From c99e15934104bee6a68258770736fb6e481cf5a6 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Mon, 22 Sep 2025 15:41:39 +0200
Subject: [PATCH] detect/files: support protocols only over udp

Ticket: 7973

Files were supported on both TCP and UDP. But file detection keywords
such as file.data made signatures loading fail if the signature
was using an app-layer protocol that enabled on udp only, even
if the signatures could run smoothly.
---
 src/detect-file-data.c | 10 +++-------
 src/detect-parse.c     |  6 ++++--
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index a8cd7bc65f..cdc218f840 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -207,13 +207,9 @@ static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const cha
 {
     SCEnter();
 
-    if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP)) {
-        SCLogError("The 'file_data' keyword cannot be used with non-TCP protocols");
-        return -1;
-    }
-
-    if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto)) {
-        SCLogError("The 'file_data' keyword cannot be used with TCP protocol %s",
+    if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto) &&
+            !AppLayerParserSupportsFiles(IPPROTO_UDP, s->alproto)) {
+        SCLogError("The 'file_data' keyword cannot be used with protocol %s",
                 AppLayerGetProtoName(s->alproto));
         return -1;
     }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 47bd49d563..030fb88124 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -2764,7 +2764,8 @@ static int SigValidateFileHandling(const Signature *s)
         SCReturnInt(1);
     }
 
-    if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto)) {
+    if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto) &&
+            !AppLayerParserSupportsFiles(IPPROTO_UDP, s->alproto)) {
         SCLogError("protocol %s doesn't "
                    "support file matching",
                 AppProtoToString(s->alproto));
@@ -2776,7 +2777,8 @@ static int SigValidateFileHandling(const Signature *s)
             if (s->init_data->alprotos[i] == ALPROTO_UNKNOWN) {
                 break;
             }
-            if (AppLayerParserSupportsFiles(IPPROTO_TCP, s->init_data->alprotos[i])) {
+            if (AppLayerParserSupportsFiles(IPPROTO_TCP, s->init_data->alprotos[i]) ||
+                    AppLayerParserSupportsFiles(IPPROTO_UDP, s->init_data->alprotos[i])) {
                 found = true;
                 break;
             }