dcerpc: validate signature with dcerpc keywords

so that they do not use another protocol's keywords

diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index 434ceb3ffe4279edbf1e5fab48ee12653cd0cccc..de711e3df579d6ef20f763a92467e2deff6ddaa6 100644 (file)
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -181,6 +181,7 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = did;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index 509f1d3882cb04c95b924b1f235a01913d8f5fe9..ccaa12b6f6217d4a440bc23fd621d133ae1447d8 100644 (file)
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@@ -154,6 +154,7 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = (void *)dod;
 
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index 0339cc66c9259889b71134dfa4f3e8fd2c136eb7..416109fe0f57a4038be3a47e7cffa5d1a157d0d3 100644 (file)
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -178,6 +178,8 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const c
     }
     if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
         return -1;
+
+    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 08a1e851962615d5716e1e97b082ad541e12c47d..b9962dbf409c032b9091d6fa0f854c14e23ff7f1 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1857,7 +1857,14 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
             AppLayerHtpNeedFileInspection();
         }
     }
-
+    if (s->init_data->init_flags & SIG_FLAG_INIT_DCERPC) {
+        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+                s->alproto != ALPROTO_SMB) {
+            SCLogError(SC_ERR_NO_FILES_FOR_PROTOCOL, "protocol %s doesn't support DCERPC keyword",
+                    AppProtoToString(s->alproto));
+            SCReturnInt(0);
+        }
+    }
     SCReturnInt(1);
 }
 

diff --git a/src/detect.h b/src/detect.h
index 8060a1a69c3432e1366feccb452a936885526fa7..00b6b806585acbe0a8fa0dfd91752476b924d0b1 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -263,6 +263,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_NEED_FLUSH            BIT_U32(7)
 #define SIG_FLAG_INIT_PRIO_EXPLICT          BIT_U32(8)  /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA              BIT_U32(9)  /**< signature has filedata keyword */
+#define SIG_FLAG_INIT_DCERPC                BIT_U32(10) /**< signature has DCERPC keyword */
 
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */