From: Shivani Bhardwaj
Date: Wed, 26 Jul 2023 09:41:59 +0000 (+0530)
Subject: dcerpc: accept ALTER_CONTEXT as a valid request
X-Git-Tag: suricata-6.0.14~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e2fb158ab33bdb9d65c4450606133de98111d55;p=thirdparty%2Fsuricata.git

dcerpc: accept ALTER_CONTEXT as a valid request

So far, if only the starting request was a DCERPC request, it would be considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type, it should be accepted too.

Reported and patch proposed in the following Redmine ticket by InterNALXz.

Bug 6191

(cherry picked from commit 8770431986598f195d57e570287c40ee3dec0cfa)
---

diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
index bf524a1610..f2a6a46eaf 100644
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@@ -1338,7 +1338,7 @@ pub unsafe extern "C" fn rs_dcerpc_get_stub_data(
 fn probe(input: &[u8]) -> (bool, bool) {
     match parser::parse_dcerpc_header(input) {
         Ok((_, hdr)) => {
-            let is_request = hdr.hdrtype == 0x00;
+            let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e;
             let is_dcerpc = hdr.rpc_vers == 0x05 && hdr.rpc_vers_minor == 0x00;
             return (is_dcerpc, is_request);
         },
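Review bot: The new `is_request` line compares `hdr.hdrtype` against two bare literals, `0x00` and `0x0e`, and nothing in the hunk says what they stand for; if this module's `DCERPC_TYPE_REQUEST` / `DCERPC_TYPE_ALTER_CONTEXT` constants are in scope here (they appear to be defined in dcerpc.rs, please confirm) the line should read `let is_request = hdr.hdrtype == DCERPC_TYPE_REQUEST || hdr.hdrtype == DCERPC_TYPE_ALTER_CONTEXT;`, and otherwise at least carry a comment such as `// REQUEST (0x00) or ALTER_CONTEXT (0x0e) may both open a DCERPC exchange (bug 6191)`. The name `is_request` is now a little misleading, since ALTER_CONTEXT is a context-negotiation PDU rather than a call request; a short comment stating that the second tuple element means "client-originated PDU" rather than "RPC request" would keep a later reader from narrowing it back to `0x00`. The `probe` function continues past the end of the hunk (the remaining match arm is not shown), so whatever that arm returns for the second element should be re-read against the widened meaning of the flag.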