From: Shivani Bhardwaj
Date: Sat, 13 Feb 2021 12:27:42 +0000 (+0530)
Subject: dcerpc/udp: improve detection
X-Git-Tag: suricata-7.0.0-beta1~1778
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f967a491047a6d8eaa232944c690dadfb0cc3c86;p=thirdparty%2Fsuricata.git

dcerpc/udp: improve detection

Lately, Wireguard proto starting w pattern |04 00| is misdetected as DCERPC/UDP which also starts with the same pattern, add more checks to make sure that it is the best guess for packet to be dcerpc/udp.
---

diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
index 0f86404048..1ed151859b 100644
--- a/rust/src/dcerpc/dcerpc_udp.rs
+++ b/rust/src/dcerpc/dcerpc_udp.rs
@@ -294,7 +294,10 @@ fn probe(input: &[u8]) -> (bool, bool) {
     match parser::parse_dcerpc_udp_header(input) {
         Ok((_, hdr)) => {
             let is_request = hdr.pkt_type == 0x00;
-            let is_dcerpc = hdr.rpc_vers == 0x04;
+            let is_dcerpc = hdr.rpc_vers == 0x04 &&
+                (hdr.flags2 & 0xfc == 0) &&
+                (hdr.drep[0] & 0xee == 0) &&
+                (hdr.drep[1] <= 3);
             return (is_dcerpc, is_request);
         },
         Err(_) => (false, false),
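Review bot: The three added conjuncts in the `is_dcerpc` expression are bare bit masks (`0xfc`, `0xee`, `<= 3`) with nothing saying which header fields they validate, so the next person tuning the probe cannot tell a deliberate allowance (e.g. the byte-order bit in `drep[0]`) from an oversight. A short comment above the expression would fix that: `// Reserved bits of flags2 must be clear, drep[0] may only carry the byte-order (0x10) and char-rep (0x01) bits, and drep[1] (float rep) is defined only for 0..=3.`. The probe still accepts any `pkt_type` value, which only feeds `is_request`; if `parse_dcerpc_udp_header` does not already bound it, adding `&& (hdr.pkt_type <= 0x13)` (the last connectionless PDU type, orphaned) would tighten the guess further against same-prefix traffic such as the WireGuard case named in the description. Note that Rust parses `a & b == c` as `(a & b) == c`, so the masks are correct as written, unlike the C reading. `probe` begins before this hunk and its body continues after it.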