detect/parse: limit pkthdr proto to decoder event rules

victorjulien · victorjulien · commit 9a0881bc8790 · 2026-03-06T07:34:12.000+01:00
`alert pkthdr` was initially just an alias for `alert ip`, as that was
really just a way of stating that "any" should be matched. However with
the Ethernet matching in place, it no long makes sense to treat `alert
ip` as "any". Since `pkthdr` is used to match on decoder events, also
for packets that completely failed to parse, it should no longer be
treated as `alert ip` but rather as it's own distinct logic.
diff --git a/src/detect-parse.c b/src/detect-parse.c
@@ -2822,6 +2822,16 @@ static bool SigValidateEthernet(const Signature *s)
     return true;
 }
 
+/* `pkthdr` is meant to allow matching on "any" packet with a decoder event. */
+static bool SigValidateProtoPkthdr(const Signature *s)
+{
+    if ((s->init_data->proto.flags & DETECT_PROTO_L2_ANY) && s->type != SIG_TYPE_DEONLY) {
+        SCLogError("protocol 'pkthdr' is for decoder-events only");
+        return false;
+    }
+    return true;
+}
+
 /**
  *  \internal
  *  \brief validate and consolidate parsed signature
@@ -2865,6 +2875,10 @@ static int SigValidateConsolidate(
     SignatureSetType(de_ctx, s);
     DetectRuleSetTable(s);
 
+    if (!SigValidateProtoPkthdr(s)) {
+        SCReturnInt(0);
+    }
+
     if (DetectProtoFinalizeSignature(s) != 0)
         SCReturnInt(0);
 
