dnp3: more precise probing for banners

author Philippe Antoine <contact@catenacyber.fr>

Wed, 30 Sep 2020 20:04:32 +0000 (22:04 +0200)

committer Jason Ish <jason.ish@oisf.net>

Wed, 7 Oct 2020 15:40:38 +0000 (09:40 -0600)
author Philippe Antoine <contact@catenacyber.fr>
Wed, 30 Sep 2020 20:04:32 +0000 (22:04 +0200)
committer Jason Ish <jason.ish@oisf.net>
Wed, 7 Oct 2020 15:40:38 +0000 (09:40 -0600)
diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c

index 5c04ea19fc60bdc26c567ad7c77466d7e7e4ea90..025afd69fcd81ab9e01fe8f4ccda5abf8177ab12 100644 (file)
--- a/src/app-layer-dnp3.c
+++ b/src/app-layer-dnp3.c
@@ -277,10 +277,20 @@ static uint16_t DNP3ProbingParser(Flow *f, uint8_t direction,
      /* May be a banner. */
      if (DNP3ContainsBanner(input, len)) {
          SCLogDebug("Packet contains a DNP3 banner.");
-        if (toserver) {
-            *rdir = STREAM_TOCLIENT;
+        bool is_banner = true;
+        // magic 0x100 = 256 seems good enough
+        for (uint32_t i = 0; i < len && i < 0x100; i++) {
+            if (!isprint(input[i])) {
+                is_banner = false;
+                break;
+            }
+        }
+        if (is_banner) {
+            if (toserver) {
+                *rdir = STREAM_TOCLIENT;
+            }
+            return ALPROTO_DNP3;
          }
-        return ALPROTO_DNP3;
      }
  
      /* Check that we have the minimum amount of bytes. */
author	Philippe Antoine <contact@catenacyber.fr>
	Wed, 30 Sep 2020 20:04:32 +0000 (22:04 +0200)
committer	Jason Ish <jason.ish@oisf.net>
	Wed, 7 Oct 2020 15:40:38 +0000 (09:40 -0600)