From: Victor Julien
Date: Tue, 14 Jun 2022 09:41:58 +0000 (+0200)
Subject: detect/dcerpc: apply dcerpc to smb as well
X-Git-Tag: suricata-5.0.10~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1492fcc6ad4bbb315052e89c070cbc86076793a4;p=thirdparty%2Fsuricata.git

detect/dcerpc: apply dcerpc to smb as well

So 'alert dcerpc' also matches if the DCERPC is over SMB.

Bug: #5208.
---
diff --git a/src/detect-engine-prefilter-common.h b/src/detect-engine-prefilter-common.h
index 6137f8b19b..458a1bfd5d 100644
--- a/src/detect-engine-prefilter-common.h
+++ b/src/detect-engine-prefilter-common.h
@@ -79,7 +79,8 @@ PrefilterPacketHeaderExtraMatch(const PrefilterPacketHeaderCtx *ctx,
 case PREFILTER_EXTRA_MATCH_UNUSED:
 break;
 case PREFILTER_EXTRA_MATCH_ALPROTO:
- if (p->flow == NULL || p->flow->alproto != ctx->value)
+ if (p->flow == NULL || p->flow->alproto != ctx->value ||
+ (ctx->value == ALPROTO_DCERPC && p->flow->alproto == ALPROTO_SMB))
 return FALSE;
 break;
 case PREFILTER_EXTRA_MATCH_SRCPORT:
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 18668d07a9..43de43d202 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -555,7 +555,8 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature
 if (t->alproto == ALPROTO_UNKNOWN) {
 /* special case, inspect engine applies to all protocols */
- } else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto)
+ } else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto &&
+ !(s->alproto == ALPROTO_DCERPC && t->alproto == ALPROTO_SMB))
 goto next;
 if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
diff --git a/src/detect.c b/src/detect.c
index 164b6608ce..dc5fe50bf9 100644
--- a/src/detect.c
+++ b/src/detect.c
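Review bot: The disjunct added in the PREFILTER_EXTRA_MATCH_ALPROTO case is subsumed by the clause before it, so DCERPC rules are still rejected on SMB flows: when `ctx->value == ALPROTO_DCERPC` and `p->flow->alproto == ALPROTO_SMB`, `p->flow->alproto != ctx->value` is already true and the function returns FALSE exactly as it did before the change. The other three hunks use the intended form, excluding the DCERPC/SMB pair from the mismatch test; this one should read `if (p->flow == NULL || (p->flow->alproto != ctx->value &&` / `!(ctx->value == ALPROTO_DCERPC && p->flow->alproto == ALPROTO_SMB)))`. As written, `alert dcerpc` rules that go through this packet-header prefilter are still dropped before inspection on SMB carriers, which is the very gap the commit message says it closes. The enclosing PrefilterPacketHeaderExtraMatch function and its switch start outside the hunk.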
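Review bot: The DCERPC-over-SMB equivalence is now spelled out by hand in four places — here in DetectEngineAppInspectionEngine2Signature, in PrefilterPacketHeaderExtraMatch, and in the two detect.c hunks (DetectPrefilterBuildNonPrefilterList and DetectRunTxInspectRule) — each with its own operand order and polarity, which is how the prefilter copy on this page ended up with the test inverted. A `static inline bool` helper taking the signature's alproto and the flow's alproto (for example `AppProtoEquals(sig_alproto, flow_alproto)`) would let this site read `} else if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, t->alproto))` and keep any future carrier mapping in one spot. That helper is also the natural place for a one-line comment stating that DCERPC signatures are meant to match on SMB flows because the DCERPC payload travels inside SMB, since the bare `ALPROTO_SMB` comparison does not explain why. The enclosing function starts outside the hunk.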
@@ -358,7 +358,9 @@ DetectPrefilterBuildNonPrefilterList(DetectEngineThreadCtx *det_ctx, SignatureMa
 * so build the non_mpm array only for match candidates */
 const SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;
 const uint8_t rule_alproto = det_ctx->non_pf_store_ptr[x].alproto;
- if ((rule_mask & mask) == rule_mask && (rule_alproto == 0 || rule_alproto == alproto)) {
+ if ((rule_mask & mask) == rule_mask && (rule_alproto == 0 || rule_alproto == alproto ||
+ (rule_alproto == ALPROTO_DCERPC && alproto == ALPROTO_SMB)))
+ {
 det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;
 }
 }
@@ -1089,7 +1091,9 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
 return false;
 }
 /* stream mpm and negated mpm sigs can end up here with wrong proto */
- if (!(f->alproto == s->alproto || s->alproto == ALPROTO_UNKNOWN)) {
+ if (!(f->alproto == s->alproto || s->alproto == ALPROTO_UNKNOWN ||
+ (s->alproto == ALPROTO_DCERPC && f->alproto == ALPROTO_SMB)))
+ {
 TRACE_SID_TXS(s->id, tx, "alproto mismatch");
 return false;
 }