case PREFILTER_EXTRA_MATCH_UNUSED:
break;
case PREFILTER_EXTRA_MATCH_ALPROTO:
- if (p->flow == NULL || p->flow->alproto != ctx->value)
+ if (p->flow == NULL || p->flow->alproto != ctx->value ||
+ (ctx->value == ALPROTO_DCERPC && p->flow->alproto == ALPROTO_SMB))
return FALSE;
break;
case PREFILTER_EXTRA_MATCH_SRCPORT:
if (t->alproto == ALPROTO_UNKNOWN) {
/* special case, inspect engine applies to all protocols */
- } else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto)
+ } else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto &&
+ !(s->alproto == ALPROTO_DCERPC && t->alproto == ALPROTO_SMB))
goto next;
if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
* so build the non_mpm array only for match candidates */
const SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;
const uint8_t rule_alproto = det_ctx->non_pf_store_ptr[x].alproto;
- if ((rule_mask & mask) == rule_mask && (rule_alproto == 0 || rule_alproto == alproto)) {
+ if ((rule_mask & mask) == rule_mask && (rule_alproto == 0 || rule_alproto == alproto ||
+ (rule_alproto == ALPROTO_DCERPC && alproto == ALPROTO_SMB)))
+ {
det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;
}
}
return false;
}
/* stream mpm and negated mpm sigs can end up here with wrong proto */
- if (!(f->alproto == s->alproto || s->alproto == ALPROTO_UNKNOWN)) {
+ if (!(f->alproto == s->alproto || s->alproto == ALPROTO_UNKNOWN ||
+ (s->alproto == ALPROTO_DCERPC && f->alproto == ALPROTO_SMB)))
+ {
TRACE_SID_TXS(s->id, tx, "alproto mismatch");
return false;
}
projects / thirdparty / suricata.git / commitdiff
