From 86222428dd51adf2b6ff562a49e0e1ed22e0da76 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 8 Feb 2017 13:55:34 +0100
Subject: [PATCH] detect: don't run IP inspection on non-IP packets
The code to get the rule group (sgh) would return the group for IP proto 0 instead of nothing. This lead to certain types of rules unintentionally matching (False Positive). Since the packets weren't actually IP, the logged alert records were missing the IP header. Bug #2017.
---
src/detect.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/detect.c b/src/detect.c
index 479d0db192..5660c28339 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -588,6 +588,11 @@ SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThre
 * the decoder events sgh we have. */
 if (p->proto == 0 && p->events.cnt > 0) {
 SCReturnPtr(de_ctx->decoder_event_sgh, "SigGroupHead");
+ } else if (p->proto == 0) {
+ if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
+ /* not IP, so nothing to do */
+ SCReturnPtr(NULL, "SigGroupHead");
+ }
 }
 /* select the flow_gh */
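Review bot: The new non-IP guard in the `else if` branch is only reached when `p->proto == 0`, so a packet that is neither IPv4 nor IPv6 but carries a non-zero `proto` (if a decoder or a reused packet can leave one behind — not visible from this hunk) still falls through to the IP-based group selection below, which is exactly the false-positive path the commit is closing. The `PKT_IS_IPV4(p) || PKT_IS_IPV6(p)` test is the real discriminator and does not need the proto gate; I would collapse the two levels to `} else if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {` followed by `SCReturnPtr(NULL, "SigGroupHead");`, keeping the decoder-event branch first so non-IP packets with decode errors still get `decoder_event_sgh`. If NULL was not a possible return of this function before the change, each caller needs to be checked for a NULL guard, and the function's header comment should state that a NULL result means "no signature group applies, skip inspection". SigMatchSignaturesGetSgh starts before this hunk and continues past it.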