dcerpc/udp: improve detection

Lately, Wireguard proto starting w pattern |04 00| is misdetected as
DCERPC/UDP which also starts with the same pattern, add more checks
to make sure that it is the best guess for packet to be dcerpc/udp.

(cherry picked from commit f967a491047a6d8eaa232944c690dadfb0cc3c86)

diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
index 0f86404048af1b7c37a7b1262f6279fe94302f2f..1ed151859b6241109a6994b7d9ff5104632f16bd 100644 (file)
--- a/rust/src/dcerpc/dcerpc_udp.rs
+++ b/rust/src/dcerpc/dcerpc_udp.rs
@@ -294,7 +294,10 @@ fn probe(input: &[u8]) -> (bool, bool) {
     match parser::parse_dcerpc_udp_header(input) {
         Ok((_, hdr)) => {
             let is_request = hdr.pkt_type == 0x00;
-            let is_dcerpc = hdr.rpc_vers == 0x04;
+            let is_dcerpc = hdr.rpc_vers == 0x04 &&
+                (hdr.flags2 & 0xfc == 0) &&
+                (hdr.drep[0] & 0xee == 0) &&
+                (hdr.drep[1] <= 3);
             return (is_dcerpc, is_request);
         },
         Err(_) => (false, false),