fix FNs for flow- only_stream and no_stream options

13 years ago · 493c3db413
parent ad36d55771
commit 493c3db413
3 changed files with 12 additions and 0 deletions
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@ -135,6 +135,14 @@ int DetectFlowMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
        cnt++;
    }

+    if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH) {
+        if (fd->flags & FLOW_PKT_ONLYSTREAM)
+            cnt++;
+    } else {
+        if (fd->flags & FLOW_PKT_NOSTREAM)
+            cnt++;
+    }
+
    int ret = (fd->match_cnt == cnt) ? 1 : 0;
    SCLogDebug("returning %" PRId32 " cnt %" PRIu8 " fd->match_cnt %" PRId32 " fd->flags 0x%02X p->flowflags 0x%02X",
        ret, cnt, fd->match_cnt, fd->flags, p->flowflags);
--- a/src/detect.c
+++ b/src/detect.c
@ -1566,6 +1566,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                        if (DetectEngineInspectStreamPayload(de_ctx, det_ctx, s, p->flow, smsg_inspect->data.data, smsg_inspect->data.data_len) == 1) {
                            SCLogDebug("match in smsg %p", smsg);
                            pmatch = 1;
+                            det_ctx->flags |= DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH;
                            /* Tell the engine that this reassembled stream can drop the
                             * rest of the pkts with no further inspection */
                            if (s->action & ACTION_DROP)
@ -1635,6 +1636,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                }
            }
        }
+        if (det_ctx->flags & DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH)
+            det_ctx->flags &= ~DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH;

        SCLogDebug("s->sm_lists[DETECT_SM_LIST_AMATCH] %p, "
                "s->sm_lists[DETECT_SM_LIST_UMATCH] %p, "
--- a/src/detect.h
+++ b/src/detect.h
@ -282,6 +282,7 @@ typedef struct DetectPort_ {

 #define DETECT_ENGINE_THREAD_CTX_INSPECTING_PACKET 0x0001
 #define DETECT_ENGINE_THREAD_CTX_INSPECTING_STREAM 0x0002
+#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH 0x0004

 #define FILE_SIG_NEED_FILE          0x01
 #define FILE_SIG_NEED_FILENAME      0x02