diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c
index ce91c9d4f7..733775525a 100644
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@@ -404,6 +404,12 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx,
 PacketAlertHandle(de_ctx,s,p);
 /* set verdict on packet */
 p->action |= s->action;
+ if (p->flow != NULL) {
+ if (s->action & ACTION_DROP) p->flow->flags |= FLOW_ACTION_DROP;
+ if (s->action & ACTION_REJECT) p->flow->flags |= FLOW_ACTION_DROP;
+ if (s->action & ACTION_REJECT_DST) p->flow->flags |= FLOW_ACTION_DROP;
+ if (s->action & ACTION_REJECT_BOTH) p->flow->flags |= FLOW_ACTION_DROP;
+ }
 }
 }
 }
diff --git a/src/detect.c b/src/detect.c
index faba6f32a2..c40e246a7a 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -554,8 +554,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 IPOnlyMatchPacket(de_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
 /* save in the flow that we scanned this direction... locking is
 * done in the FlowSetIPOnlyFlag function. */
- if (p->flow != NULL)
+ if (p->flow != NULL) {
 FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
+ }
+ } else if (((p->flowflags & FLOW_PKT_TOSERVER && (p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
+ (p->flowflags & FLOW_PKT_TOCLIENT && (p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) &&
+ p->flow != NULL) {
+ /* Get the result of the first IPOnlyMatch() */
+ if (p->flow->flags & FLOW_ACTION_DROP) p->flow->flags |= ACTION_DROP;
 }
 /* we assume we have an uri when we start inspection */
diff --git a/src/flow.h b/src/flow.h
index a420fbbcb2..842e8d71e9 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -19,6 +19,8 @@
 #define FLOW_PKT_NOSTREAM 0x40
 #define FLOW_PKT_STREAMONLY 0x80
+#define FLOW_ACTION_DROP 0x100
+
 /* global flow config */
 typedef struct FlowCnf_ {
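Review bot: The new writes to `p->flow->flags` in IPOnlyMatchPacket take no flow lock anywhere in the hunk, while the comment in the detect.c hunk says FlowSetIPOnlyFlag does its own locking, which suggests this word is shared between threads; the update belongs in a helper that takes the same lock. The four tests also collapse into one: `if (s->action & (ACTION_DROP|ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) p->flow->flags |= FLOW_ACTION_DROP;`. FLOW_ACTION_DROP is defined in flow.h next to the FLOW_PKT_* packet flags but is stored in the flow's own flag word, so it is worth confirming that 0x100 is unused there and fits the field's width. The function body starts and ends outside the hunk.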
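Review bot: The new else-if branch in SigMatchSignatures stores the verdict in the wrong field: `p->flow->flags |= ACTION_DROP;` ORs a packet action bit into the flow's flag word and never touches `p->action`. Packets that skip IP-only inspection because their direction is already marked therefore do not inherit the drop recorded by the first match, so an IP-only drop or reject rule would apparently act only on the first packet in each direction. Going by the comment above it, the line was meant to be `if (p->flow->flags & FLOW_ACTION_DROP) p->action |= ACTION_DROP;`. The read of `p->flow->flags` is also done without the flow lock that FlowSetIPOnlyFlag is said to take, and the function continues outside the hunk.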