dcerpc udp support

src/Makefile.am

@@ -199,6 +199,7 @@ app-layer-tls.c app-layer-tls.h \
 app-layer-smb.c app-layer-smb.h \
 app-layer-smb2.c app-layer-smb2.h \
 app-layer-dcerpc.c app-layer-dcerpc.h \
+app-layer-dcerpc-udp.c app-layer-dcerpc-udp.h \
 app-layer-ftp.c app-layer-ftp.h \
 app-layer-ssl.c app-layer-ssl.h \
 defrag.c defrag.h \

src/app-layer-dcerpc-common.h

@@ -107,6 +107,30 @@ typedef struct DCERPCHdr_ {
 
 #define DCERPC_HDR_LEN 16
 
+typedef struct DCERPCHdrUdp_ {
+    uint8_t rpc_vers; /* 4 RPC protocol major version (4 LSB only)*/
+    uint8_t type;       /* Packet type (5 LSB only) */
+    uint8_t flags1;     /* Packet flags */
+    uint8_t flags2;     /* Packet flags */
+    uint8_t drep[3];    /* Data representation format label */
+    uint8_t serial_hi;  /* High byte of serial number */
+    uint8_t objectuuid[16];
+    uint8_t interfaceuuid[16];
+    uint8_t activityuuid[16];
+    uint32_t server_boot;/* Server boot time */
+    uint32_t if_vers;    /* Interface version */
+    uint32_t seqnum;     /* Sequence number */
+    uint16_t opnum;      /* Operation number */
+    uint16_t ihint;      /* Interface hint */
+    uint16_t ahint;      /* Activity hint */
+    uint16_t fraglen;        /* Length of packet body */
+    uint16_t fragnum;    /* Fragment number */
+    uint8_t auth_proto; /* Authentication protocol identifier*/
+    uint8_t serial_lo;  /* Low byte of serial number */
+}DCERPCHdrUdp;
+
+#define DCERPC_UDP_HDR_LEN 80
+
 typedef struct DCERPCUuidEntry_ {
     uint16_t ctxid;
     uint16_t result;
@@ -161,6 +185,17 @@ typedef struct DCERPC_ {
     uint16_t transaction_id;
 } DCERPC;
 
+typedef struct DCERPCUDP_ {
+     DCERPCHdrUdp dcerpchdrudp;
+     DCERPCBindBindAck dcerpcbindbindack;
+     DCERPCRequest dcerpcrequest;
+     DCERPCResponse dcerpcresponse;
+     uint16_t bytesprocessed;
+     uint16_t fraglenleft;
+     uint8_t *frag_data;
+     DCERPCUuidEntry *uuid_entry;
+     TAILQ_HEAD(, uuid_entry) uuid_list;
+}DCERPCUDP;
 
 /** First fragment */
 #define PFC_FIRST_FRAG           0x01

src/app-layer-detect-proto.c

@@ -411,9 +411,9 @@ void AppLayerDetectProtoThreadInit(void) {
     AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOCLIENT);
     AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 8, 4, STREAM_TOSERVER);
 
-    /** SMB2 */
-    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 4, 4, STREAM_TOCLIENT);
-    AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_SMB2, "|fe|SMB", 4, 4, STREAM_TOSERVER);
+    /** DCERPC */
+    AlpProtoAdd(&alp_proto_ctx, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOCLIENT);
+    AlpProtoAdd(&alp_proto_ctx, IPPROTO_UDP, ALPROTO_DCERPC_UDP, "|04 00|", 2, 0, STREAM_TOSERVER);
 
     /** DCERPC */
     AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_DCERPC, "|05 00|", 2, 0, STREAM_TOCLIENT);

src/app-layer-protos.h

@@ -38,6 +38,7 @@ enum {
     ALPROTO_SMB,
     ALPROTO_SMB2,
     ALPROTO_DCERPC,
+    ALPROTO_DCERPC_UDP,
 #ifdef UNITTESTS
     ALPROTO_TEST,
 #endif /* UNITESTS */

src/suricata.c

@@ -100,6 +100,7 @@
 #include "app-layer-tls.h"
 #include "app-layer-smb.h"
 #include "app-layer-dcerpc.h"
+#include "app-layer-dcerpc-udp.h"
 #include "app-layer-htp.h"
 #include "app-layer-ftp.h"
 #include "app-layer-ssl.h"
@@ -800,6 +801,7 @@ int main(int argc, char **argv)
     RegisterTLSParsers();
     RegisterSMBParsers();
     RegisterDCERPCParsers();
+    RegisterDCERPCUDPParsers();
     RegisterFTPParsers();
     RegisterSSLParsers();
     AppLayerParsersInitPostProcess();
@@ -840,6 +842,7 @@ int main(int argc, char **argv)
         TLSParserRegisterTests();
         SMBParserRegisterTests();
         DCERPCParserRegisterTests();
+        DCERPCUDPParserRegisterTests();
         FTPParserRegisterTests();
         DecodeRawRegisterTests();
         DecodePPPOERegisterTests();