From: Shivani Bhardwaj Date: Fri, 12 Mar 2021 05:33:34 +0000 (+0530) Subject: dcerpc/tcp: improve detection X-Git-Tag: suricata-7.0.0-beta1~1665 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c663ac6ddd02579eec4816fb11b86c4f87e89c80;p=thirdparty%2Fsuricata.git dcerpc/tcp: improve detection Lately, some of the TLS data was misdetected as DCERPC/TCP because of the pattern |05 00|. Add more checks in DCERPC probe function to ensure that it is in fact DCERPC/TCP.
---
diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
index 356022ff97..70ebb17977 100644
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@@ -1351,7 +1351,10 @@ fn probe(input: &[u8]) -> (bool, bool) {
 match parser::parse_dcerpc_header(input) {
 Ok((_, hdr)) => {
 let is_request = hdr.hdrtype == 0x00;
- let is_dcerpc = hdr.rpc_vers == 0x05 && hdr.rpc_vers_minor == 0x00;
+ let is_dcerpc = hdr.rpc_vers == 0x05 &&
+ hdr.rpc_vers_minor == 0x00 &&
+ hdr.packed_drep[0] & 0xee == 0 &&
+ hdr.packed_drep[1] <= 3;
 return (is_dcerpc, is_request);
 },
 Err(_) => (false, false),
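Review bot: The added `packed_drep` tests encode the NDR format-label rules as bare constants (`0xee`, `3`) with nothing in the hunk saying what they mean; a comment such as `// drep[0]: only the integer-representation (0x10) and character-representation (0x01) bits may be set; drep[1]: float representation, 0 (IEEE) .. 3 (IBM)` would spare the next reader a trip to the DCE/RPC spec. The expression is correct as written because Rust binds `&` tighter than `==`, but `(hdr.packed_drep[0] & 0xee) == 0` reads unambiguously for anyone carrying over C precedence. If `packed_drep` holds the full four-byte label, the two reserved trailing bytes are specified as zero and could be checked the same way to tighten the probe further; whether the parser fills those bytes is not visible in this hunk. The body of `probe` closes outside the hunk.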