fix 206. Keep a count of uuids that don't belong to the first frag. Change dce_iface to match against uuids based on any_frag setting

src/app-layer-dcerpc-common.h

@@ -150,6 +150,8 @@ typedef struct DCERPCBindBindAck_ {
     uint16_t versionminor;
     DCERPCUuidEntry *uuid_entry;
     TAILQ_HEAD(, DCERPCUuidEntry_) uuid_list;
+    /* hold a count of uuids that don't belong to the first frag */
+    uint16_t non_first_frag_uuids_count;
     uint16_t secondaryaddrlen;
     uint16_t secondaryaddrlenleft;
     uint16_t result;

src/app-layer-dcerpc.c

@@ -259,6 +259,9 @@ static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t
                             dcerpc->dcerpcbindbindack.numctxitemsleft--;
                             dcerpc->bytesprocessed += (44);
                             dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
+                            if (!(dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) {
+                                dcerpc->dcerpcbindbindack.non_first_frag_uuids_count++;
+                            }
                             SCReturnUInt(44U);
                         }
                     } else {
@@ -1135,6 +1138,9 @@ int32_t DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) {
         switch (dcerpc->dcerpchdr.type) {
         case BIND:
         case ALTER_CONTEXT:
+            if (!dcerpc->pdu_fragged) {
+                dcerpc->dcerpcbindbindack.non_first_frag_uuids_count = 0;
+            }
             while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 12
                    && dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length
                    && input_len) {

src/detect-dce-iface.c

@@ -279,6 +279,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
     int i = 0;
     DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m->ctx;
     DCERPCState *dcerpc_state = (DCERPCState *)state;
+    int avoid_uuids = 0;
     if (dcerpc_state == NULL) {
         SCLogDebug("No DCERPCState for the flow");
         return 0;
@@ -286,16 +287,24 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
 
     SCMutexLock(&f->m);
 
-    /* if any_frag is not enabled, we need to match only against the first
-     * fragment */
-    if (!dce_data->any_frag &&
-        !(dcerpc_state->dcerpc.dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) {
-        /* any_frag has not been set, and apparently it's not the first fragment */
-        ret = 0;
-        goto end;
+    ///* if any_frag is not enabled, we need to match only against the first
+    // * fragment */
+    //if (!dce_data->any_frag &&
+    //    !(dcerpc_state->dcerpc.dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) {
+    //    /* any_frag has not been set, and apparently it's not the first fragment */
+    //    ret = 0;
+    //    goto end;
+    //}
+
+    if (!dce_data->any_frag) {
+        avoid_uuids = dcerpc_state->dcerpc.dcerpcbindbindack.non_first_frag_uuids_count;
     }
 
+    int count = 0;
     TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) {
+        if (count++ < avoid_uuids)
+            continue;
+
         ret = 1;
 
         /* if the uuid has been rejected(item->result == 1), we skip to the