From: Philippe Antoine
Date: Thu, 27 Aug 2020 15:32:41 +0000 (+0200)
Subject: dcerpc: validate signature with dcerpc keywords
X-Git-Tag: suricata-5.0.4~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad1b02860f7e5f5a6ca614ea4fcf2be44ac86e43;p=thirdparty%2Fsuricata.git
dcerpc: validate signature with dcerpc keywords
so that they do not use another protocol's keywords
(cherry picked from commit c06d8f246303d767d2b5e8c504f58de401e64c0a)
---
diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index 242657f534..8ea7af2004 100644
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -394,6 +394,7 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 sm->ctx = (void *)did;
 SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+ s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
 return 0;
 }
diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index 93c83e98db..aa4c425efd 100644
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@@ -345,6 +345,7 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 sm->ctx = (void *)dod;
 SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+ s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
 return 0;
 }
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index ccbaf341cc..f190f9cafe 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -176,6 +176,8 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const c
 {
 if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
 return -1;
+
+ s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
 return 0;
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 00e0eca0da..e87e640df8 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
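Review bot: The added `s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;` line carries no explanation of what the flag is for, and the identical bare line appears in the detect-dce-opnum.c and detect-dce-stub-data.c hunks as well; a one-line comment at each site, `/* mark the rule so SigValidate can reject dce_* keywords on app-layer protocols other than DCERPC/SMB */`, would tie the three setups to the check that consumes the flag. Because the flag is set after the SigMatch is appended, the earlier error returns of DetectDceIfaceSetup (outside this hunk) leave it clear, which correctly describes a rule that never received the keyword. DetectDceIfaceSetup begins before this hunk.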
@@ -1845,7 +1845,14 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 AppLayerHtpNeedFileInspection();
 }
 }
-
+ if (s->init_data->init_flags & SIG_FLAG_INIT_DCERPC) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+ s->alproto != ALPROTO_SMB) {
+ SCLogError(SC_ERR_NO_FILES_FOR_PROTOCOL, "protocol %s doesn't support DCERPC keyword",
+ AppProtoToString(s->alproto));
+ SCReturnInt(0);
+ }
+ }
 SCReturnInt(1);
 }
diff --git a/src/detect.h b/src/detect.h
index 63359f1863..d25c08b464 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -263,6 +263,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
 #define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8) /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
+#define SIG_FLAG_INIT_DCERPC BIT_U32(10) /**< signature has DCERPC keyword */
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */
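Review bot: The SCLogError call in the new block reuses SC_ERR_NO_FILES_FOR_PROTOCOL, which judging by its name describes a file-keyword condition, while what is actually being reported is a dce_* keyword on an app-layer protocol that cannot carry it; logging it as a signature error, `SCLogError(SC_ERR_INVALID_SIGNATURE, "protocol %s doesn't support DCERPC keyword", AppProtoToString(s->alproto));`, keeps the error code meaningful for anyone grepping rule-load failures. The condition deliberately lets ALPROTO_UNKNOWN through, presumably for rules that never set an app-layer protocol; a comment such as `/* alproto is only checked when the rule set one: dce_* keywords inspect DCERPC and SMB only */` would stop a later reader from tightening it and breaking plain-tcp DCERPC rules. Doing this in SigValidate rather than in the keyword setups is the right place, since alproto can still change after the keyword is parsed. SigValidate begins before this hunk.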