From a15e503b7d30c657d402a12795212d59c8490760 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 6 Apr 2020 17:22:33 +0200
Subject: [PATCH] enip: more precise probing parser

Bug: #3615
---
 src/app-layer-enip.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 282294536f..af4a1fd000 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -393,8 +393,27 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
 SCLogDebug("length too small to be a ENIP header");
 return ALPROTO_UNKNOWN;
 }
-
- return ALPROTO_ENIP;
+ uint16_t cmd;
+ int ret = ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
+ (const uint8_t *) (input));
+ if(ret < 0) {
+ return ALPROTO_FAILED;
+ }
+ //ok for all the known commands
+ switch(cmd) {
+ case NOP:
+ case LIST_SERVICES:
+ case LIST_IDENTITY:
+ case LIST_INTERFACES:
+ case REGISTER_SESSION:
+ case UNREGISTER_SESSION:
+ case SEND_RR_DATA:
+ case SEND_UNIT_DATA:
+ case INDICATE_STATUS:
+ case CANCEL:
+ return ALPROTO_ENIP;
+ }
+ return ALPROTO_FAILED;
 }
 
 /**
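Review bot: The probe now decides on the 16-bit command alone, and the `return ALPROTO_FAILED;` after the `switch` means a flow whose first message carries a command outside the ten listed cases presumably never reaches the ENIP parser or the rules that depend on it. On an ICS network an unexpected command on the ENIP port is traffic an analyst wants surfaced, so the trade-off should be stated at the switch, for example `/* unknown command: ENIP detection stops for this flow, so ENIP rules will not inspect it */`. It is also worth confirming, since it is not visible here, that such flows are still reported some other way. The switch has no `default:` label; adding `default: break;` would make the rejection path explicit. The start of ENIPProbingParser and its length guard lie outside the hunk, so the two-byte read is assumed to be covered by that earlier check.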