detect/dcerpc: simplify keyword validation

Now that the engine understands the relation between SMB and DCERPC better
we can get rid of some of the special case handling in keywords.

(cherry picked from commit 84e26d670e39e6ec40af9f3b0f2910d9accdf356)

diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index de711e3df579d6ef20f763a92467e2deff6ddaa6..b7033fc1f43bf8270f5e2daa875a4fc824ed39c6 100644 (file)
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -160,11 +160,9 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 {
     SCEnter();
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-        s->alproto != ALPROTO_SMB) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
         return -1;
-    }
+
     void *did = rs_dcerpc_iface_parse(arg);
     if (did == NULL) {
         SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_iface option in "
@@ -181,7 +179,6 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = did;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
-    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index ccaa12b6f6217d4a440bc23fd621d133ae1447d8..6f19ecf47d63f8223f20b8a1e7248257e283ed5e 100644 (file)
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@@ -132,11 +132,9 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
         return -1;
     }
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-        s->alproto != ALPROTO_SMB) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
         return -1;
-    }
+
     void *dod = rs_dcerpc_opnum_parse(arg);
     if (dod == NULL) {
         SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
@@ -154,7 +152,6 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = (void *)dod;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
-    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index 69a9f1a84974d298e8bfa7fa6edc69dcbf6f3d17..61e3206b4858977e40e07c22276f098a03152b03 100644 (file)
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -158,8 +158,7 @@ void DetectDceStubDataRegister(void)
 }
 
 /**
- * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
- *        and appends it to the Signature(s).
+ * \brief setups the dce_stub_data list
  *
  * \param de_ctx Pointer to the detection engine context
  * \param s      Pointer to signature for the current Signature being parsed
@@ -171,15 +170,10 @@ void DetectDceStubDataRegister(void)
 
 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 {
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-        s->alproto != ALPROTO_SMB) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
         return -1;
-    }
     if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
         return -1;
-
-    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-parse.c b/src/detect-parse.c
index cf495bf051d8942f28694b821604657c48d1d236..ad509fb6f971acf1d187be11fe11e3ab4d9d4b4d 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1887,14 +1887,6 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
             AppLayerHtpNeedFileInspection();
         }
     }
-    if (s->init_data->init_flags & SIG_FLAG_INIT_DCERPC) {
-        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-                s->alproto != ALPROTO_SMB) {
-            SCLogError(SC_ERR_NO_FILES_FOR_PROTOCOL, "protocol %s doesn't support DCERPC keyword",
-                    AppProtoToString(s->alproto));
-            SCReturnInt(0);
-        }
-    }
     SCReturnInt(1);
 }
 

diff --git a/src/detect.h b/src/detect.h
index 3ee4901cc61df400e9cca2567bb1d954ebff648d..df6f14493cc05da8f3e4dc42cbe9eb9dac8785d0 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -266,7 +266,6 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_NEED_FLUSH            BIT_U32(7)
 #define SIG_FLAG_INIT_PRIO_EXPLICT          BIT_U32(8)  /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA              BIT_U32(9)  /**< signature has filedata keyword */
-#define SIG_FLAG_INIT_DCERPC                BIT_U32(10) /**< signature has DCERPC keyword */
 
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */