Fix app-layer-protocol FP on multi TX flow

In case of multiple transactions, the stored AMATCH list would not have been reset, but it would still be reconsidered. Even though none would match, the engine would still conclude that the rule matched.
12 years ago · c9436a6aef
parent bc70fc0f79
commit c9436a6aef
1 changed files with 6 additions and 1 deletions
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@ -621,6 +621,9 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                FLOWLOCK_UNLOCK(f);
            }

+            /* count AMATCH matches */
+            total_matches = 0;
+
            KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_AMATCH);
            for (sm = item->nm; sm != NULL; sm = sm->next) {
                if (sigmatch_table[sm->type].AppLayerMatch != NULL &&
@ -645,12 +648,14 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                            break;
                        else if (match == 2)
                            inspect_flags |= DE_STATE_FLAG_SIG_CANT_MATCH;
+                        else if (match == 1)
+                            total_matches++;
                    }
            }
            RULE_PROFILING_END(det_ctx, s, match, p);

            if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
-                if (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+                if (total_matches > 0 && (sm == NULL || inspect_flags & DE_STATE_FLAG_SIG_CANT_MATCH)) {
                    if (sm == NULL)
                        alert = 1;
                    inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;