From 0da4dc0deab8ae40f2f4476f68faa62a692a0350 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Sat, 2 May 2020 20:17:35 +0200
Subject: [PATCH] enip: use status for probing parser

---
 src/app-layer-enip-common.h |  2 ++
 src/app-layer-enip.c        | 19 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/app-layer-enip-common.h b/src/app-layer-enip-common.h
index 8522f65e1d..db58587d3d 100644
--- a/src/app-layer-enip-common.h
+++ b/src/app-layer-enip-common.h
@@ -56,6 +56,8 @@
 #define INVALID_SESSION 0x0064
 #define INVALID_LENGTH 0x0065
 #define UNSUPPORTED_PROT_REV 0x0069
+//Found in wireshark
+#define ENCAP_HEADER_ERROR 0x006A
 
 #define MAX_CIP_SERVICE 127
 #define MAX_CIP_CLASS 65535
diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 52c6c5dab3..aace890a8e 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -380,6 +380,7 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         return ALPROTO_UNKNOWN;
     }
     uint16_t cmd;
+    uint32_t status;
     int ret = ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
                                 (const uint8_t *) (input));
     if(ret < 0) {
@@ -397,7 +398,23 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
         case SEND_UNIT_DATA:
         case INDICATE_STATUS:
         case CANCEL:
-            return ALPROTO_ENIP;
+            ret = ByteExtractUint32(&status, BYTE_LITTLE_ENDIAN,
+                    sizeof(uint32_t),
+                    (const uint8_t *) (input + 8));
+            if(ret < 0) {
+                return ALPROTO_FAILED;
+            }
+            switch(status) {
+                case SUCCESS:
+                case INVALID_CMD:
+                case NO_RESOURCES:
+                case INCORRECT_DATA:
+                case INVALID_SESSION:
+                case INVALID_LENGTH:
+                case UNSUPPORTED_PROT_REV:
+                case ENCAP_HEADER_ERROR:
+                    return ALPROTO_ENIP;
+            }
     }
     return ALPROTO_FAILED;
 }
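Review bot: The new `ByteExtractUint32(&status, ..., input + 8)` in ENIPProbingParser reads bytes 8–11 of the encapsulation header, and its bounds safety rests entirely on the length guard that precedes the hunk (only its `return ALPROTO_UNKNOWN;` is visible here), so that guard must keep requiring at least the full header; a short comment at the read, `/* status field at offset 8 of the encapsulation header; in bounds because of the header-length check above */`, would make that dependency explicit for the next person who touches the guard. The bare `8` is a magic offset; if the encapsulation header struct in app-layer-enip-common.h has a status member, `offsetof(ENIPEncapHdr, status)` (hedged: name as I recall it, verify) would tie the read to the struct layout instead. The inner `switch(status)` has no `default:`, so an unrecognized status value silently falls out of both switches to `return ALPROTO_FAILED;`; a `default: return ALPROTO_FAILED;` inside it would make the rejection of unknown status codes explicit and keep -Wswitch-default quiet. ENIPProbingParser starts before the first hunk; its body ends at the closing brace of the second.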