dcerpc: validate signature with dcerpc keywords

so that they do not use another protocol's keywords

(cherry picked from commit c06d8f246303d767d2b5e8c504f58de401e64c0a)

diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index 242657f534874e329611c7391f3bd52cf1209a97..8ea7af20045ffac70714522ab4926ad6e5f2b9ba 100644 (file)
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -394,6 +394,7 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = (void *)did;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index 93c83e98db4cbc4019e028bc5dd397eddce4d238..aa4c425efdf95c7a75297220405f0fe6488325fc 100644 (file)
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@@ -345,6 +345,7 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = (void *)dod;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index ccbaf341ccff722835f16f770a3186a8a7a984d6..f190f9cafec2aeb6061eedc6c19ee25eb15dd7bc 100644 (file)
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -176,6 +176,8 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const c
 {
     if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
         return -1;
+
+    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 00e0eca0daaf2bf60647e9b512e30d60014f03d6..e87e640df8301a6a554a190b19b015698abeb893 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1845,7 +1845,14 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
             AppLayerHtpNeedFileInspection();
         }
     }
-
+    if (s->init_data->init_flags & SIG_FLAG_INIT_DCERPC) {
+        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+                s->alproto != ALPROTO_SMB) {
+            SCLogError(SC_ERR_NO_FILES_FOR_PROTOCOL, "protocol %s doesn't support DCERPC keyword",
+                    AppProtoToString(s->alproto));
+            SCReturnInt(0);
+        }
+    }
     SCReturnInt(1);
 }
 

diff --git a/src/detect.h b/src/detect.h
index 63359f1863b6bab63af880cba30ce992b32f6eea..d25c08b464d9d9260b077d4a937f7efb3e04737f 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -263,6 +263,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_NEED_FLUSH            BIT_U32(7)
 #define SIG_FLAG_INIT_PRIO_EXPLICT          BIT_U32(8)  /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA              BIT_U32(9)  /**< signature has filedata keyword */
+#define SIG_FLAG_INIT_DCERPC                BIT_U32(10) /**< signature has DCERPC keyword */
 
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */