detect/mark: use postmatch instead of tag list

Keep the tag list for just tags. Post match list is better so the keyword also works with pass and noalert rules.
6 years ago · 6bf35a42f1
parent 4dbf600d64
commit 6bf35a42f1
1 changed files with 3 additions and 2 deletions
--- a/src/detect-mark.c
+++ b/src/detect-mark.c
@ -200,8 +200,9 @@ static int DetectMarkSetup (DetectEngineCtx *de_ctx, Signature *s, const char *r
    sm->type = DETECT_MARK;
    sm->ctx = (SigMatchCtx *)data;

-    /* Append it to the list of tags */
-    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TMATCH);
+    /* Append it to the list of post match, so the mark is set if the
+     * full signature matches. */
+    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
    return 0;
 #endif
 }