detect: fix FP on ICMP unreachable errors

ICMP unreachable errors are linked to the flow they send an error for. This would lead to the detection engine calling the TX inspection engines on them. The stream inspect engine would default to a match for non-UDP and non-TCP as for ICMP we're not expected to use a TX inspect engine for stream data. This all would lead to a false positive match. This patch fixes this by making sure the TX engines are not called if the packet protocol and flow protocol are not the same. Bug #2841.
OISF · Aug 23, 2019 · 6f5b81c · 6f5b81c
1 parent 1cc733e
commit 6f5b81c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/detect.c b/src/detect.c
@@ -135,8 +135,8 @@ static void DetectRun(ThreadVars *th_v,
     DetectRulePacketRules(th_v, de_ctx, det_ctx, p, pflow, &scratch);
     PACKET_PROFILING_DETECT_END(p, PROF_DETECT_RULES);
 
-    /* run tx/state inspection */
-    if (pflow && pflow->alstate) {
+    /* run tx/state inspection. Don't call for ICMP error msgs. */
+    if (pflow && pflow->alstate && likely(pflow->proto == p->proto)) {
         PACKET_PROFILING_DETECT_START(p, PROF_DETECT_TX);
         DetectRunTx(th_v, de_ctx, det_ctx, p, pflow, &scratch);
         PACKET_PROFILING_DETECT_END(p, PROF_DETECT_TX);