From e2c6e1be33deb4a61351d2532628fd21a47be39e Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 7 Dec 2016 11:14:20 +0100
Subject: [PATCH] detect-parse: set ipprotos earlier

A high level proto like HTTP implies TCP. However this wasn't set until after all the parsing was complete which means that keywords couldn't test if the ipproto matched. This patch populates the ipprotos right when the higher level proto is parsed.
---
 src/detect-file-data.c | 6 +++---
 src/detect-parse.c | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 1d9a5f4ee3..e598705241 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -93,9 +93,9 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, char *str
 {
 SCEnter();
- if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) &&
- s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
- s->alproto != ALPROTO_SMTP) {
+ if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
+ (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
+ s->alproto != ALPROTO_SMTP)) {
 SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
 return -1;
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 17042cb54d..b49ee57fcf 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -718,8 +718,11 @@ int SigParseProto(Signature *s, const char *protostr)
 if (r < 0) {
 s->alproto = AppLayerGetProtoByName((char *)protostr);
 /* indicate that the signature is app-layer */
- if (s->alproto != ALPROTO_UNKNOWN)
+ if (s->alproto != ALPROTO_UNKNOWN) {
 s->flags |= SIG_FLAG_APPLAYER;
+
+ AppLayerProtoDetectSupportedIpprotos(s->alproto, s->proto.proto);
+ }
 else {
 SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "protocol \"%s\" cannot be used "
 "in a signature. Either detection for this protocol "
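Review bot: In the DetectFiledataSetup hunk of src/detect-file-data.c, the rewritten condition now rejects a rule for two different reasons (the signature does not include TCP, or an app-layer protocol other than HTTP/SMTP is set), yet both still log the same `"rule contains conflicting keywords."`. A rejected rule is never evaluated, so the rule writer needs to see which constraint failed; a message such as `"file_data needs a TCP rule and, if an app-layer protocol is set, http or smtp."` would say so. With `||` the check also depends on s->proto already containing TCP for http/smtp rules when this setup function runs, which appears to hold only because of the SigParseProto change in this same patch; a short comment on the condition stating that dependency would protect it from later reordering. The function body continues past the end of the hunk.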
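Review bot: In the SigParseProto hunk of src/detect-parse.c, the added `AppLayerProtoDetectSupportedIpprotos(s->alproto, s->proto.proto);` call carries no comment explaining why the ipprotos are filled in at this point, although the stricter `||` check in DetectFiledataSetup now relies on it. A line above the call such as `/* populate ipprotos now so keyword setup can test them, e.g. http implies tcp */` would record the ordering requirement that today lives only in the commit message. The commit message says the ipprotos used to be set after all parsing was complete; that later site is outside this hunk, so it is worth confirming whether it is still required or has become redundant. Separately, the new closing `}` sits on its own line ahead of `else {`; `} else {` would read more consistently now that both branches are braced. SigParseProto starts and ends outside the hunk.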