detect/dcerpc: apply dcerpc to smb as well

So 'alert dcerpc' also matches if the DCERPC is over SMB. Explicitly refuse smb keywords for the 'dcerpc' app proto setting: `alert dceprc ... smb.share; ...` is rejected. Remove a now useless special case in the stateless rule processing matching for dcerpc/smb. Bug: #5208.
3 years ago · a83f02d4cd
parent e692530021
commit a83f02d4cd
3 changed files with 13 additions and 9 deletions
--- a/src/app-layer-protos.h
+++ b/src/app-layer-protos.h
@ -91,6 +91,8 @@ static inline bool AppProtoEquals(AppProto sigproto, AppProto alproto)
        case ALPROTO_HTTP:
            return (alproto == ALPROTO_HTTP1) || (alproto == ALPROTO_HTTP2) ||
                   (alproto == ALPROTO_HTTP);
+        case ALPROTO_DCERPC:
+            return (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB);
    }
    return (sigproto == alproto);
 }
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -1495,6 +1495,15 @@ int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
        return -1;
    }

+    /* since AppProtoEquals is quite permissive wrt dcerpc and smb, make sure
+     * we refuse `alert dcerpc ... smb.share; content...` explicitly. */
+    if (alproto == ALPROTO_SMB && s->alproto == ALPROTO_DCERPC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+                "can't set rule app proto to %s: already set to %s", AppProtoToString(alproto),
+                AppProtoToString(s->alproto));
+        return -1;
+    }
+
    if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, alproto)) {
        if (AppProtoEquals(alproto, s->alproto)) {
            // happens if alproto = HTTP_ANY and s->alproto = HTTP1
--- a/src/detect.c
+++ b/src/detect.c
@ -778,15 +778,8 @@ static inline void DetectRulePacketRules(
        /* if the sig has alproto and the session as well they should match */
        if (likely(sflags & SIG_FLAG_APPLAYER)) {
            if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
-                if (s->alproto == ALPROTO_DCERPC) {
-                    if (scratch->alproto != ALPROTO_SMB) {
-                        SCLogDebug("DCERPC sig, alproto not SMB");
-                        goto next;
-                    }
-                } else {
-                    SCLogDebug("alproto mismatch");
-                    goto next;
-                }
+                SCLogDebug("alproto mismatch");
+                goto next;
            }
        }