dce rpc stub data held in separate buffers for request and response pdus

15 years ago · 98433f407c
parent 31261e7583
commit 98433f407c
5 changed files with 1439 additions and 12 deletions
--- a/src/app-layer-dcerpc-common.h
+++ b/src/app-layer-dcerpc-common.h
@ -133,16 +133,35 @@ typedef struct DCERPCBindBindAck_ {

 typedef struct DCERPCRequest_ {
    uint16_t opnum;
-    uint8_t *stub_data;
+    /* holds the stub data for the request */
+    uint8_t *stub_data_buffer;
+    /* length of the above buffer */
+    uint32_t stub_data_buffer_len;
+    /* used by the dce preproc to indicate fresh entry in the stub data buffer.
+     * The dce_stub_data keyword would reset it, once it has processed the
+     * above buffer */
+    uint8_t stub_data_processed;
 } DCERPCRequest;

+typedef struct DCERPCResponse_ {
+    /* holds the stub data for the response */
+    uint8_t *stub_data_buffer;
+    /* length of the above buffer */
+    uint32_t stub_data_buffer_len;
+    /* used by the dce preproc to indicate fresh entry in the stub data buffer.
+     * The dce_stub_data keyword would reset it, once it has processed the
+     * above buffer */
+    uint8_t stub_data_processed;
+} DCERPCResponse;
+
 typedef struct DCERPC_ {
    DCERPCHdr dcerpchdr;
    DCERPCBindBindAck dcerpcbindbindack;
    DCERPCRequest dcerpcrequest;
+    DCERPCResponse dcerpcresponse;
    uint16_t bytesprocessed;
    uint8_t pad;
-    uint8_t padleft;
+    uint16_t padleft;
    uint16_t transaction_id;
 } DCERPC;

--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
--- a/src/detect-dce-stub-data.c
+++ b/src/detect-dce-stub-data.c
@ -93,8 +93,20 @@ int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *
        return 0;
    }

-    if (dcerpc_state->dcerpc.dcerpcrequest.stub_data == NULL)
-        return 0;
+    if (flags & STREAM_TOSERVER) {
+        if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer == NULL ||
+            dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed == 1) {
+            return 0;
+        }
+        dcerpc_state->dcerpc.dcerpcrequest.stub_data_processed = 1;
+    } else {
+        if (dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer == NULL ||
+            dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed == 1) {
+            return 0;
+        }
+        dcerpc_state->dcerpc.dcerpcresponse.stub_data_processed = 1;
+    }
+

    return 1;
 }
--- a/src/util-error.c
+++ b/src/util-error.c
@ -187,6 +187,7 @@ const char * SCErrorToString(SCError err)
        CASE_CODE (SC_ERR_ERF_DAG_STREAM_SET_FAILED);
        CASE_CODE (SC_ERR_ERF_DAG_STREAM_READ_FAILED);
        CASE_CODE (SC_WARN_ERF_DAG_REC_LEN_CHANGED);
+        CASE_CODE (SC_ERR_DCERPC);

        default:
            return "UNKNOWN_ERROR";
--- a/src/util-error.h
+++ b/src/util-error.h
@ -198,7 +198,7 @@ typedef enum {
    SC_ERR_DAG_REQUIRED,
    SC_ERR_DAG_NOSUPPORT,           /**< no ERF/DAG support compiled in */
    SC_ERR_FATAL,
-
+    SC_ERR_DCERPC,
 } SCError;

 const char *SCErrorToString(SCError);