From: Victor Julien
Date: Fri, 10 Jun 2022 09:05:40 +0000 (+0200)
Subject: detect/dcerpc: simplify keyword validation
X-Git-Tag: suricata-7.0.0-beta1~453
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8109b0017e6e76c41d2ab54129f18188888eb7f5;p=thirdparty%2Fsuricata.git

detect/dcerpc: simplify keyword validation

Now that the engine understands the relation between SMB and DCERPC better we can get rid of some of the special case handling in keywords.
---
diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index 6631e685f9..6f28f3309f 100644
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -155,11 +155,9 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 {
     SCEnter();
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-            s->alproto != ALPROTO_SMB) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
         return -1;
-    }
+
     void *did = rs_dcerpc_iface_parse(arg);
     if (did == NULL) {
         SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_iface option in "
@@ -176,7 +174,6 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = did;
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
 
-    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 
diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index 7f09fda979..09ea401bda 100644
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
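Review bot: The new guard in DetectDceIfaceSetup (and the identical replacement in DetectDceOpnumSetup in detect-dce-opnum.c and DetectDceStubDataSetup in detect-dce-stub-data.c) drops the explicit ALPROTO_SMB acceptance and relies on DetectSignatureSetAppProto() treating a signature whose alproto is already SMB as compatible with ALPROTO_DCERPC; nothing in this patch shows that mapping, so if the helper only accepts an equal or unknown alproto, rules declared on the smb protocol that use dce_iface, dce_opnum or dce_stub_data would now be rejected at parse time. A unit test that parses an smb-protocol rule with each of the three keywords would pin the intended behaviour and document that the SMB special case moved rather than disappeared. A one-line comment above the call, `/* SMB rules stay valid: DetectSignatureSetAppProto() knows DCERPC is carried over SMB */`, would tell the next reader why the old three-way check is gone. The body of DetectDceIfaceSetup continues outside the first hunk.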
@@ -131,11 +131,9 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
         return -1;
     }
 
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-            s->alproto != ALPROTO_SMB) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
         return -1;
-    }
+
     void *dod = rs_dcerpc_opnum_parse(arg);
     if (dod == NULL) {
         SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
@@ -153,7 +151,6 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     sm->ctx = (void *)dod;
     SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
 
-    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index a89ac47b33..c87ca9d078 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -157,8 +157,7 @@ void DetectDceStubDataRegister(void)
 }
 
 /**
- * \brief Creates a SigMatch for the \"dce_stub_data\" keyword being sent as argument,
- * and appends it to the Signature(s).
+ * \brief setups the dce_stub_data list
  *
  * \param de_ctx Pointer to the detection engine context
  * \param s Pointer to signature for the current Signature being parsed
@@ -170,15 +169,10 @@ void DetectDceStubDataRegister(void)
 
 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 {
-    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-            s->alproto != ALPROTO_SMB) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
         return -1;
-    }
     if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
         return -1;
-
-    s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
     return 0;
 }
 
diff --git a/src/detect-parse.c b/src/detect-parse.c
index f43736ce3e..32d7a5ee52 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
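Review bot: The rewritten brief on DetectDceStubDataSetup in detect-dce-stub-data.c, `\brief setups the dce_stub_data list`, is ungrammatical and says less than the two lines it replaces, while the function now also pins the signature's app-layer protocol; suggest `\brief Sets up the dce_stub_data buffer list and binds the signature to ALPROTO_DCERPC`. The \retval entries that presumably follow the \param lines are outside the first hunk; they should mention that -1 now also covers a protocol conflict reported by DetectSignatureSetAppProto(), since the keyword no longer logs that case itself. The second hunk contains the whole body of DetectDceStubDataSetup, so no further behaviour is hidden from view there.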
@@ -1931,14 +1931,6 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
             AppLayerHtpNeedFileInspection();
         }
     }
-    if (s->init_data->init_flags & SIG_FLAG_INIT_DCERPC) {
-        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
-                s->alproto != ALPROTO_SMB) {
-            SCLogError(SC_ERR_NO_FILES_FOR_PROTOCOL, "protocol %s doesn't support DCERPC keyword",
-                    AppProtoToString(s->alproto));
-            SCReturnInt(0);
-        }
-    }
     if (s->id == 0) {
         SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature missing required value \"sid\".");
         SCReturnInt(0);
diff --git a/src/detect.h b/src/detect.h
index 586da2bd67..6f3744529a 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -266,7 +266,6 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
 #define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8) /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
-#define SIG_FLAG_INIT_DCERPC BIT_U32(10) /**< signature has DCERPC keyword */
 
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */
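Review bot: Removing the SIG_FLAG_INIT_DCERPC block from SigValidate leaves keyword-setup time as the only point where a DCERPC keyword is checked against the rule's protocol, which is sound only if every writer of s->alproto goes through DetectSignatureSetAppProto() rather than assigning the field directly; this patch cannot show that, so it is an inferred risk. If such a direct assignment remains, a rule combining a dce_* keyword with a protocol that cannot carry DCERPC would now pass validation and simply never match, with no error to point the rule author at the mistake. Suggest a one-line comment where the block stood, `/* DCERPC keyword vs. protocol conflicts are rejected by DetectSignatureSetAppProto() at keyword setup */`, so the check is not reintroduced later. SigValidate starts and ends outside the hunk; the detect.h hunk below, which drops the flag bit, is consistent with this removal and needs nothing further.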