From a8a1082f93417b15e513a242d7a92c7273754f4b Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Sat, 7 Jul 2012 11:52:20 +0530
Subject: [PATCH 2/2] if a sig's set as stream sig only, don't updated it as both stream and pkt sig if offset/depth's present

bug #495 - update rule analyzer to not warn on offset_depth-tcp_pkt update if sig is stream only
bug #497 - rule_warnings fixed
---
 src/detect-engine-analyzer.c | 14 ++++++++++++--
 src/detect-parse.c | 2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index d802cbc..3f4776e 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -210,6 +210,8 @@ void EngineAnalysisRules(Signature *s, char *line)
     uint32_t warn_method_serverbody = 0;
     uint32_t warn_pcre_method = 0;
     uint32_t warn_encoding_norm_http_buf = 0;
+    uint32_t warn_offset_depth_pkt_stream = 0;
+    uint32_t warn_offset_depth_alproto = 0;
 
     if (s->init_flags & SIG_FLAG_INIT_BIDIREC) {
         rule_bidirectional = 1;
@@ -437,6 +439,14 @@ void EngineAnalysisRules(Signature *s, char *line)
             warn_pcre_method = 1;
         }
     }
+    if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
+        rule_warning += 1;
+        warn_offset_depth_pkt_stream = 1;
+    }
+    if (rule_content_offset_depth > 0 && !stream_buf && packet_buf && s->alproto != ALPROTO_UNKNOWN) {
+        rule_warning += 1;
+        warn_offset_depth_alproto = 1;
+    }
     if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
         fprintf(rule_engine_analysis_FD, "== Sid: %u ==\n", s->id);
 
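Review bot: The second new condition, `rule_content_offset_depth > 0 && !stream_buf && packet_buf && s->alproto != ALPROTO_UNKNOWN`, narrows the app-layer-protocol warning to packet-only rules, so a rule with offset/depth that is both stream and packet and pins an alproto no longer gets that warning at all; the commit message mentions only the tcp-pkt/stream case, so if this narrowing is intended it deserves a comment on the line, e.g. `/* alproto warning is limited to packet-only rules */`. The two conditions also share the prefix `rule_content_offset_depth > 0 && packet_buf`, and the second line is considerably longer than its neighbours, so a nested `if` carrying the shared prefix would read more cleanly. `stream_buf` and `packet_buf` are assigned earlier in EngineAnalysisRules, outside this hunk, so I am assuming they mirror SIG_FLAG_REQUIRE_STREAM / SIG_FLAG_REQUIRE_PACKET; please confirm.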
@@ -514,7 +524,7 @@ void EngineAnalysisRules(Signature *s, char *line)
             && (rule_pcre > 0 || rule_pcre_http > 0)*/) {
         fprintf(rule_engine_analysis_FD, " Warning: Rule uses pcre with only a http_method content; possible performance issue.\n");
     }
-    if (rule_content_offset_depth > 0 && s->flags & SIG_FLAG_REQUIRE_STREAM) {
+    if (warn_offset_depth_pkt_stream) {
         fprintf(rule_engine_analysis_FD, " Warning: Rule has depth"
                 "/offset with raw content keywords. Please note the "
                 "offset/depth will be checked against both packet "
@@ -522,7 +532,7 @@ void EngineAnalysisRules(Signature *s, char *line)
                 "depth checked against just the payload, you can update "
                 "the signature as \"alert tcp-pkt...\"\n");
     }
-    if (rule_content_offset_depth > 0 && s->alproto != ALPROTO_UNKNOWN) {
+    if (warn_offset_depth_alproto) {
         fprintf(rule_engine_analysis_FD, " Warning: Rule has "
                 "offset/depth set along with a match on a specific "
                 "app layer protocol - %d. This can lead to FNs if we "
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 62eada8..bd766b8 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1121,7 +1121,7 @@ static int SigValidate(Signature *s) {
         }
     }
 
-    if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
+    if (!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))) {
         s->flags |= SIG_FLAG_REQUIRE_STREAM;
         SigMatch *sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
         while (sm != NULL) {
-- 
1.7.1
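Review bot: The widened test `!(s->flags & (SIG_FLAG_REQUIRE_PACKET | SIG_FLAG_REQUIRE_STREAM))` in SigValidate now skips the whole block for a rule that is already stream-only, which is the point of the commit, but nothing at the site says why; a one-line comment would spare the next reader a trip to bug #495, e.g. `/* a sig already flagged packet-only or stream-only keeps that; only unflagged sigs are made stream sigs and have their PMATCH list walked below */`. That the walk promotes offset/depth contents to packet+stream matching is my inference from the analyzer change in this patch — the loop body and the rest of the if block lie outside the hunk. The operational consequence, presumably, is that a stream-only rule with offset/depth is now matched only against the reassembled stream, which is worth stating in the rule-writing docs if it is not already.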