dcerpc/tcp: improve detection

Recently, some TLS traffic was misdetected as DCERPC/TCP because it matched
the pattern |05 00|. Add more checks to the DCERPC probe function to ensure
that the data is in fact DCERPC/TCP.
Shivani Bhardwaj 4 years ago committed by Victor Julien
parent a5f36eccf1
commit c663ac6ddd

@ -1351,7 +1351,10 @@ fn probe(input: &[u8]) -> (bool, bool) {
match parser::parse_dcerpc_header(input) {
Ok((_, hdr)) => {
let is_request = hdr.hdrtype == 0x00;
let is_dcerpc = hdr.rpc_vers == 0x05 && hdr.rpc_vers_minor == 0x00;
let is_dcerpc = hdr.rpc_vers == 0x05 &&
hdr.rpc_vers_minor == 0x00 &&
hdr.packed_drep[0] & 0xee == 0 &&
hdr.packed_drep[1] <= 3;
return (is_dcerpc, is_request);
},
Err(_) => (false, false),
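Review bot: The probe still accepts any hdrtype byte, so a payload that happens to start with 05 00 followed by an arbitrary type and a plausible drep still passes; the new condition on lines 16-19 could also bound the packet type, `hdr.hdrtype <= 19` (19 being the highest connection-oriented PDU type in the DCE RPC spec), and, if the parsed header also exposes a frag_length field, require it to be at least the 16-byte header size. The mask test parses as `(hdr.packed_drep[0] & 0xee) == 0` only because Rust gives `&` higher precedence than `==`, the opposite of C, so a comment beside it would help readers coming from the C side, e.g. `// drep[0]: low nibble char rep (0 ASCII, 1 EBCDIC), high nibble byte order (0 BE, 1 LE); drep[1]: float rep 0..=3`. probe's body continues past the end of the hunk.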
