From: Philippe Antoine
Date: Thu, 27 Aug 2020 15:32:41 +0000 (+0200)
Subject: dcerpc: validate signature with dcerpc keywords
X-Git-Tag: suricata-6.0.0-rc1~94
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c06d8f246303d767d2b5e8c504f58de401e64c0a;p=thirdparty%2Fsuricata.git
dcerpc: validate signature with dcerpc keywords so that they do not use another protocol's keywords
---
diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index 434ceb3ffe..de711e3df5 100644
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -181,6 +181,7 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 sm->ctx = did;
 SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+ s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
 return 0;
 }
diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index 509f1d3882..ccaa12b6f6 100644
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@@ -154,6 +154,7 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 sm->ctx = (void *)dod;
 SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
+ s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
 return 0;
 }
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index 0339cc66c9..416109fe0f 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -178,6 +178,8 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const c
 }
 if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0) return -1;
+
+ s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
 return 0;
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 08a1e85196..b9962dbf40 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
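Review bot: The added `s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;` in DetectDceIfaceSetup carries no comment saying why the flag is set, and the same bare line is added in DetectDceOpnumSetup (detect-dce-opnum.c) and DetectDceStubDataSetup (detect-dce-stub-data.c). The flag's only consumer visible in this commit is the SigValidate check that rejects a signature whose app-layer protocol is neither DCERPC nor SMB, a dependency the reader of a keyword setup function cannot see from here. A one-line comment at each of the three sites would make it explicit: `/* checked by SigValidate: rejects the rule if its app-layer protocol is not DCERPC/SMB */`. Each of the three setup functions starts outside its hunk, so if any of them has an earlier successful return path, that path would skip the flag and bypass the validation — worth confirming.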
@@ -1857,7 +1857,14 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 AppLayerHtpNeedFileInspection();
 }
 }
-
+ if (s->init_data->init_flags & SIG_FLAG_INIT_DCERPC) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+ s->alproto != ALPROTO_SMB) {
+ SCLogError(SC_ERR_NO_FILES_FOR_PROTOCOL, "protocol %s doesn't support DCERPC keyword",
+ AppProtoToString(s->alproto));
+ SCReturnInt(0);
+ }
+ }
 SCReturnInt(1);
 }
diff --git a/src/detect.h b/src/detect.h
index 8060a1a69c..00b6b80658 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -263,6 +263,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
 #define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8) /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
+#define SIG_FLAG_INIT_DCERPC BIT_U32(10) /**< signature has DCERPC keyword */
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */
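Review bot: The new check in SigValidate reports the DCERPC/app-layer mismatch under `SC_ERR_NO_FILES_FOR_PROTOCOL`, a code whose name describes a different failure (file keywords on a protocol without file support), so anyone filtering rule-load errors by code will misread this one. A signature-validation code such as `SC_ERR_INVALID_SIGNATURE` fits better: `SCLogError(SC_ERR_INVALID_SIGNATURE, "protocol %s doesn't support DCERPC keyword",`. The condition also accepts `ALPROTO_UNKNOWN`, so a rule that uses DCERPC keywords without declaring an app-layer protocol still loads; if that is intended, a short comment on the condition (e.g. that port-only rules are left to the DCERPC/SMB parsers at match time) would save the next reader from asking. SigValidate's body begins outside the hunk.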