detect: don't eval SIG_TYPE_APPLAYER against ffr packets
SIG_TYPE_APPLAYER are mostly the same as SIG_TYPE_PKT, except that a
rule match will apply a drop/pass to the flow.

Example of a SIG_TYPE_APPLAYER rule.

```
alert http any any -> any any (sid: 1;)
```
victorjulien committed Nov 28, 2024
1 parent 9deeb03 commit e80a559
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/detect.c
Expand Up @@ -782,7 +782,7 @@ static inline void DetectRulePacketRules(
}

/* skip pkt sigs for flow end packets */
if ((p->flags & PKT_PSEUDO_STREAM_END) != 0 && s->type == SIG_TYPE_PKT)
if ((p->flags & PKT_PSEUDO_STREAM_END) != 0 && (s->type == SIG_TYPE_PKT || s->type == SIG_TYPE_APPLAYER))
goto next;

/* don't run mask check for stateful rules.
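Review bot: The comment directly above the changed condition still says "skip pkt sigs for flow end packets", but the condition now also skips signatures with s->type == SIG_TYPE_APPLAYER when PKT_PSEUDO_STREAM_END is set. Update the comment to name both signature types and give the reason in one line; the commit message says these rules are mostly the same as SIG_TYPE_PKT except that a match applies drop/pass to the flow, and that is worth stating next to the check. The new condition is also long for a single line, so consider wrapping it after the && to keep it readable. A regression test using the rule from the commit message, `alert http any any -> any any (sid: 1;)`, evaluated against a flow end pseudo packet would pin the new behaviour.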