]> git.ipfire.org Git - people/ms/suricata.git/commitdiff
enip: more precise probing parser
authorPhilippe Antoine <contact@catenacyber.fr>
Mon, 6 Apr 2020 15:22:33 +0000 (17:22 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 28 Apr 2020 12:07:54 +0000 (14:07 +0200)
Bug: #3615

src/app-layer-enip.c

index 282294536f73c12414b422bb39a38f05e8e9e45f..af4a1fd0004ed7608f139f0338e9e47c12f111d9 100644 (file)
@@ -393,8 +393,27 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         SCLogDebug("length too small to be a ENIP header");
         return ALPROTO_UNKNOWN;
     }
-
-    return ALPROTO_ENIP;
+    uint16_t cmd;
+    int ret = ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
+                                (const uint8_t *) (input));
+    if(ret < 0) {
+        return ALPROTO_FAILED;
+    }
+    //ok for all the known commands
+    switch(cmd) {
+        case NOP:
+        case LIST_SERVICES:
+        case LIST_IDENTITY:
+        case LIST_INTERFACES:
+        case REGISTER_SESSION:
+        case UNREGISTER_SESSION:
+        case SEND_RR_DATA:
+        case SEND_UNIT_DATA:
+        case INDICATE_STATUS:
+        case CANCEL:
+            return ALPROTO_ENIP;
+    }
+    return ALPROTO_FAILED;
 }
 
 /**
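Review bot: The switch on `cmd` at the end of ENIPProbingParser is the only content check the probe makes, and neither outcome is documented. A first packet carrying a command outside the list returns ALPROTO_FAILED, which, as far as I understand Suricata's protocol detection, ends ENIP probing for that direction, so vendor-specific or newer commands leave the flow outside ENIP inspection. In the other direction, any long-enough payload whose first two bytes decode to a listed command is accepted; if NOP is 0x0000 as in the EtherNet/IP encapsulation header, two leading zero bytes suffice, so comparing a second header field such as the encapsulated length with the remaining input length would tighten the match (the header layout is not visible here, so confirm first). I would replace `//ok for all the known commands` with `/* Only the command field is checked; an unknown command gives up on ENIP for this flow (ALPROTO_FAILED). */` and add `default: break;` so the fall-through to the final return is explicit. The function body starts above this hunk.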