enip: use status for probing parser
authorPhilippe Antoine <pantoine@oisf.net>
Sat, 2 May 2020 18:17:35 +0000 (20:17 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 25 Aug 2020 12:49:26 +0000 (14:49 +0200)
(cherry picked from commit 0da4dc0deab8ae40f2f4476f68faa62a692a0350)

src/app-layer-enip-common.h
src/app-layer-enip.c

index a9b138d7e695fed4ff35bb904cb3aaf43e1e74ba..b4f40adc0d0c009f1de0d42bfae8d9b1dccfcdf4 100644 (file)
@@ -58,6 +58,8 @@
 #define INVALID_SESSION       0x0064
 #define INVALID_LENGTH        0x0065
 #define UNSUPPORTED_PROT_REV  0x0069
+//Found in wireshark
+#define ENCAP_HEADER_ERROR    0x006A
 
 #define MAX_CIP_SERVICE     127
 #define MAX_CIP_CLASS       65535
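Review bot: The comment on the new constant, `//Found in wireshark`, records where the value came from but not what it means, which is the only thing a reader of this header needs when matching on it; the neighbouring status codes carry no comment at all, so this one stands out. I would replace it with a comment that states the meaning and keeps the provenance as a caveat, e.g. `/* 0x006A: encapsulation header error (value taken from Wireshark's ENIP dissector; confirm against the ODVA spec) */`, and add the missing space after `//` if the line comment form is kept.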
index aaf0897ad2f2c9fce3da753660d8851a2cb6722c..1ad4529128f26c0a1977f4041cc66b001be6fd7b 100644 (file)
@@ -394,6 +394,7 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         return ALPROTO_UNKNOWN;
     }
     uint16_t cmd;
+    uint32_t status;
     int ret = ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
                                 (const uint8_t *) (input));
     if(ret < 0) {
@@ -411,7 +412,23 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         case SEND_UNIT_DATA:
         case INDICATE_STATUS:
         case CANCEL:
-            return ALPROTO_ENIP;
+            ret = ByteExtractUint32(&status, BYTE_LITTLE_ENDIAN,
+                                    sizeof(uint32_t),
+                                    (const uint8_t *) (input + 8));
+            if(ret < 0) {
+                return ALPROTO_FAILED;
+            }
+            switch(status) {
+                case SUCCESS:
+                case INVALID_CMD:
+                case NO_RESOURCES:
+                case INCORRECT_DATA:
+                case INVALID_SESSION:
+                case INVALID_LENGTH:
+                case UNSUPPORTED_PROT_REV:
+                case ENCAP_HEADER_ERROR:
+                    return ALPROTO_ENIP;
+            }
     }
     return ALPROTO_FAILED;
 }
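Review bot: The status read at `input + 8` uses a bare offset with no comment tying it to the encapsulation header layout, and the length passed to `ByteExtractUint32` (`sizeof(uint32_t)`) is the field width, not the remaining buffer, so the read is in bounds only because of the input-length check earlier in ENIPProbingParser, which lies outside this hunk (L24 shows just its `return ALPROTO_UNKNOWN`). I would replace the literal with `offsetof(ENIPEncapHdr, status)` if the header struct exposes that field, or at least annotate it: `/* status field at byte 8 of the encapsulation header; bounded by the input_len check above */`. The inner `switch(status)` has no `default:`; adding `default: break;` makes the fall-through to `ALPROTO_FAILED` explicit and keeps -Wswitch-default quiet. The new check also ignores the `direction` parameter; if, as I believe the ODVA spec requires, requests always carry status 0, a to-server message with a non-zero status could be rejected here rather than accepted as ENIP — worth confirming before tightening.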