From: Shivani Bhardwaj
Date: Wed, 26 Jul 2023 09:41:59 +0000 (+0530)
Subject: dcerpc: accept ALTER_CONTEXT as a valid request
X-Git-Tag: suricata-7.0.1~80
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F9291%2Fhead;p=thirdparty%2Fsuricata.git

dcerpc: accept ALTER_CONTEXT as a valid request

So far, if only the starting request was a DCERPC request, it would be considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type, it should be accepted too.

Reported and patch proposed in the following Redmine ticket by InterNALXz.

Bug 6191
---
diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
index 57f3d41f0f..759d5c2634 100644
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@@ -1278,7 +1278,7 @@ pub unsafe extern "C" fn rs_dcerpc_get_stub_data(
 fn probe(input: &[u8]) -> (bool, bool) {
     match parser::parse_dcerpc_header(input) {
         Ok((_, hdr)) => {
-            let is_request = hdr.hdrtype == 0x00;
+            let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e;
             let is_dcerpc = hdr.rpc_vers == 0x05 &&
                 hdr.rpc_vers_minor == 0x00 &&
                 hdr.packed_drep[0] & 0xee == 0 &&
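Review bot: The widened comparison on the `+` line keeps both PDU types as bare literals, so the reason `0x0e` now counts as a request is only recoverable from the commit message; using the file's named PDU-type constants, if it defines them for these values, or at least a comment, would carry it in the code, e.g. `let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e; // REQUEST or ALTER_CONTEXT both open a conversation (Bug 6191)`. With ALTER_CONTEXT folded in, `is_request` no longer means "REQUEST PDU" but "client-originated PDU the probe accepts", which is worth stating so a later reader does not tighten it back to `0x00`. Since the probe now classifies more flows as DCERPC, a unit test feeding a minimal header with type `0x0e`, `rpc_vers` 5 and `rpc_vers_minor` 0 through `probe` and asserting the first tuple element is true would pin the new behavior, with a negative case for a still-rejected type to guard against over-widening. `probe` continues past the end of the hunk, so the remaining `is_dcerpc` conjuncts and the return are not visible here.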