Bug #5458
Closed
Reject action is no longer working
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 6.0
Description
This is a pretty significant regression that slipped through during testing (if any) before the release.
As of bf5d9d542bc31f8d5eb856484a2336ab8a240825 below, the ACTION_REJECT set by all signatures is essentially no longer set on the packet, i.e. the RespondReject module that filters the action on rejections is no longer functional.
detect-parse.c
    } else if (strcasecmp(action, "reject") == 0 ||
               strcasecmp(action, "rejectsrc") == 0)
    {
        if (!(SigParseActionRejectValidate(action)))
            return -1;
        s->action = ACTION_REJECT|ACTION_DROP;
detect-engine-alert.c
@@ -178,9 +178,10 @@ static void PacketApplySignatureActions(Packet *p, const Signature *s, const uin
{
SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x", p->pcap_cnt, s->id,
s->action, alert_flags);
- PACKET_UPDATE_ACTION(p, s->action);
if (s->action & ACTION_DROP) {
+ PacketDrop(p, PKT_DROP_REASON_RULES);
+
if (p->alerts.drop.action == 0) {
p->alerts.drop.num = s->num;
p->alerts.drop.action = s->action;
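Review bot: In the s->action & ACTION_DROP branch, PacketDrop(p, PKT_DROP_REASON_RULES) is called without s->action, and the unconditional PACKET_UPDATE_ACTION(p, s->action) that preceded the branch is removed, so nothing visible in this hunk copies the remaining bits of s->action onto the packet. Reject rules are parsed as ACTION_REJECT|ACTION_DROP (detect-parse.c above), so they take this branch and the ACTION_REJECT bit is left behind. Either keep PACKET_UPDATE_ACTION(p, s->action); inside this branch next to the PacketDrop call, or have PacketDrop take the action as an argument.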
@@ -189,8 +190,11 @@ static void PacketApplySignatureActions(Packet *p, const Signature *s, const uin
if ((p->flow != NULL) && (alert_flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
RuleActionToFlow(s->action, p->flow);
}
- } else if (s->action & ACTION_PASS) {
- if ((p->flow != NULL) && (alert_flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
+ } else {
+ PACKET_UPDATE_ACTION(p, s->action);
+
+ if ((s->action & ACTION_PASS) && (p->flow != NULL) &&
+ (alert_flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
RuleActionToFlow(s->action, p->flow);
}
}
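Review bot: PACKET_UPDATE_ACTION(p, s->action) now sits only in the new else branch, so it runs for pass and other non-drop actions but never for a signature whose action includes ACTION_DROP. A comment on the else stating that the drop side relies on PacketDrop to set the packet action would make that dependency explicit. The change also needs a test that runs a reject rule through PacketApplySignatureActions and checks that the packet action still carries ACTION_REJECT.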
Updated by Juliana Fajardini Reichow over 3 years ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Updated by Juliana Fajardini Reichow over 3 years ago
- Status changed from New to In Review
First attempt: https://github.com/OISF/suricata/pull/7639
Updated by Victor Julien over 3 years ago
- Priority changed from Urgent to High
- Target version changed from TBD to 7.0.0-beta1
- Label Needs backport to 6.0 added
Updated by Juliana Fajardini Reichow over 3 years ago
- Copied to Bug #5471: Reject action is no longer working (6.0.x backport) added
Updated by Juliana Fajardini Reichow about 3 years ago
Merged PR: https://github.com/OISF/suricata/pull/7751
Updated by Juliana Fajardini Reichow about 3 years ago
- Status changed from In Review to Resolved
Updated by Juliana Fajardini Reichow about 3 years ago
- Status changed from Resolved to Closed