf(rule_engine_analysis_FD, " Warning: Rule may contain percent encoded content for a normalized http buffer match.\n"); fprintf(rule_engine_analysis_FD, " Warning: Rule may contain percent encoded content for a normalized http buffer match.\n");
} }
if (warn_tcp_no_flow /*rule_flow == 0 && rule_flow == 0 if (warn_tcp_no_flow /*rule_flow == 0 && rule_flags == 0
&& !(s->proto.flags & DETECT_PROTO_ANY) && DetectProtoContainsProto(&s->proto, IPPROTO_TCP)*/) { && !(s->proto.flags & DETECT_PROTO_ANY) && DetectProtoContainsProto(&s->proto, IPPROTO_TCP)*/) {
fprintf(rule_engine_analysis_FD, " Warning: TCP rule without a flow or flags option.\n" fprintf(rule_engine_analysis_FD, " Warning: TCP rule without a flow or flags option.\n"
" -Consider adding flow or flags to improve performance of this rule.\n"); " -Consider adding flow or flags to improve performance of this rule.\n");

Write Preview
Loading…
Cancel
Save