From: Philippe Antoine
Date: Mon, 13 Jul 2020 14:42:56 +0000 (+0200)
Subject: dcerpc: check app proto for signature keywords
X-Git-Tag: suricata-6.0.0-beta1~110
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8069365f5de43b8972d5e388b98fe704034a8b2;p=thirdparty%2Fsuricata.git

dcerpc: check app proto for signature keywords
---
diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index e3236dfada..434ceb3ffe 100644
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -160,7 +160,9 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 {
 SCEnter();
 
- if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+ s->alproto != ALPROTO_SMB) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
 return -1;
 }
 void *did = rs_dcerpc_iface_parse(arg);
diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index 6344e3aea5..509f1d3882 100644
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@@ -132,6 +132,11 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 return -1;
 }
 
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+ s->alproto != ALPROTO_SMB) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ return -1;
+ }
 void *dod = rs_dcerpc_opnum_parse(arg);
 if (dod == NULL) {
 SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index ace1346d84..a4145452f9 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
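Review bot: The new guard in DetectDceIfaceSetup only reads `s->alproto` and, unlike the removed `DetectSignatureSetAppProto(s, ALPROTO_DCERPC)` call, records no protocol within the hunk, so a conflict is caught only when the incompatible keyword comes earlier in the rule. Unless validation outside this diff rejects it later (the function body continues past the hunk), a rule that puts another protocol's keyword after `dce_iface` would presumably load and then never match, which is a silent detection gap; a unit test loading such a rule in both keyword orders would settle it. The same three-line condition is repeated in the DetectDceOpnumSetup and DetectDceStubDataSetup hunks, so a single shared helper (name to be chosen, e.g. a hypothetical `DetectDceCheckAppProto(s, "dce_iface")`) would keep the accepted protocol list in one place. The log text would also help rule authors more if it named the keyword, e.g. `"dce_iface: rule already uses an incompatible app-layer protocol"`.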
@@ -171,6 +171,11 @@ void DetectDceStubDataRegister(void)
 
 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+ s->alproto != ALPROTO_SMB) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ return -1;
+ }
 if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
 return -1;
 return 0;