dcerpc: add tx detect flags

diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index 7bae7f470d00ed23878d742bd23500f81a2348f1..c78ad6c05e83d5164399ea9db54fdc3caadae3e5 100644 (file)
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@@ -2039,6 +2039,26 @@ static int DCERPCGetAlstateProgress(void *tx, uint8_t direction)
     return 0;
 }
 
+static void DCERPCSetTxDetectFlags(void *vtx, uint8_t dir, uint64_t flags)
+{
+    DCERPCState *dcerpc_state = (DCERPCState *)vtx;
+    if (dir & STREAM_TOSERVER) {
+        dcerpc_state->detect_flags_ts = flags;
+    } else {
+        dcerpc_state->detect_flags_tc = flags;
+    }
+}
+
+static uint64_t DCERPCGetTxDetectFlags(void *vtx, uint8_t dir)
+{
+    DCERPCState *dcerpc_state = (DCERPCState *)vtx;
+    if (dir & STREAM_TOSERVER) {
+        return dcerpc_state->detect_flags_ts;
+    } else {
+        return dcerpc_state->detect_flags_tc;
+    }
+}
+
 static int DCERPCRegisterPatternsForProtocolDetection(void)
 {
     if (AppLayerProtoDetectPMRegisterPatternCS(IPPROTO_TCP, ALPROTO_DCERPC,
@@ -2092,6 +2112,8 @@ void RegisterDCERPCParsers(void)
 
         AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_DCERPC,
                                                                DCERPCGetAlstateProgressCompletionStatus);
+        AppLayerParserRegisterDetectFlagsFuncs(IPPROTO_TCP, ALPROTO_DCERPC,
+                DCERPCGetTxDetectFlags, DCERPCSetTxDetectFlags);
     } else {
         SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
                   "still on.", proto_name);

diff --git a/src/app-layer-dcerpc.h b/src/app-layer-dcerpc.h
index 5a8410c761a8001ab75698533907e21b97df1c7a..b52bf4b72d9d0d616cd9f1213356ec706f741e81 100644 (file)
--- a/src/app-layer-dcerpc.h
+++ b/src/app-layer-dcerpc.h
@@ -35,6 +35,8 @@ typedef struct DCERPCState_ {
     DCERPC dcerpc;
     uint8_t data_needed_for_dir;
     DetectEngineState *de_state;
+    uint64_t detect_flags_ts;
+    uint64_t detect_flags_tc;
 } DCERPCState;
 
 void DCERPCInit(DCERPC *dcerpc);