detect-parse: parse sid in pre-scan

During the pre-scan for "requires", also parse the SID if possible. If the rule fails high level parsing (syntax), the SID will not be parsed. But every keyword other than "sid" and "requires" should expect to be provided with a parsed sid.
jasonish · Nov 29, 2023 · 8620b1b · 8620b1b
1 parent 96cbacb
commit 8620b1b
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/src/detect-parse.c b/src/detect-parse.c
@@ -903,7 +903,7 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
     optname = optstr;
 
     if (requires) {
-        if (strcmp(optname, "requires")) {
+        if (strcmp(optname, "requires") && strcmp(optname, "sid")) {
             goto finish;
         }
     }
@@ -2139,10 +2139,7 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
             AppLayerHtpNeedFileInspection();
         }
     }
-    if (s->id == 0) {
-        SCLogError("Signature missing required value \"sid\".");
-        SCReturnInt(0);
-    }
+
     SCReturnInt(1);
 }
 
@@ -2183,6 +2180,12 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
         goto error;
     }
 
+    /* Check for a SID before continuuing. */
+    if (sig->id == 0) {
+        SCLogError("Signature missing required value \"sid\".");
+        goto error;
+    }
+
     /* Now completely parse the rule. */
     ret = SigParse(de_ctx, sig, sigstr, dir, &parser, false);
     BUG_ON(ret == -4);