Fix a case where alerting in inline mode would lead dropping on alert sigs.

15 years ago · 8d0bc27fc4
parent 5a10eac5bd
commit 8d0bc27fc4
1 changed files with 5 additions and 1 deletions
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@ -253,12 +253,16 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx

            /* set verdict on packet */
            p->action |= p->alerts.alerts[i].action;
+
            if (p->alerts.alerts[i].action & ACTION_PASS) {
                /* Ok, reset the alert cnt to end in the previous of pass
                 * so we ignore the rest with less prio */
                p->alerts.cnt = i;
                break;
-            } else if ( ((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
+            /* if the signature wants to drop, check if the
+             * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
+            } else if (p->alerts.alerts[i].action & ACTION_DROP &&
+                    ((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
                         (s->flags & SIG_FLAG_APPLAYER))
                       && p->flow != NULL)
            {