From 6fbd7483d6a31fbbe97ee60a13191a2d823975cb Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 5 Mar 2026 14:26:26 +0100
Subject: [PATCH] detect/parse: limit pkthdr proto to decoder event rules

`alert pkthdr` was initially just an alias for `alert ip`, as that was really just a way of stating that "any" should be matched. However with the Ethernet matching in place, it no long makes sense to treat `alert ip` as "any". Since `pkthdr` is used to match on decoder events, also for packets that completely failed to parse, it should no longer be treated as `alert ip` but rather as it's own distinct logic.
---
 src/detect-parse.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 20e1b2ab9c..8e810d0cbc 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -2813,6 +2813,16 @@ static bool SigValidateEthernet(const Signature *s)
     return true;
 }
 
+/* `pkthdr` is meant to allow matching on "any" packet with a decoder event. */
+static bool SigValidateProtoPkthdr(const Signature *s)
+{
+    if ((s->init_data->proto.flags & DETECT_PROTO_L2_ANY) && s->type != SIG_TYPE_DEONLY) {
+        SCLogError("protocol 'pkthdr' is for decoder-events only");
+        return false;
+    }
+    return true;
+}
+
 /**
  * \internal
  * \brief validate and consolidate parsed signature
@@ -2856,6 +2866,10 @@ static int SigValidateConsolidate(
     SignatureSetType(de_ctx, s);
     DetectRuleSetTable(s);
 
+    if (!SigValidateProtoPkthdr(s)) {
+        SCReturnInt(0);
+    }
+
     if (DetectProtoFinalizeSignature(s) != 0)
         SCReturnInt(0);
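Review bot: The error emitted in SigValidateProtoPkthdr does not identify which rule was rejected, so in a large ruleset the author is left searching for the `pkthdr` signature that is not decoder-event-only; consider carrying the signature id, e.g. `SCLogError("rule %u: protocol 'pkthdr' is for decoder-events only", s->id);`. The check also relies on s->type already having been assigned, which the second hunk satisfies by placing the call after SignatureSetType, but nothing records that ordering; a call-site comment such as `/* needs s->type, assigned by SignatureSetType() above */` would keep a later reorder from silently disabling the guard. The added header comment explains what `pkthdr` is for but not what the function does; a Doxygen `\brief` block in the style of the SigValidateConsolidate comment just below, stating that it rejects rules carrying DETECT_PROTO_L2_ANY whose type is not SIG_TYPE_DEONLY and returns false in that case, would make the contract explicit. Whether DETECT_PROTO_L2_ANY can be set by anything other than `pkthdr` is not visible in this hunk; if it can, the message text would misattribute the cause.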