From: Victor Julien
Date: Thu, 9 Jun 2022 11:53:20 +0000 (+0200)
Subject: detect/dcerpc: apply dcerpc to smb as well
X-Git-Tag: suricata-6.0.6~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e65ab0fc90be633374d6f494cc9dfe05ecb80999;p=thirdparty%2Fsuricata.git
detect/dcerpc: apply dcerpc to smb as well So 'alert dcerpc' also matches if the DCERPC is over SMB. Explicitly refuse smb keywords for the 'dcerpc' app proto setting: `alert dceprc ... smb.share; ...` is rejected. Remove a now useless special case in the stateless rule processing matching for dcerpc/smb. Bug: #5208. (cherry picked from commit 7d38f5667d1fe7dccd355f85434d2fb709578f57)
---
diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h
index 36b69ddcfa..6b677611e2 100644
--- a/src/app-layer-protos.h
+++ b/src/app-layer-protos.h
@@ -85,6 +85,8 @@ static inline bool AppProtoEquals(AppProto sigproto, AppProto alproto)
     if (alproto == ALPROTO_HTTP2 && g_config_http1keywords_http2traffic && sigproto == ALPROTO_HTTP) {
         return true;
+    } else if (sigproto == ALPROTO_DCERPC) {
+        return (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB);
     }
     return (sigproto == alproto);
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 7f0174a973..cf495bf051 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1499,6 +1499,14 @@ int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
                 AppProtoToString(alproto), AppProtoToString(s->alproto));
         return -1;
     }
+    /* since AppProtoEquals is quite permissive wrt dcerpc and smb, make sure
+     * we refuse `alert dcerpc ... smb.share; content...` explicitly. */
+    if (alproto == ALPROTO_SMB && s->alproto == ALPROTO_DCERPC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+                "can't set rule app proto to %s: already set to %s", AppProtoToString(alproto),
+                AppProtoToString(s->alproto));
+        return -1;
+    }
     // allow to keep HTTP2 as s->alproto with HTTP1 alproto keywords
     if (!AppProtoEquals(alproto, s->alproto)) {
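Review bot: The new `else if (sigproto == ALPROTO_DCERPC)` branch makes `AppProtoEquals` asymmetric — `AppProtoEquals(ALPROTO_DCERPC, ALPROTO_SMB)` is true while `AppProtoEquals(ALPROTO_SMB, ALPROTO_DCERPC)` is false — and nothing in the hunk says which argument is the rule's protocol and which the flow's, so a caller that swaps them silently gains or loses matches. I would add, above the declaration (the function's opening lines are outside the hunk), `/* Does a rule declared for sigproto apply to a flow detected as alproto? Not symmetric: a DCERPC rule also applies to SMB flows (DCERPC over SMB), and an HTTP1 rule to HTTP2 flows when g_config_http1keywords_http2traffic is set. */`. Since a `dcerpc` rule now reaches SMB flows, it is worth confirming that the dcerpc keywords' inspection engines are registered for ALPROTO_SMB as well; that cannot be seen from this hunk.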
diff --git a/src/detect.c b/src/detect.c
index 6084cb6bc5..1986c2671c 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -772,15 +772,8 @@ static inline void DetectRulePacketRules(
         /* if the sig has alproto and the session as well they should match */
         if (likely(sflags & SIG_FLAG_APPLAYER)) {
             if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
-                if (s->alproto == ALPROTO_DCERPC) {
-                    if (scratch->alproto != ALPROTO_SMB) {
-                        SCLogDebug("DCERPC sig, alproto not SMB");
-                        goto next;
-                    }
-                } else {
-                    SCLogDebug("alproto mismatch");
-                    goto next;
-                }
+                SCLogDebug("alproto mismatch");
+                goto next;
             }
         }