From: Philippe Antoine
Date: Wed, 30 Sep 2020 20:04:32 +0000 (+0200)
Subject: dnp3: more precise probing for banners
X-Git-Tag: suricata-6.0.0~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bde0c88984f09804e153d95647c5892eadb9f656;p=thirdparty%2Fsuricata.git
dnp3: more precise probing for banners
---
diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c
index 5c04ea19fc..025afd69fc 100644
--- a/src/app-layer-dnp3.c
+++ b/src/app-layer-dnp3.c
@@ -277,10 +277,20 @@ static uint16_t DNP3ProbingParser(Flow *f, uint8_t direction,
 /* May be a banner. */
 if (DNP3ContainsBanner(input, len)) {
 SCLogDebug("Packet contains a DNP3 banner.");
- if (toserver) {
- *rdir = STREAM_TOCLIENT;
+ bool is_banner = true;
+ // magic 0x100 = 256 seems good enough
+ for (uint32_t i = 0; i < len && i < 0x100; i++) {
+ if (!isprint(input[i])) {
+ is_banner = false;
+ break;
+ }
+ }
+ if (is_banner) {
+ if (toserver) {
+ *rdir = STREAM_TOCLIENT;
+ }
+ return ALPROTO_DNP3;
 }
- return ALPROTO_DNP3;
 }
 
 /* Check that we have the minimum amount of bytes. */
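Review bot: The new printable-prefix loop rejects every byte for which `isprint()` is false, and that includes CR, LF and tab, so a banner carrying a line terminator within its first 256 bytes would no longer be classified and would fall through to the binary header checks. Whether real banners contain one is not visible from this hunk, so the assumption should be written down in the comment or covered by a pcap-backed test. The bound `0x100` would read better as a named constant whose comment says that only this prefix is inspected and bytes beyond it are not checked, e.g. `#define DNP3_BANNER_PROBE_MAX 0x100` (the name is only a suggestion). `SCLogDebug("Packet contains a DNP3 banner.");` now runs before the printable check and so also fires for input that is then rejected; moving it inside `if (is_banner)` keeps the debug log accurate. `isprint` needs `<ctype.h>`; the include block and the rest of DNP3ProbingParser lie outside the hunk, so confirm the header is present.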