uint32_t buffer_len = 0;
uint8_t *buffer = NULL;
DCERPCState *dcerpc_state = NULL;
+ uint8_t ci_flags = DETECT_CI_FLAGS_SINGLE;
if (f->alproto == ALPROTO_SMB) {
uint8_t dir = flags & (STREAM_TOSERVER|STREAM_TOCLIENT);
buffer_len = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer_len;
buffer = dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer;
}
+ if (dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) {
+ ci_flags |= DETECT_CI_FLAGS_DCE_LE;
+ } else {
+ ci_flags |= DETECT_CI_FLAGS_DCE_BE;
+ }
}
if (buffer == NULL ||buffer_len == 0)
goto end;
int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
f,
buffer, buffer_len,
- 0, DETECT_CI_FLAGS_SINGLE,
+ 0, ci_flags,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
dcerpc_state);
if (r == 1)
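Review bot: The `& 0x10` test on `packed_drep[0]` deserves a comment, because it is the only place the DREP byte is decoded and `packed_drep` comes straight off the wire; suggest `/* packed_drep[0] bits 4-7 hold the integer representation: 1 = little endian, 0 = big endian (DCE 1.1 RPC, Appendix I) */` above the new `if`. Exactly one of DETECT_CI_FLAGS_DCE_LE/DCE_BE is set here, but only for the branch visible in this hunk; if the function has further protocol branches outside the hunk that also hand a DCERPC stub buffer to DetectEngineContentInspection, they need the same flag logic or byte_extract's DCE endianness (which now requires one of the two flags) is silently skipped. The enclosing function starts and ends outside the hunk, as does the assignment that makes `dcerpc_state` non-NULL before it is dereferenced.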
/* if we have dce enabled we will have to use the endianness
* specified by the dce header */
- if (btflags & DETECT_BYTETEST_DCE && data != NULL) {
- DCERPCState *dcerpc_state = (DCERPCState *)data;
+ if (btflags & DETECT_BYTETEST_DCE) {
/* enable the endianness flag temporarily. once we are done
* processing we reset the flags to the original value*/
- btflags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
+ btflags |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
DETECT_BYTETEST_LITTLE: 0);
}
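Review bot: When DETECT_BYTETEST_DCE is set but the inspection flags carry neither DCE_LE nor DCE_BE (the buffer is not DCERPC stub data), the new condition silently leaves the test in its default big-endian mode, whereas the byte_extract side of this same change explicitly requires one of the two flags before applying a DCE endianness. For consistency and to make that fallback visible, `if ((btflags & DETECT_BYTETEST_DCE) && (flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE))) {` reads clearer, and the comment could say the endianness comes from the caller's inspection flags rather than "the dce header". The reset of btflags mentioned in the comment is outside the hunk.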
/* if we have dce enabled we will have to use the endianness
* specified by the dce header */
- if (bjflags & DETECT_BYTEJUMP_DCE && data != NULL) {
- DCERPCState *dcerpc_state = (DCERPCState *)data;
+ if (bjflags & DETECT_BYTEJUMP_DCE) {
/* enable the endianness flag temporarily. once we are done
* processing we reset the flags to the original value*/
- bjflags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ?
+ bjflags |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
DETECT_BYTEJUMP_LITTLE: 0);
}
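Review bot: The comment above the new condition is now misleading: it says the endianness is taken from "the dce header", but this code no longer looks at the header at all, it relies on the caller having recorded the DREP result in `flags`. Suggest `/* the DCERPC endianness was decoded by the caller into the inspection flags (DETECT_CI_FLAGS_DCE_LE/BE); apply it temporarily */`. As with byte_test, a DCE-flagged byte_jump against a buffer carrying neither flag quietly falls back to big-endian; a `(flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE))` guard would make that explicit. The reset of bjflags referred to in the comment lies outside the hunk.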
/* if we have dce enabled we will have to use the endianness
* specified by the dce header */
if ((bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) &&
- endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE && data != NULL) {
+ endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE &&
+ flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE)) {
- DCERPCState *dcerpc_state = (DCERPCState *)data;
/* enable the endianness flag temporarily. once we are done
* processing we reset the flags to the original value*/
- endian |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] == 0x10) ?
+ endian |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE : DETECT_BYTE_EXTRACT_ENDIAN_BIG);
}
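Review bot: The new `flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE)` operand of `&&` relies on `&` binding tighter than `&&`; it is correct, but it is the kind of line a reader double-checks, so wrap it: `(flags & (DETECT_CI_FLAGS_DCE_LE|DETECT_CI_FLAGS_DCE_BE))) {`. That guard matters here more than in byte_test/byte_jump, since the else branch assigns BIG unconditionally, so without it a non-DCE buffer would be forced big-endian. When the guard fails, `endian` stays at the bare DETECT_BYTE_EXTRACT_ENDIAN_DCE value as it did before when `data` was NULL; the code consuming that value is outside the hunk, so it is worth confirming it treats a DCE value without LITTLE/BIG sensibly.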
#define DETECT_CI_FLAGS_START BIT_U8(0) /**< unused, reserved for future use */
#define DETECT_CI_FLAGS_END BIT_U8(1) /**< indication that current buffer
* is the end of the data */
+#define DETECT_CI_FLAGS_DCE_LE BIT_U8(2) /**< DCERPC record in little endian */
+#define DETECT_CI_FLAGS_DCE_BE BIT_U8(3) /**< DCERPC record in big endian */
/** buffer is a single, non-streaming, buffer. Data sent to the content
* inspection function contains both start and end of the data. */
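Review bot: The two new flags should document their relationship, since a reader of this header cannot tell whether both can be set at once; suggest `/**< DCERPC record in little endian; mutually exclusive with DETECT_CI_FLAGS_DCE_BE */` and `/**< DCERPC record in big endian; mutually exclusive with DETECT_CI_FLAGS_DCE_LE */`. A one-line note that neither flag is present when the inspected buffer is not DCERPC stub data would also help the byte_test/byte_jump/byte_extract consumers, assuming that holds for every caller (only one is visible in this change).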