if a sig's set as stream sig only, don't updated it as both stream and pkt sig if offset/depth's present

bug #495 - update rule analyzer to not warn on offset_depth-tcp_pkt update if sig is stream only bug #497 - rule_warnings fixed
13 years ago · bf6cd48259
parent b2f589527a
commit bf6cd48259
2 changed files with 13 additions and 3 deletions
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@ -210,6 +210,8 @@ void EngineAnalysisRules(Signature *s, char *line)
    uint32_t warn_method_serverbody = 0;
    uint32_t warn_pcre_method = 0;
    uint32_t warn_encoding_norm_http_buf = 0;
+    uint32_t warn_offset_depth_pkt_stream = 0;
+    uint32_t warn_offset_depth_alproto = 0;

    if (s->init_flags & SIG_FLAG_INIT_BIDIREC) {
        rule_bidirectional = 1;
@ -437,6 +439,14 @@ void EngineAnalysisRules(Signature *s, char *line)
            warn_pcre_method = 1;
        }
    }
+    if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
+        rule_warning += 1;
+        warn_offset_depth_pkt_stream = 1;
+    }
+    if (rule_content_offset_depth > 0 && !stream_buf && packet_buf && s->alproto != ALPROTO_UNKNOWN) {
+        rule_warning += 1;
+        warn_offset_depth_alproto = 1;
+    }

    if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
        fprintf(rule_engine_analysis_FD, "== Sid: %u ==\n", s->id);
@ -514,7 +524,7 @@ void EngineAnalysisRules(Signature *s, char *line)
                               && (rule_pcre > 0 || rule_pcre_http > 0)*/) {
            fprintf(rule_engine_analysis_FD, "    Warning: Rule uses pcre with only a http_method content; possible performance issue.\n");
        }
-        if (rule_content_offset_depth > 0 && s->flags & SIG_FLAG_REQUIRE_STREAM) {
+        if (warn_offset_depth_pkt_stream) {
            fprintf(rule_engine_analysis_FD, "    Warning: Rule has depth"
                    "/offset with raw content keywords.  Please note the "
                    "offset/depth will be checked against both packet "
@ -522,7 +532,7 @@ void EngineAnalysisRules(Signature *s, char *line)
                    "depth checked against just the payload, you can update "
                    "the signature as \"alert tcp-pkt...\"\n");
        }
-        if (rule_content_offset_depth > 0 && s->alproto != ALPROTO_UNKNOWN) {
+        if (warn_offset_depth_alproto) {
            fprintf(rule_engine_analysis_FD, "    Warning: Rule has "
                    "offset/depth set along with a match on a specific "
                    "app layer protocol - %d.  This can lead to FNs if we "
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -1121,7 +1121,7 @@ static int SigValidate(Signature *s) {
        }
    }

-    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+    if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
        s->flags |= SIG_FLAG_REQUIRE_STREAM;
        SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
        while (sm != NULL) {