enip: use status for probing parser 5242/head
authorPhilippe Antoine <pantoine@oisf.net>
Sat, 2 May 2020 18:17:35 +0000 (20:17 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 29 Jul 2020 08:14:23 +0000 (10:14 +0200)
src/app-layer-enip-common.h
src/app-layer-enip.c

index 8522f65e1d290cc51e1042ff851786798a7ded60..db58587d3da620eea755fa6c6d6460005cda1716 100644 (file)
@@ -56,6 +56,8 @@
 #define INVALID_SESSION       0x0064
 #define INVALID_LENGTH        0x0065
 #define UNSUPPORTED_PROT_REV  0x0069
+//Found in wireshark
+#define ENCAP_HEADER_ERROR    0x006A
 
 #define MAX_CIP_SERVICE     127
 #define MAX_CIP_CLASS       65535
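Review bot: The new comment on ENCAP_HEADER_ERROR records where the value was seen but not what it means, which is what a reader of the status switch in app-layer-enip.c will want; spelling out the name and the value is enough, e.g. `// Encapsulation header error (status 0x006A); value taken from Wireshark's ENIP dissector`. The other status defines in this table carry no comment either, so a one-line reference to the encapsulation status table they come from, placed above the group, would serve the whole block rather than this single entry.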
index 52c6c5dab39865927782c6e3162251b80fac30f6..aace890a8e57de8fb1b17a4795845df12f2820e3 100644 (file)
@@ -380,6 +380,7 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         return ALPROTO_UNKNOWN;
     }
     uint16_t cmd;
+    uint32_t status;
     int ret = ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
                                 (const uint8_t *) (input));
     if(ret < 0) {
@@ -397,7 +398,23 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         case SEND_UNIT_DATA:
         case INDICATE_STATUS:
         case CANCEL:
-            return ALPROTO_ENIP;
+            ret = ByteExtractUint32(&status, BYTE_LITTLE_ENDIAN,
+                                    sizeof(uint32_t),
+                                    (const uint8_t *) (input + 8));
+            if(ret < 0) {
+                return ALPROTO_FAILED;
+            }
+            switch(status) {
+                case SUCCESS:
+                case INVALID_CMD:
+                case NO_RESOURCES:
+                case INCORRECT_DATA:
+                case INVALID_SESSION:
+                case INVALID_LENGTH:
+                case UNSUPPORTED_PROT_REV:
+                case ENCAP_HEADER_ERROR:
+                    return ALPROTO_ENIP;
+            }
     }
     return ALPROTO_FAILED;
 }
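Review bot: The 4-byte read of the status field at `input + 8` is bounded only by `sizeof(uint32_t)` passed to ByteExtractUint32, not by the buffer length, so it is safe only if the length check that sits before this hunk (the `return ALPROTO_UNKNOWN` at its top) already guarantees at least 12 bytes of input; I cannot see that check from here, and if it only covers the 2-byte command, the probe now reads past short input. An explicit guard before the extraction makes that dependency local, e.g. `if (<input length parameter> < 12) { return ALPROTO_UNKNOWN; }` (the parameter is outside the hunk; elsewhere in Suricata's probing parsers it is `input_len`). The inner switch has no `default:`, so any status not in the list drops out to `return ALPROTO_FAILED` for the whole flow; that is presumably intended, but it means a peer emitting a status code outside this eight-value list is never parsed as ENIP, which is worth a comment such as `/* unknown status: not treated as ENIP, flow will not be parsed */` on the fall-through, and a `default: break;` to make the intent visible. ENIPProbingParser's signature and opening length check begin before this hunk.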