From 6bf35a42f194789ee4dd2a9aea624e9a9fd61656 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 16 Mar 2019 08:07:14 +0100
Subject: [PATCH] detect/mark: use postmatch instead of tag list

Keep the tag list for just tags. Post match list is better so the keyword also works with pass and noalert rules.
---
 src/detect-mark.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/detect-mark.c b/src/detect-mark.c
index bdb8fe0e21..093f1b126f 100644
--- a/src/detect-mark.c
+++ b/src/detect-mark.c
@@ -200,8 +200,9 @@ static int DetectMarkSetup (DetectEngineCtx *de_ctx, Signature *s, const char *r
 sm->type = DETECT_MARK;
 sm->ctx = (SigMatchCtx *)data;
 
- /* Append it to the list of tags */
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TMATCH);
+ /* Append it to the list of post match, so the mark is set if the
+ * full signature matches. */
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
 return 0;
 #endif
 }
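Review bot: The new comment above the `SigMatchAppendSMToList` call says when the mark is set but not why the post-match list was chosen, which is what a later reader needs in order not to move it back to `DETECT_SM_LIST_TMATCH`. Going by the commit message, the reason is that the keyword did not take effect on pass and noalert rules while it sat in the tag list; I would say so in the comment, e.g. `/* Post-match list rather than the tag list, so the mark is also set for pass and noalert rules once the full signature matches. */`. Because this widens the set of rules that mark packets, rulesets that already carry `mark` on pass or noalert rules will presumably start marking traffic after the change, so any downstream policy keyed on the mark should be re-checked and the behaviour change noted for upgraders. The body of DetectMarkSetup begins outside the hunk, so the allocation and error paths for `sm` are not visible here.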