dcerpc: check app proto for signature keywords

5 years ago · b8069365f5
parent 6ab323d323
commit b8069365f5
3 changed files with 13 additions and 1 deletions
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@ -160,7 +160,9 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 {
    SCEnter();

-    if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0) {
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+        s->alproto != ALPROTO_SMB) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
        return -1;
    }
    void *did = rs_dcerpc_iface_parse(arg);
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
@ -132,6 +132,11 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
        return -1;
    }

+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+        s->alproto != ALPROTO_SMB) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        return -1;
+    }
    void *dod = rs_dcerpc_opnum_parse(arg);
    if (dod == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "Error parsing dce_opnum option in "
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@ -171,6 +171,11 @@ void DetectDceStubDataRegister(void)

 static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
 {
+    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
+        s->alproto != ALPROTO_SMB) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+        return -1;
+    }
    if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
        return -1;
    return 0;