detect: remove DCERPC mask logic

Added nothing over alproto check already in place.
1 year ago · 3b8ed937d7
parent 44a8bf463e
commit 3b8ed937d7
3 changed files with 1 additions and 37 deletions
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@ -949,9 +949,6 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
    if (s->mask & SIG_MASK_REQUIRE_FLAGS_UNUSUAL) {
        jb_append_string(ctx.js, "tcp_flags_unusual");
    }
-    if (s->mask & SIG_MASK_REQUIRE_DCERPC) {
-        jb_append_string(ctx.js, "dcerpc");
-    }
    if (s->mask & SIG_MASK_REQUIRE_ENGINE_EVENT) {
        jb_append_string(ctx.js, "engine_event");
    }
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@ -434,44 +434,12 @@ PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto,
        SCLogDebug("packet has flow");
        (*mask) |= SIG_MASK_REQUIRE_FLOW;
    }
-
-    if (alproto == ALPROTO_SMB || alproto == ALPROTO_DCERPC) {
-        SCLogDebug("packet will be inspected for DCERPC");
-        (*mask) |= SIG_MASK_REQUIRE_DCERPC;
-    }
-}
-
-static int g_dce_generic_list_id = -1;
-static int g_dce_stub_data_buffer_id = -1;
-
-static bool SignatureNeedsDCERPCMask(const Signature *s)
-{
-    if (g_dce_generic_list_id == -1) {
-        g_dce_generic_list_id = DetectBufferTypeGetByName("dce_generic");
-        SCLogDebug("g_dce_generic_list_id %d", g_dce_generic_list_id);
-    }
-    if (g_dce_stub_data_buffer_id == -1) {
-        g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
-        SCLogDebug("g_dce_stub_data_buffer_id %d", g_dce_stub_data_buffer_id);
-    }
-
-    if (DetectBufferIsPresent(s, g_dce_generic_list_id) ||
-            DetectBufferIsPresent(s, g_dce_stub_data_buffer_id)) {
-        return true;
-    }
-
-    return false;
 }

 static int SignatureCreateMask(Signature *s)
 {
    SCEnter();

-    if (SignatureNeedsDCERPCMask(s)) {
-        s->mask |= SIG_MASK_REQUIRE_DCERPC;
-        SCLogDebug("sig requires DCERPC");
-    }
-
    if (s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
        s->mask |= SIG_MASK_REQUIRE_PAYLOAD;
        SCLogDebug("sig requires payload");
--- a/src/detect.h
+++ b/src/detect.h
@ -298,8 +298,7 @@ typedef struct DetectPort_ {
 #define SIG_MASK_REQUIRE_FLAGS_INITDEINIT   BIT_U8(2)    /* SYN, FIN, RST */
 #define SIG_MASK_REQUIRE_FLAGS_UNUSUAL      BIT_U8(3)    /* URG, ECN, CWR */
 #define SIG_MASK_REQUIRE_NO_PAYLOAD         BIT_U8(4)
-#define SIG_MASK_REQUIRE_DCERPC             BIT_U8(5)    /* require either SMB+DCE or raw DCE */
-// vacancy
+// vacancy 2x
 #define SIG_MASK_REQUIRE_ENGINE_EVENT       BIT_U8(7)

 /* for now a uint8_t is enough */