From: Philippe Antoine
Date: Sat, 2 May 2020 18:17:35 +0000 (+0200)
Subject: enip: use status for probing parser
X-Git-Tag: suricata-6.0.0-beta1~77
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F5242%2Fhead;p=thirdparty%2Fsuricata.git
enip: use status for probing parser
---
diff --git a/src/app-layer-enip-common.h b/src/app-layer-enip-common.h
index 8522f65e1d..db58587d3d 100644
--- a/src/app-layer-enip-common.h
+++ b/src/app-layer-enip-common.h
@@ -56,6 +56,8 @@
 #define INVALID_SESSION 0x0064
 #define INVALID_LENGTH 0x0065
 #define UNSUPPORTED_PROT_REV 0x0069
+//Found in wireshark
+#define ENCAP_HEADER_ERROR 0x006A
 #define MAX_CIP_SERVICE 127
 #define MAX_CIP_CLASS 65535
diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 52c6c5dab3..aace890a8e 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -380,6 +380,7 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
 return ALPROTO_UNKNOWN;
 }
 uint16_t cmd;
+ uint32_t status;
 int ret = ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *) (input));
 if(ret < 0) {
@@ -397,7 +398,23 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
 case SEND_UNIT_DATA:
 case INDICATE_STATUS:
 case CANCEL:
- return ALPROTO_ENIP;
+ ret = ByteExtractUint32(&status, BYTE_LITTLE_ENDIAN,
+ sizeof(uint32_t),
+ (const uint8_t *) (input + 8));
+ if(ret < 0) {
+ return ALPROTO_FAILED;
+ }
+ switch(status) {
+ case SUCCESS:
+ case INVALID_CMD:
+ case NO_RESOURCES:
+ case INCORRECT_DATA:
+ case INVALID_SESSION:
+ case INVALID_LENGTH:
+ case UNSUPPORTED_PROT_REV:
+ case ENCAP_HEADER_ERROR:
+ return ALPROTO_ENIP;
+ }
 }
 return ALPROTO_FAILED;
 }
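Review bot: The comment `//Found in wireshark` above the new `ENCAP_HEADER_ERROR` define says where the value came from but not what it is, so a reader of the probing parser cannot tell from the header that 0x006A belongs to the same encapsulation-status family as `INVALID_LENGTH` and `UNSUPPORTED_PROT_REV` — only its use in the `switch(status)` in app-layer-enip.c implies that. Since these constants are the whitelist that decides whether a flow is classified as ENIP, the provenance matters and should be stated precisely. I would replace the comment with `/* Encapsulation header status: encapsulation header error (0x006A). Not in the original list; value taken from Wireshark's ENIP dissector — confirm against the CIP Vol. 2 status table */`. The existing defines also carry no comment naming them as encapsulation status values; a one-line group comment above `INVALID_SESSION` (outside this hunk) would help.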
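Review bot: The new 4-byte read at `(const uint8_t *) (input + 8)` is only in bounds because of the minimum-length guard that precedes the `return ALPROTO_UNKNOWN;` context line at the top of the previous hunk, which is outside this diff; presumably that guard requires the full 24-byte encapsulation header (command, length, session handle, then status at offset 8), but nothing in this hunk says so, so I would add `/* status field of the encapsulation header; relies on the input_len check above covering it */` next to the call and verify the guard's threshold. The inner `switch(status)` has no `default:` and silently falls out of the outer switch to `return ALPROTO_FAILED;`, which is correct but easy to break when someone later adds code after the inner switch; an explicit `default: return ALPROTO_FAILED;` makes the rejection of unknown status codes deliberate. Because `direction` is a parameter of `ENIPProbingParser` (signature in the hunk header, body starts outside the hunk), the to-server side could be tightened to accept only `SUCCESS` if, as I believe the spec requires, requests must carry a zero status — worth confirming before relying on it, since the permissive eight-value list accepts any error code in either direction.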