From 21d79b05ad71cbddc2b40beffdea0a70adc19ac7 Mon Sep 17 00:00:00 2001
From: Pablo Rincon
Date: Wed, 28 Jul 2010 15:06:15 +0200
Subject: [PATCH] Fix for bug221 (avoid considering sig as "decoder event only" if ports are specified). Now the sig gets grouped to get a sgh at SigMatchSignatures
---
 src/detect.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/detect.c b/src/detect.c
index d7686157b9..4b510c9020 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1328,6 +1328,12 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, Signature *s) {
 if (s->amatch != NULL)
 return 0;
+ if ( !(s->flags & SIG_FLAG_DP_ANY) ||
+ !(s->flags & SIG_FLAG_SP_ANY))
+ {
+ return 0;
+ }
+
 SigMatch *sm = s->match;
 if (sm == NULL)
 goto deonly;
@@ -1361,6 +1367,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
 uint32_t cnt = 0, cnt_iponly = 0;
 uint32_t cnt_payload = 0;
 uint32_t cnt_applayer = 0;
+ uint32_t cnt_deonly = 0;
 //DetectAddressPrintMemory();
 //DetectSigGroupPrintMemory();
@@ -1403,6 +1410,7 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
 } else if (SignatureIsDEOnly(de_ctx, tmp_s) == 1) {
 tmp_s->flags |= SIG_FLAG_DEONLY;
 SCLogDebug("Signature %"PRIu32" is considered \"Decoder Event only\"", tmp_s->id);
+ cnt_deonly++;
 }
 if (tmp_s->flags & SIG_FLAG_APPLAYER) {
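Review bot: The new port guard in SignatureIsDEOnly (first hunk) carries no comment saying why a port restriction disqualifies a rule from the decoder-event-only class, and the commit adds no regression test for bug221: all ten insertions are accounted for by the four hunks, none of which is a test. Above the `if` I would add `/* a sig with explicit src/dst ports must be port-grouped into a sgh, so it cannot be DE-only (bug221) */`. Because this classification appears to decide which inspection path a rule takes, a unit test that loads a decoder-event rule with a non-any port and asserts that SIG_FLAG_DEONLY stays clear would keep the fix from regressing silently. The guard looks at ports only; whether rules with non-any addresses are excluded elsewhere cannot be seen here, since the function body continues past the end of the hunk.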
@@ -1466,8 +1474,8 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx) {
 //DetectPortPrintMemory();
 if (!(de_ctx->flags & DE_QUIET)) {
- SCLogInfo("%" PRIu32 " signatures processed. %" PRIu32 " are IP-only rules, %" PRIu32 " are inspecting packet payload, %"PRIu32" inspect application layer",
- de_ctx->sig_cnt, cnt_iponly, cnt_payload, cnt_applayer);
+ SCLogInfo("%" PRIu32 " signatures processed. %" PRIu32 " are IP-only rules, %" PRIu32 " are inspecting packet payload, %"PRIu32" inspect application layer, %"PRIu32" are decoding event only",
+ de_ctx->sig_cnt, cnt_iponly, cnt_payload, cnt_applayer, cnt_deonly);
 SCLogInfo("building signature grouping structure, stage 1: "
 "adding signatures to signature source addresses... done");
 }
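Review bot: The startup summary names the new class "decoding event only", while the debug message emitted where SIG_FLAG_DEONLY is set calls it "Decoder Event only"; anyone grepping the logs to confirm how a ruleset was classified is better served by a single term. I would end the format string with `%" PRIu32 " are decoder event only"`, which also matches the spacing used for the first three specifiers on that line. The five specifiers and five arguments line up, so there is no format/argument mismatch in the new call. SigAddressPrepareStage1 begins and ends outside this hunk.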