detect/flowbits: more permissive parsing by default

To get strict parsing, `--strict-rule-keywords=flowbits` command line option can be used. Bug: #5547.
3 years ago · 7183e766f9
parent 8174ba9e6f
commit 7183e766f9
1 changed files with 10 additions and 3 deletions
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@ -284,8 +284,15 @@ static int DetectFlowbitParse(
            strlcpy(name, token, sizeof(name));
            name_set = true;
        } else {
-            SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid flowbits keyword: %s", token);
-            return -1;
+            if (!SigMatchStrictEnabled(DETECT_FLOWBITS)) {
+                SCLogWarning(SC_ERR_INVALID_SIGNATURE,
+                        "Invalid flowbits keyword: %s. This will become an error in Suricata 7.0.",
+                        token);
+                return -4;
+            } else {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid flowbits keyword: %s", token);
+                return -1;
+            }
        }
        token = strtok_r(NULL, ",", &context);
    }
@ -327,7 +334,7 @@ int DetectFlowbitSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr

    int result = DetectFlowbitParse(de_ctx, rawstr, &cd);
    if (result < 0) {
-        return -1;
+        return result;
    } else if (result == 0 && cd == NULL) {
        s->flags |= SIG_FLAG_NOALERT;
        return 0;