So 'alert dcerpc' also matches if the DCERPC is over SMB.
Explicitly refuse smb keywords for the 'dcerpc' app proto setting:
`alert dcerpc ... smb.share; ...` is rejected.
Remove a now useless special case in the stateless rule processing
matching for dcerpc/smb.
Bug: #5208.
(cherry picked from commit
7d38f5667d1fe7dccd355f85434d2fb709578f57)
if (alproto == ALPROTO_HTTP2 && g_config_http1keywords_http2traffic &&
sigproto == ALPROTO_HTTP) {
return true;
+ } else if (sigproto == ALPROTO_DCERPC) {
+ return (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB);
}
return (sigproto == alproto);
}
AppProtoToString(alproto), AppProtoToString(s->alproto));
return -1;
}
+ /* since AppProtoEquals is quite permissive wrt dcerpc and smb, make sure
+ * we refuse `alert dcerpc ... smb.share; content...` explicitly. */
+ if (alproto == ALPROTO_SMB && s->alproto == ALPROTO_DCERPC) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+ "can't set rule app proto to %s: already set to %s", AppProtoToString(alproto),
+ AppProtoToString(s->alproto));
+ return -1;
+ }
// allow to keep HTTP2 as s->alproto with HTTP1 alproto keywords
if (!AppProtoEquals(alproto, s->alproto)) {
/* if the sig has alproto and the session as well they should match */
if (likely(sflags & SIG_FLAG_APPLAYER)) {
if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
- if (s->alproto == ALPROTO_DCERPC) {
- if (scratch->alproto != ALPROTO_SMB) {
- SCLogDebug("DCERPC sig, alproto not SMB");
- goto next;
- }
- } else {
- SCLogDebug("alproto mismatch");
- goto next;
- }
+ SCLogDebug("alproto mismatch");
+ goto next;
}
}