From c663ac6ddd02579eec4816fb11b86c4f87e89c80 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 12 Mar 2021 11:03:34 +0530
Subject: [PATCH] dcerpc/tcp: improve detection

Lately, some of the TLS data was misdetected as DCERPC/TCP because of the pattern |05 00|. Add more checks in DCERPC probe function to ensure that it is in fact DCERPC/TCP.
---
 rust/src/dcerpc/dcerpc.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
index 356022ff97..70ebb17977 100644
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@@ -1351,7 +1351,10 @@ fn probe(input: &[u8]) -> (bool, bool) {
 match parser::parse_dcerpc_header(input) {
 Ok((_, hdr)) => {
 let is_request = hdr.hdrtype == 0x00;
-let is_dcerpc = hdr.rpc_vers == 0x05 && hdr.rpc_vers_minor == 0x00;
+let is_dcerpc = hdr.rpc_vers == 0x05 &&
+hdr.rpc_vers_minor == 0x00 &&
+hdr.packed_drep[0] & 0xee == 0 &&
+hdr.packed_drep[1] <= 3;
 return (is_dcerpc, is_request);
 },
 Err(_) => (false, false),
-- 
2.47.2
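Review bot: The two new `packed_drep` conditions encode DCE/RPC data-representation semantics with bare magic numbers and should carry a comment where they are used, e.g. `// drep[0]: only the integer-order (bit 4) and character-set (bit 0) flags may be set; drep[1]: float format, valid values 0..=3`. In Rust `&` binds tighter than `==`, so `hdr.packed_drep[0] & 0xee == 0` does what is intended, but readers coming from C will misparse it; `(hdr.packed_drep[0] & 0xee) == 0` removes the doubt at no cost. If the parsed header also exposes the remaining two reserved drep bytes (zero on the wire) or the fragment length (never smaller than the 16-byte header), checking those as well would further reduce false positives on unrelated traffic that happens to begin with 05 00; the header struct is not visible from this hunk, so treat that as a suggestion to confirm. The enclosing probe function starts and ends outside the hunk.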