detect-engine: use only the exact match fn

DetectFlagsSignatureNeedsSynPackets checks if TCP SYN flag is set among other flags. DetectFlagsSignatureNeedsSynOnlyPackets checks if only TCP SYN flag is set and no other flag. Since DetectFlagsSignatureNeedsSynOnlyPackets also already checks for TCP SYN flag, it does not need to be used in combination with DetectFlagsSignatureNeedsSynPackets as this fn seems to be the superset of the former.
1 year ago · 1f78a4fcd8
parent d3ccff5822
commit 1f78a4fcd8
1 changed files with 5 additions and 8 deletions
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@ -1141,8 +1141,7 @@ static int RuleSetWhitelist(Signature *s)
            SCLogDebug("Rule %u No MPM. Payload inspecting. Whitelisting SGH's.", s->id);
            wl = 55;
-        } else if (DetectFlagsSignatureNeedsSynPackets(s) &&
+        } else if (DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
                   DetectFlagsSignatureNeedsSynOnlyPackets(s)) {
            SCLogDebug("Rule %u Needs SYN, so inspected often. Whitelisting SGH's.", s->id);
            wl = 33;
        }
@ -1189,12 +1188,10 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, uint8_t ipproto, u
        /* see if we want to exclude directionless sigs that really care only for
         * to_server syn scans/floods */
-        if ((direction == SIG_FLAG_TOCLIENT) &&
+        if ((direction == SIG_FLAG_TOCLIENT) && DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
-             DetectFlagsSignatureNeedsSynPackets(s) &&
+                ((s->flags & (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) ==
-             DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
+                        (SIG_FLAG_TOSERVER | SIG_FLAG_TOCLIENT)) &&
-            ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) &&
+                (!(s->dp->port == 0 && s->dp->port2 == 65535))) {
            (!(s->dp->port == 0 && s->dp->port2 == 65535)))
        {
            SCLogWarning("rule %u: SYN-only to port(s) %u:%u "
                         "w/o direction specified, disabling for toclient direction",
                    s->id, s->dp->port, s->dp->port2);