From 8c774a1e2a5d2fed1dcfa96c160c7dcffbc6c8b8 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Wed, 28 Jul 2010 16:23:02 +0530
Subject: [PATCH] fix 206. Keep a count of uuids that don't belong to the first frag. Change dce_iface to match against uuids based on any_frag setting
---
 src/app-layer-dcerpc-common.h | 2 ++
 src/app-layer-dcerpc.c | 6 ++++++
 src/detect-dce-iface.c | 23 ++++++++++++++++-------
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/src/app-layer-dcerpc-common.h b/src/app-layer-dcerpc-common.h
index 3511c9f396..9dbb8a9330 100644
--- a/src/app-layer-dcerpc-common.h
+++ b/src/app-layer-dcerpc-common.h
@@ -150,6 +150,8 @@ typedef struct DCERPCBindBindAck_ {
 uint16_t versionminor;
 DCERPCUuidEntry *uuid_entry;
 TAILQ_HEAD(, DCERPCUuidEntry_) uuid_list;
+ /* hold a count of uuids that don't belong to the first frag */
+ uint16_t non_first_frag_uuids_count;
 uint16_t secondaryaddrlen;
 uint16_t secondaryaddrlenleft;
 uint16_t result;
diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index 5f296c299a..e317e2424a 100644
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@@ -259,6 +259,9 @@ static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t
 dcerpc->dcerpcbindbindack.numctxitemsleft--;
 dcerpc->bytesprocessed += (44);
 dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
+ if (!(dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) {
+ dcerpc->dcerpcbindbindack.non_first_frag_uuids_count++;
+ }
 SCReturnUInt(44U);
 }
 } else {
@@ -1135,6 +1138,9 @@ int32_t DCERPCParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len) {
 switch (dcerpc->dcerpchdr.type) {
 case BIND:
 case ALTER_CONTEXT:
+ if (!dcerpc->pdu_fragged) {
+ dcerpc->dcerpcbindbindack.non_first_frag_uuids_count = 0;
+ }
 while (dcerpc->bytesprocessed < DCERPC_HDR_LEN + 12 &&
 dcerpc->bytesprocessed < dcerpc->dcerpchdr.frag_length &&
 input_len) {
diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index f7902c2989..962630ec33 100644
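Review bot: The increment added after `ctxbytesprocessed += (44)` turns `non_first_frag_uuids_count` into a positional quantity that the detector uses to skip the first N entries of `uuid_list`, yet nothing in this hunk fixes where a non-first-fragment ctx item lands in that list; if DCERPCParseBINDCTXItem appends entries with TAILQ_INSERT_TAIL (the insertion is outside the hunk), those uuids sit at the tail and skipping the head drops the first-fragment uuids instead. Please state the invariant the consumer relies on next to the increment, e.g. `/* detector assumes these uuids occupy the first non_first_frag_uuids_count slots of uuid_list */`, or record a per-entry flag rather than a count. The counter is a uint16_t that only grows until the reset in DCERPCParser, so a peer that sends more than 65535 context items across continuation fragments wraps it; a saturating increment, `if (dcerpc->dcerpcbindbindack.non_first_frag_uuids_count < UINT16_MAX) dcerpc->dcerpcbindbindack.non_first_frag_uuids_count++;`, keeps the skip count honest. DCERPCParseBINDCTXItem starts and ends outside this hunk.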
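Review bot: The reset at the top of the BIND/ALTER_CONTEXT case zeroes `non_first_frag_uuids_count` whenever `pdu_fragged` is clear, but `uuid_list`, which the count indexes into, is not touched here, so the two can drift apart if the list is emptied on a different condition (its lifecycle is outside this hunk). Zeroing the counter at the same point the list is cleared, or at least documenting the pairing with `/* a new, non-continued BIND/ALTER_CONTEXT PDU starts a fresh uuid list; the non-first-frag count is reset with it */`, would make the coupling explicit. If `pdu_fragged` is only set once part of a PDU has been consumed, a continuation fragment whose first fragment was never seen also hits this reset and then immediately increments in DCERPCParseBINDCTXItem, which looks intended but is worth a one-line note. DCERPCParser's body starts and ends outside this hunk.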
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -279,6 +279,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
 int i = 0;
 DetectDceIfaceData *dce_data = (DetectDceIfaceData *)m->ctx;
 DCERPCState *dcerpc_state = (DCERPCState *)state;
+ int avoid_uuids = 0;
 if (dcerpc_state == NULL) {
 SCLogDebug("No DCERPCState for the flow");
 return 0;
@@ -286,16 +287,24 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, SCMutexLock(&f->m); - /* if any_frag is not enabled, we need to match only against the first - * fragment */ - if (!dce_data->any_frag && - !(dcerpc_state->dcerpc.dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) { - /* any_frag has not been set, and apparently it's not the first fragment */ - ret = 0; - goto end; + ///* if any_frag is not enabled, we need to match only against the first + // * fragment */ + //if (!dce_data->any_frag && + // !(dcerpc_state->dcerpc.dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) { + // /* any_frag has not been set, and apparently it's not the first fragment */ + // ret = 0; + // goto end; + //} + + if (!dce_data->any_frag) { + avoid_uuids = dcerpc_state->dcerpc.dcerpcbindbindack.non_first_frag_uuids_count; } + int count = 0; TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.uuid_list, next) { + if (count++ < avoid_uuids) + continue; + ret = 1; /* if the uuid has been rejected(item->result == 1), we skip to the