detect/dcerpc: apply dcerpc to smb as well

So 'alert dcerpc' also matches if the DCERPC is over SMB. Bug: #5208.
4 years ago · 1492fcc6ad
parent ac0612319c
commit 1492fcc6ad
3 changed files with 10 additions and 4 deletions
--- a/src/detect-engine-prefilter-common.h
+++ b/src/detect-engine-prefilter-common.h
@ -79,7 +79,8 @@ PrefilterPacketHeaderExtraMatch(const PrefilterPacketHeaderCtx *ctx,
        case PREFILTER_EXTRA_MATCH_UNUSED:
            break;
        case PREFILTER_EXTRA_MATCH_ALPROTO:
-            if (p->flow == NULL || p->flow->alproto != ctx->value)
+            if (p->flow == NULL || p->flow->alproto != ctx->value ||
+                    (ctx->value == ALPROTO_DCERPC && p->flow->alproto == ALPROTO_SMB))
                return FALSE;
            break;
        case PREFILTER_EXTRA_MATCH_SRCPORT:
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -555,7 +555,8 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature

        if (t->alproto == ALPROTO_UNKNOWN) {
            /* special case, inspect engine applies to all protocols */
-        } else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto)
+        } else if (s->alproto != ALPROTO_UNKNOWN && s->alproto != t->alproto &&
+                !(s->alproto == ALPROTO_DCERPC && t->alproto == ALPROTO_SMB))
            goto next;

        if (s->flags & SIG_FLAG_TOSERVER && !(s->flags & SIG_FLAG_TOCLIENT)) {
--- a/src/detect.c
+++ b/src/detect.c
@ -358,7 +358,9 @@ DetectPrefilterBuildNonPrefilterList(DetectEngineThreadCtx *det_ctx, SignatureMa
         * so build the non_mpm array only for match candidates */
        const SignatureMask rule_mask = det_ctx->non_pf_store_ptr[x].mask;
        const uint8_t rule_alproto = det_ctx->non_pf_store_ptr[x].alproto;
-        if ((rule_mask & mask) == rule_mask && (rule_alproto == 0 || rule_alproto == alproto)) {
+        if ((rule_mask & mask) == rule_mask && (rule_alproto == 0 || rule_alproto == alproto ||
+                    (rule_alproto == ALPROTO_DCERPC && alproto == ALPROTO_SMB)))
+        {
            det_ctx->non_pf_id_array[det_ctx->non_pf_id_cnt++] = det_ctx->non_pf_store_ptr[x].id;
        }
    }
@ -1089,7 +1091,9 @@ static bool DetectRunTxInspectRule(ThreadVars *tv,
            return false;
        }
        /* stream mpm and negated mpm sigs can end up here with wrong proto */
-        if (!(f->alproto == s->alproto || s->alproto == ALPROTO_UNKNOWN)) {
+        if (!(f->alproto == s->alproto || s->alproto == ALPROTO_UNKNOWN ||
+                    (s->alproto == ALPROTO_DCERPC && f->alproto == ALPROTO_SMB)))
+        {
            TRACE_SID_TXS(s->id, tx, "alproto mismatch");
            return false;
        }