dcerpc: accept ALTER_CONTEXT as a valid request

So far, if only the starting request was a DCERPC request, it would be
considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type,
it should be accepted too.

Reported and patch proposed in the following Redmine ticket by
InterNALXz.

Bug 6191

(cherry picked from commit 8770431986598f195d57e570287c40ee3dec0cfa)

diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
index bf524a1610611877685d918d33f696ccf9dca1be..f2a6a46eaf85b1eade8e6050807a50dd2636a534 100644 (file)
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@@ -1338,7 +1338,7 @@ pub unsafe extern "C" fn rs_dcerpc_get_stub_data(
 fn probe(input: &[u8]) -> (bool, bool) {
     match parser::parse_dcerpc_header(input) {
         Ok((_, hdr)) => {
-            let is_request = hdr.hdrtype == 0x00;
+            let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e;
             let is_dcerpc = hdr.rpc_vers == 0x05 && hdr.rpc_vers_minor == 0x00;
             return (is_dcerpc, is_request);
         },