From: Victor Julien
Date: Wed, 19 Dec 2018 10:49:42 +0000 (+0100)
Subject: proto/detect: workaround dns misdetected as dcerpc
X-Git-Tag: suricata-4.0.7~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75488b00a8ad41df9cbfa7e4da24a83595fcc226;p=thirdparty%2Fsuricata.git

proto/detect: workaround dns misdetected as dcerpc

The DCERPC UDP detection would misfire on DNS with transaction ID 0x0400. This would happen as the protocol detection engine gives preference to pattern based detection over probing parsers for performance reasons. This hack/workaround fixes this specific case by still running the probing parser if DCERPC has been detected on UDP. The probing parser result will take precedence.

Bug #2736.
---
diff --git a/src/app-layer-detect-proto.c b/src/app-layer-detect-proto.c
index 25bc438214..f47465e22b 100644
--- a/src/app-layer-detect-proto.c
+++ b/src/app-layer-detect-proto.c
@@ -1314,6 +1314,7 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
 SCEnter();
 AppProto alproto = ALPROTO_UNKNOWN;
+ AppProto pm_alproto = ALPROTO_UNKNOWN;
 if (!FLOW_IS_PM_DONE(f, direction)) {
 AppProto pm_results[ALPROTO_MAX];
@@ -1324,7 +1325,15 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
 pm_results);
 if (pm_matches > 0) {
 alproto = pm_results[0];
- goto end;
+
+ /* HACK: if detected protocol is dcerpc/udp, we run PP as well
+ * to avoid misdetecting DNS as DCERPC. */
+ if (!(ipproto == IPPROTO_UDP && alproto == ALPROTO_DCERPC))
+ goto end;
+
+ pm_alproto = alproto;
+
+ /* fall through */
 }
 }
@@ -1332,6 +1341,9 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
 alproto = AppLayerProtoDetectPPGetProto(f, buf, buflen, ipproto, direction);
 end:
+ if (alproto == ALPROTO_UNKNOWN)
+ alproto = pm_alproto;
+
 SCReturnUInt(alproto);
 }
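Review bot: The fall-through added after `alproto = pm_results[0];` only corrects the DNS-as-DCERPC case when the probing parser actually runs for this packet, and the `AppLayerProtoDetectPPGetProto` call sits between this hunk and the next; if it is guarded by a per-direction PP-done flag the way the pattern-match step above is guarded by `FLOW_IS_PM_DONE`, a flow whose probing was already exhausted in this direction keeps the pattern-match result, and a DNS message with transaction ID 0x0400 is still handed to the DCERPC parser, so DNS-specific rules and logging would not see it. Either that guard should admit this case, something like `if (!FLOW_IS_PP_DONE(f, direction) || pm_alproto != ALPROTO_UNKNOWN)` if that is indeed how the call is gated, or the HACK comment should say the workaround is best-effort once PP has been marked done. The `/* fall through */` marker also reads like a switch-case annotation; inside this `if` block it would be clearer as `/* no goto end: run the probing parser below; pm_alproto is restored at end: if PP finds nothing */`. AppLayerProtoDetectGetProto begins before this hunk and continues past it.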