BIT-844: fix UDP payload signatures to match packet-wise

src/RuleMatcher.cc

@@ -1113,12 +1113,7 @@ void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
 	if ( rule_bench == 3 )
 		return;
 
-	ExecPureRules(state, 1);
 	state->payload_size = -1;
-	state->matched_by_patterns.clear();
-	loop_over_list(state->matched_text, i)
-		delete state->matched_text[i];
-	state->matched_text.clear();
 
 	loop_over_list(state->matchers, j)
 		state->matchers[j]->state->Clear();
@@ -1496,8 +1491,11 @@ void RuleMatcherState::ClearMatchState(bool orig)
 	if ( ! rule_matcher )
 		return;
 
-	if ( orig_match_state )
+	if ( orig )
-		rule_matcher->ClearEndpointState(orig_match_state);
+		{
-	if ( resp_match_state )
+		if ( orig_match_state )
+			rule_matcher->ClearEndpointState(orig_match_state);
+		}
+	else if ( resp_match_state )
 		rule_matcher->ClearEndpointState(resp_match_state);
 	}

src/analyzer/protocol/pia/PIA.cc

@@ -81,7 +81,7 @@ void PIA::PIA_Done()
 	}
 
 void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq,
-				const IP_Hdr* ip, int caplen)
+				const IP_Hdr* ip, int caplen, bool clear_state)
 	{
 	if ( pkt_buffer.state == SKIPPING )
 		return;
@@ -108,6 +108,9 @@ void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 se
 	// FIXME: I'm not sure why it does not work with eol=true...
 	DoMatch(data, len, is_orig, true, false, false, ip);
 
+	if ( clear_state )
+		RuleMatcherState::ClearMatchState(is_orig);
+
 	pkt_buffer.state = new_state;
 
 	current_packet.data = 0;

src/analyzer/protocol/pia/PIA.h

@@ -42,7 +42,7 @@ public:
 protected:
 	void PIA_Done();
 	void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
-				uint64 seq, const IP_Hdr* ip, int caplen);
+				uint64 seq, const IP_Hdr* ip, int caplen, bool clear_state);
 
 	enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
 
@@ -109,7 +109,7 @@ protected:
 					uint64 seq, const IP_Hdr* ip, int caplen)
 		{
 		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
-		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
 		}
 
 	virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule);
@@ -154,7 +154,7 @@ protected:
 					uint64 seq, const IP_Hdr* ip, int caplen)
 		{
 		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
-		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false);
 		}
 
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);

testing/btest/Baseline/signatures.udp-packetwise-match/out

@@ -0,0 +1,6 @@
+signature match, Found XXXX, XXXX
+signature match, Found ^XXXX, XXXX
+signature match, Found .*XXXX, XXXX
+signature match, Found YYYY, YYYY
+signature match, Found ^YYYY, YYYY
+signature match, Found .*YYYY, YYYY

testing/btest/signatures/udp-packetwise-match.bro

@@ -0,0 +1,53 @@
+# @TEST-EXEC: bro -r $TRACES/udp-signature-test.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load-sigs test.sig
+
+@TEST-START-FILE test.sig
+signature xxxx {
+ ip-proto = udp
+ payload /XXXX/
+ event "Found XXXX"
+}
+
+signature axxxx {
+ ip-proto = udp
+ payload /^XXXX/
+ event "Found ^XXXX"
+}
+
+signature sxxxx {
+ ip-proto = udp
+ payload /.*XXXX/
+ event "Found .*XXXX"
+}
+
+signature yyyy {
+ ip-proto = udp
+ payload /YYYY/
+ event "Found YYYY"
+}
+
+signature ayyyy {
+ ip-proto = udp
+ payload /^YYYY/
+ event "Found ^YYYY"
+}
+
+signature syyyy {
+ ip-proto = udp
+ payload /.*YYYY/
+ event "Found .*YYYY"
+}
+
+signature nope {
+ ip-proto = udp
+ payload /.*nope/
+ event "Found .*nope"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+	{
+	print "signature match", msg, data;
+	}