signature: set flags and test the protocol

This checks if the signature's protocol is http when setup the content keyword. Also sets the proper flags based by protocol since the flag SIG_FLAG_TOSERVER has to be set if the proto is smtp, otherwise SIG_FLAG_TOCLIENT is it's http.
10 years ago · 04561f13d3
parent 41a1a9f4af
commit 04561f13d3
2 changed files with 4 additions and 3 deletions
--- a/src/detect-content.c
+++ b/src/detect-content.c
@ -390,7 +390,7 @@ int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr)

    int sm_list;
    if (s->list != DETECT_SM_LIST_NOTSET) {
-        if (s->list == DETECT_SM_LIST_FILEDATA) {
+        if (s->list == DETECT_SM_LIST_FILEDATA && s->alproto == ALPROTO_HTTP) {
            AppLayerHtpEnableResponseBodyCallback();
            s->alproto = ALPROTO_HTTP;
        }
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -1143,7 +1143,8 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
        }
    }

-    if (s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL ||
+    if ((s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_SMTP) ||
+        s->sm_lists[DETECT_SM_LIST_UMATCH] != NULL ||
        s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
        s->sm_lists[DETECT_SM_LIST_HCBDMATCH] != NULL ||
        s->sm_lists[DETECT_SM_LIST_HMDMATCH] != NULL ||
@ -1152,7 +1153,7 @@ int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
        s->flags |= SIG_FLAG_TOSERVER;
        s->flags &= ~SIG_FLAG_TOCLIENT;
    }
-    if (s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL ||
+    if ((s->sm_lists[DETECT_SM_LIST_FILEDATA] != NULL && s->alproto == ALPROTO_HTTP) ||
        s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
        s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
        sig_flags |= SIG_FLAG_TOCLIENT;