diff --git a/src/app-layer-dcerpc-common.h b/src/app-layer-dcerpc-common.h
index fb239bbc38..cdda563009 100644
--- a/src/app-layer-dcerpc-common.h
+++ b/src/app-layer-dcerpc-common.h
@@ -131,6 +131,9 @@ typedef struct DCERPCHdrUdp_ {
 
 #define DCERPC_UDP_HDR_LEN 80
 
+#define DCERPC_UUID_ENTRY_FLAG_FF 0x0001 /**< FIRST flag set on the packet
+                                              that contained this uuid entry */
+
 typedef struct DCERPCUuidEntry_ {
     uint16_t ctxid;
     uint16_t internal_id;
@@ -138,6 +141,7 @@ typedef struct DCERPCUuidEntry_ {
     uint8_t uuid[16];
     uint16_t version;
     uint16_t versionminor;
+    uint16_t flags; /**< DCERPC_UUID_ENTRY_FLAG_* flags */
     TAILQ_ENTRY(DCERPCUuidEntry_) next;
 } DCERPCUuidEntry;
 
diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index 843578fa7f..1f059733e6 100644
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
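Review bot: The comment on the new `flags` field only points at the DCERPC_UUID_ENTRY_FLAG_* names; the reason the bit exists (that `dcerpchdr.pfc_flags` is overwritten by the next PDU, so FIRST_FRAG has to be latched per entry at parse time) is stated only in app-layer-dcerpc.c, which is not where a reader of the struct will look. Suggest carrying that into the header, e.g. `/**< DCERPC_UUID_ENTRY_FLAG_* flags, latched when the entry is parsed because dcerpchdr.pfc_flags is reused by later PDUs */`. It is also worth saying that the field relies on the entry being SCCalloc'd to start at zero, since this commit only ever applies `|=` to it.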
@@ -239,33 +239,42 @@ static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t
     dcerpc->dcerpcbindbindack.versionminor |= *(p + 23) << 8;
     //if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems
     //    - dcerpc->dcerpcbindbindack.numctxitemsleft) {
-    dcerpc->dcerpcbindbindack.uuid_entry = (DCERPCUuidEntry *)
-        SCCalloc(1, sizeof(DCERPCUuidEntry));
+
+    dcerpc->dcerpcbindbindack.uuid_entry = (DCERPCUuidEntry *)SCCalloc(1, sizeof(DCERPCUuidEntry));
     if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
         SCLogDebug("UUID Entry is NULL");
         SCReturnUInt(0);
-    } else {
-        dcerpc->dcerpcbindbindack.uuid_entry->internal_id =
-            dcerpc->dcerpcbindbindack.uuid_internal_id++;
-        memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
-               dcerpc->dcerpcbindbindack.uuid,
-               sizeof(dcerpc->dcerpcbindbindack.uuid));
-        dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
-        dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
-        dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
-        TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
-                          dcerpc->dcerpcbindbindack.uuid_entry,
-                          next);
+    }
+
+    dcerpc->dcerpcbindbindack.uuid_entry->internal_id = dcerpc->dcerpcbindbindack.uuid_internal_id++;
+
+    memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
+           dcerpc->dcerpcbindbindack.uuid,
+           sizeof(dcerpc->dcerpcbindbindack.uuid));
+
+    dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
+    dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
+    dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
+
+    /* store the first frag flag in the uuid as pfc_flags will
+     * be overwritten by new packets. */
+    if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
+        dcerpc->dcerpcbindbindack.uuid_entry->flags |= DCERPC_UUID_ENTRY_FLAG_FF;
+    }
+
+    TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
+                      dcerpc->dcerpcbindbindack.uuid_entry,
+                      next);
 #ifdef UNITTESTS
-        if (RunmodeIsUnittests()) {
-            printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry);
-        }
-#endif
-        dcerpc->dcerpcbindbindack.numctxitemsleft--;
-        dcerpc->bytesprocessed += (44);
-        dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
-        SCReturnUInt(44U);
+    if (RunmodeIsUnittests()) {
+        printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry);
     }
+#endif
+    dcerpc->dcerpcbindbindack.numctxitemsleft--;
+    dcerpc->bytesprocessed += (44);
+    dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
+    SCReturnUInt(44U);
+
     //} else {
     //    SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
     //               dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);
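Review bot: The commented-out `//if (dcerpc->dcerpcbindbindack.ctxid == ...numctxitems - ...numctxitemsleft) {` skeleton and its `//} else {` tail survive the restructure on both edges of this hunk, so the now de-indented body reads as if it belongs to a condition that no longer exists; either delete the dead comment block or restore it as a real check. The same leftover frames the BINDACK hunk below. Two smaller points of style: the cast in `(DCERPCUuidEntry *)SCCalloc(1, sizeof(DCERPCUuidEntry))` is unnecessary in C and `sizeof(*dcerpc->dcerpcbindbindack.uuid_entry)` would tie the size to the pointer, and the bare `44` used in three consecutive lines would read better as one named constant (a constructed name such as `DCERPC_BIND_CTXITEM_LEN`). The enclosing parser function starts and ends outside the hunk.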
@@ -455,28 +464,36 @@ static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t
     if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
         SCLogDebug("UUID Entry is NULL\n");
         SCReturnUInt(0);
-    } else {
-        dcerpc->dcerpcbindbindack.uuid_entry->internal_id =
-            dcerpc->dcerpcbindbindack.uuid_internal_id++;
-        memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
-               dcerpc->dcerpcbindbindack.uuid,
-               sizeof(dcerpc->dcerpcbindbindack.uuid));
-        dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
-        dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
-        dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
-        TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
-                          dcerpc->dcerpcbindbindack.uuid_entry,
-                          next);
+    }
+
+    dcerpc->dcerpcbindbindack.uuid_entry->internal_id =
+        dcerpc->dcerpcbindbindack.uuid_internal_id++;
+    memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
+           dcerpc->dcerpcbindbindack.uuid,
+           sizeof(dcerpc->dcerpcbindbindack.uuid));
+    dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
+    dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
+    dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
+
+    /* store the first frag flag in the uuid as pfc_flags will
+     * be overwritten by new packets. */
+    if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
+        dcerpc->dcerpcbindbindack.uuid_entry->flags |= DCERPC_UUID_ENTRY_FLAG_FF;
+    }
+
+    TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
+                      dcerpc->dcerpcbindbindack.uuid_entry,
+                      next);
 #ifdef UNITTESTS
-        if (RunmodeIsUnittests()) {
-            printUUID("BINDACK", dcerpc->dcerpcbindbindack.uuid_entry);
-        }
-#endif
-        dcerpc->dcerpcbindbindack.numctxitemsleft--;
-        dcerpc->bytesprocessed += (p - input);
-        dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
-        SCReturnUInt((uint32_t)(p - input));
+    if (RunmodeIsUnittests()) {
+        printUUID("BINDACK", dcerpc->dcerpcbindbindack.uuid_entry);
     }
+#endif
+    dcerpc->dcerpcbindbindack.numctxitemsleft--;
+    dcerpc->bytesprocessed += (p - input);
+    dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
+    SCReturnUInt((uint32_t)(p - input));
+
     //} else {
     //    SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
     //               dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);
diff --git a/src/detect-dce-iface.c b/src/detect-dce-iface.c
index b3d1bb7c57..73c73a8250 100644
--- a/src/detect-dce-iface.c
+++ b/src/detect-dce-iface.c
@@ -274,6 +274,8 @@ static inline int DetectDceIfaceMatchIfaceVersion(uint16_t version,
 int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
                         uint8_t flags, void *state, Signature *s, SigMatch *m)
 {
+    SCEnter();
+
     int ret = 0;
     DCERPCUuidEntry *item = NULL;
     int i = 0;
@@ -281,7 +283,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
     DCERPCState *dcerpc_state = (DCERPCState *)state;
     if (dcerpc_state == NULL) {
         SCLogDebug("No DCERPCState for the flow");
-        return 0;
+        SCReturnInt(0);
     }
 
     SCMutexLock(&f->m);
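Review bot: The new side of this hunk is a near line-for-line copy of the BIND hunk above (internal_id, memcpy of the uuid, ctxid/version/versionminor, the PFC_FIRST_FRAG latch and the TAILQ_INSERT_HEAD), so the FIRST-frag logic now lives in two places that have to be kept in sync by hand. A static helper that fills and links one entry from the dcerpcbindbindack scratch fields would let both call sites reduce to a NULL check; the SCCalloc for this path sits just above the hunk and would move into the helper, and `dcerpcbindbindack.uuid_entry` is still assigned so the UNITTESTS `printUUID` call keeps working. The hunk header labels this as DCERPCParseBINDCTXItem but the enclosing function starts outside the hunk, so I cannot confirm which parser it belongs to.
```c
/* Allocate one DCERPCUuidEntry from the bind/bindack scratch fields, latch the
 * FIRST_FRAG bit (pfc_flags is overwritten by the next PDU) and link it into
 * uuid_list.  Returns the entry, or NULL if SCCalloc failed. */
static DCERPCUuidEntry *DCERPCUuidEntryAdd(DCERPC *dcerpc)
{
    DCERPCUuidEntry *entry = SCCalloc(1, sizeof(*entry));
    if (entry == NULL)
        return NULL;

    entry->internal_id = dcerpc->dcerpcbindbindack.uuid_internal_id++;
    memcpy(entry->uuid, dcerpc->dcerpcbindbindack.uuid,
           sizeof(dcerpc->dcerpcbindbindack.uuid));
    entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
    entry->version = dcerpc->dcerpcbindbindack.version;
    entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
    if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG)
        entry->flags |= DCERPC_UUID_ENTRY_FLAG_FF;

    TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list, entry, next);
    dcerpc->dcerpcbindbindack.uuid_entry = entry;
    return entry;
}

/* … call site, replacing the SCCalloc and the field copies … */
    if (DCERPCUuidEntryAdd(dcerpc) == NULL) {
        SCLogDebug("UUID Entry is NULL\n");
        SCReturnUInt(0);
    }
/* … unchanged: UNITTESTS printUUID, counters, SCReturnUInt … */
```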
@@ -293,17 +295,15 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
     if (!(dcerpc_state->dcerpc.dcerpchdr.type == REQUEST))
         goto end;
 
-    /* if any_frag is not enabled, we need to match only against the first
-     * fragment */
-    if (!dce_data->any_frag &&
-        !(dcerpc_state->dcerpc.dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) {
-        /* any_frag has not been set, and apparently it's not the first fragment */
-        goto end;
-    }
-
     TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.accepted_uuid_list, next) {
+        SCLogDebug("item %p", item);
         ret = 1;
 
+        /* if any_frag is not enabled, we need to match only against the first
+         * fragment */
+        if (!dce_data->any_frag && !(item->flags & DCERPC_UUID_ENTRY_FLAG_FF))
+            continue;
+
         /* if the uuid has been rejected(item->result == 1), we skip to the
          * next uuid */
         if (item->result != 0)
@@ -331,9 +331,9 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
             goto end;
     }
 
- end:
+end:
     SCMutexUnlock(&f->m);
-    return ret;
+    SCReturnInt(ret);
 }
 
 /**
diff --git a/src/detect-dce-opnum.c b/src/detect-dce-opnum.c
index 12fed22619..5aa5ed2b85 100644
--- a/src/detect-dce-opnum.c
+++ b/src/detect-dce-opnum.c
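Review bot: `ret = 1;` is still assigned before the new `continue`, so when the last entry in accepted_uuid_list is skipped for lacking DCERPC_UUID_ENTRY_FLAG_FF the loop exits with ret == 1 and, unless the code after the hunk resets it, the keyword reports a match against an interface it never compared; the pre-existing `item->result != 0` skip has the same shape, and this commit makes the skip path far more common since every non-first-fragment entry now takes it. Moving `ret = 1;` below both skip checks (the body of the second one is outside the hunk) keeps a skipped entry from counting as a match. The remainder of the loop body is outside this hunk and the `end:` label is in the following one, so I cannot see whether ret is reset elsewhere.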
@@ -263,27 +263,32 @@ static inline DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
 int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
                         uint8_t flags, void *state, Signature *s, SigMatch *m)
 {
+    SCEnter();
+
     DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m->ctx;
     DetectDceOpnumRange *dor = dce_data->range;
+
     DCERPCState *dcerpc_state = (DCERPCState *)state;
     if (dcerpc_state == NULL) {
         SCLogDebug("No DCERPCState for the flow");
-        return 0;
+        SCReturnInt(0);
     }
 
     for ( ; dor != NULL; dor = dor->next) {
         if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
-            if (dor->range1 == dcerpc_state->dcerpc.dcerpcrequest.opnum)
-                return 1;
+            if (dor->range1 == dcerpc_state->dcerpc.dcerpcrequest.opnum) {
+                SCReturnInt(1);
+            }
         } else {
             if (dor->range1 <= dcerpc_state->dcerpc.dcerpcrequest.opnum &&
-                dor->range2 >= dcerpc_state->dcerpc.dcerpcrequest.opnum) {
-                return 1;
+                dor->range2 >= dcerpc_state->dcerpc.dcerpcrequest.opnum)
+            {
+                SCReturnInt(1);
             }
         }
     }
 
-    return 0;
+    SCReturnInt(0);
 }
 
 /**
diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c
index 77cb0165ad..f39f90b1e4 100644
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@@ -90,17 +90,20 @@ void DetectDceStubDataRegister(void)
 int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
                            uint8_t flags, void *state, Signature *s, SigMatch *m)
 {
+    SCEnter();
+
     DCERPCState *dcerpc_state = (DCERPCState *)state;
     if (dcerpc_state == NULL) {
         SCLogDebug("No DCERPCState for the flow");
-        return 0;
+        SCReturnInt(0);
     }
 
     if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL ||
-        dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL) {
-        return 1;
+        dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL)
+    {
+        SCReturnInt(1);
     } else {
-        return 0;
+        SCReturnInt(0);
     }
 }
 
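Review bot: `dcerpc_state->dcerpc.dcerpcrequest.opnum` is read in both branches of the loop without the flow lock, whereas DetectDceIfaceMatch in this same commit brackets its walk of the state with `SCMutexLock(&f->m);` / `SCMutexUnlock(&f->m);`; if that lock is what keeps the parser thread from updating the state under the detect thread, the opnum reads here and the stub_data_buffer reads in DetectDceStubDataMatch below are unsynchronized. Reading the value once under the lock into a local and then looping over the ranges, `SCMutexLock(&f->m); opnum = dcerpc_state->dcerpc.dcerpcrequest.opnum; SCMutexUnlock(&f->m);`, would make the three keywords consistent without having to release the lock before every SCReturnInt. The DCERPCState definition is not in this diff, so whether the lock is actually the guard for it is inferred from the iface keyword's usage only.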
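Review bot: The if/else with two SCReturnInt calls in DetectDceStubDataMatch can collapse into a single `SCReturnInt(dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL || dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL);`, which also removes the brace-on-its-own-line layout the new side introduces for a plain if. Nothing in the function consults the `flags` argument, so the keyword fires on stub data in either direction; a one-line comment such as `/* direction-agnostic: request or response stub data both match */` above the condition would spare the next reader a trip to the parser to confirm that.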