From d03660a646071a69ab6c377c3be202f9b2d292d8 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 1 May 2024 07:15:53 +0200 Subject: [PATCH] detect: skip pseudo packets if sig needs real pkt If a signature uses a condition that requires a real packet, filter out pseudo packets as early as possible. To do this, the SignatureMask logic is used. This allows for the removal of checks for pseudo packets in individual keywords `Match` functions, which will be done in a follow up commit. Update analyzer to output the new flag. Ticket: #7002. --- src/detect-engine-analyzer.c | 3 +++ src/detect-engine-build.c | 7 +++++++ src/detect.h | 3 ++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index 8e90f7796a..3ae77526db 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -973,6 +973,9 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s) if (s->mask & SIG_MASK_REQUIRE_ENGINE_EVENT) { jb_append_string(ctx.js, "engine_event"); } + if (s->mask & SIG_MASK_REQUIRE_REAL_PKT) { + jb_append_string(ctx.js, "real_pkt"); + } jb_close(ctx.js); switch (s->type) { diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c index f28b0219cc..f4bc4b653b 100644 --- a/src/detect-engine-build.c +++ b/src/detect-engine-build.c @@ -406,6 +406,9 @@ void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto, bool app_decoder_events) { + if (!(PKT_IS_PSEUDOPKT(p))) { + (*mask) |= SIG_MASK_REQUIRE_REAL_PKT; + } if (!(p->flags & PKT_NOPAYLOAD_INSPECTION) && p->payload_len > 0) { SCLogDebug("packet has payload"); (*mask) |= SIG_MASK_REQUIRE_PAYLOAD; 
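Review bot: The new `PKT_IS_PSEUDOPKT(p)` check at the top of PacketCreateMask carries no comment stating which packets it admits, and the commit message says a follow-up will drop the per-keyword pseudo-packet checks on the strength of this one bit; if the macro covers only one kind of synthetic packet while other kinds exist, keywords that stop checking would start running against them. A short comment pins the contract: `/* only real (non-pseudo) packets satisfy sigs carrying SIG_MASK_REQUIRE_REAL_PKT */`. Before the follow-up removes any keyword's own check, confirm the macro's coverage against each check being removed. PacketCreateMask's body continues past the end of the hunk.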
@@ -442,6 +445,10 @@ static int SignatureCreateMask(Signature *s) { SCEnter(); + if ((s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM)) == + SIG_FLAG_REQUIRE_PACKET) { + s->mask |= SIG_MASK_REQUIRE_REAL_PKT; + } if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) { s->mask |= SIG_MASK_REQUIRE_PAYLOAD; SCLogDebug("sig requires payload"); diff --git a/src/detect.h b/src/detect.h index 87a4219de9..eb90872c80 100644 --- a/src/detect.h +++ b/src/detect.h @@ -303,7 +303,8 @@ typedef struct DetectPort_ { #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT BIT_U8(2) /* SYN, FIN, RST */ #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL BIT_U8(3) /* URG, ECN, CWR */ #define SIG_MASK_REQUIRE_NO_PAYLOAD BIT_U8(4) -// vacancy 2x +#define SIG_MASK_REQUIRE_REAL_PKT BIT_U8(5) +// vacancy 1x #define SIG_MASK_REQUIRE_ENGINE_EVENT BIT_U8(7) /* for now a uint8_t is enough */
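Review bot: The new condition in SignatureCreateMask changes which packets every packet-only signature can match, yet nothing in the patch exercises it; a unit test building one sig with SIG_FLAG_REQUIRE_PACKET only, one with both SIG_FLAG_REQUIRE_PACKET and SIG_FLAG_REQUIRE_STREAM, and one with neither, then checking s->mask for SIG_MASK_REQUIRE_REAL_PKT, would pin all three cases. The equality-against-one-bit form is also easy to misread, so a comment would help: `/* packet-only sigs (REQUIRE_PACKET set, REQUIRE_STREAM clear) need a real packet; stream-capable sigs may still match pseudo packets */`. This presumably relies on both SIG_FLAG_REQUIRE_* bits being final by the time SignatureCreateMask runs — confirm against the rule setup order. SignatureCreateMask's body continues past the end of the hunk.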
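Review bot: SIG_MASK_REQUIRE_REAL_PKT is added without the trailing comment its neighbours in this table carry (`/* SYN, FIN, RST */`, `/* URG, ECN, CWR */`), so a reader of detect.h cannot tell what the bit requires without finding PacketCreateMask; one line keeps the table self-describing: `#define SIG_MASK_REQUIRE_REAL_PKT BIT_U8(5) /* not a pseudo packet */`. The `// vacancy 1x` update correctly reflects bit 6 still being free ahead of SIG_MASK_REQUIRE_ENGINE_EVENT at bit 7, within the uint8_t the trailing comment says is enough.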