So 'alert dcerpc' also matches if the DCERPC is over SMB.
Explicitly refuse smb keywords for the 'dcerpc' app proto setting:
`alert dceprc ... smb.share; ...` is rejected.
Remove a now useless special case in the stateless rule processing
matching for dcerpc/smb.
Bug: #5208.
case ALPROTO_HTTP:
return (alproto == ALPROTO_HTTP1) || (alproto == ALPROTO_HTTP2) ||
(alproto == ALPROTO_HTTP);
+ case ALPROTO_DCERPC:
+ return (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB);
}
return (sigproto == alproto);
}
return -1;
}
+ /* since AppProtoEquals is quite permissive wrt dcerpc and smb, make sure
+ * we refuse `alert dcerpc ... smb.share; content...` explicitly. */
+ if (alproto == ALPROTO_SMB && s->alproto == ALPROTO_DCERPC) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+ "can't set rule app proto to %s: already set to %s", AppProtoToString(alproto),
+ AppProtoToString(s->alproto));
+ return -1;
+ }
+
if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, alproto)) {
if (AppProtoEquals(alproto, s->alproto)) {
// happens if alproto = HTTP_ANY and s->alproto = HTTP1
/* if the sig has alproto and the session as well they should match */
if (likely(sflags & SIG_FLAG_APPLAYER)) {
if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
- if (s->alproto == ALPROTO_DCERPC) {
- if (scratch->alproto != ALPROTO_SMB) {
- SCLogDebug("DCERPC sig, alproto not SMB");
- goto next;
- }
- } else {
- SCLogDebug("alproto mismatch");
- goto next;
- }
+ SCLogDebug("alproto mismatch");
+ goto next;
}
}
projects / thirdparty / suricata.git / commitdiff
