diff --git a/src/app-layer-protos.h b/src/app-layer-protos.h
index 170a735b99..3bc023c599 100644
--- a/src/app-layer-protos.h
+++ b/src/app-layer-protos.h
@@ -91,6 +91,8 @@ static inline bool AppProtoEquals(AppProto sigproto, AppProto alproto)
         case ALPROTO_HTTP:
             return (alproto == ALPROTO_HTTP1) || (alproto == ALPROTO_HTTP2) ||
                    (alproto == ALPROTO_HTTP);
+        case ALPROTO_DCERPC:
+            return (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB);
     }
     return (sigproto == alproto);
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index b1b1e7cb8f..f43736ce3e 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1495,6 +1495,15 @@ int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
         return -1;
     }
+    /* since AppProtoEquals is quite permissive wrt dcerpc and smb, make sure
+     * we refuse `alert dcerpc ... smb.share; content...` explicitly. */
+    if (alproto == ALPROTO_SMB && s->alproto == ALPROTO_DCERPC) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
+                "can't set rule app proto to %s: already set to %s", AppProtoToString(alproto),
+                AppProtoToString(s->alproto));
+        return -1;
+    }
+
     if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, alproto)) {
         if (AppProtoEquals(alproto, s->alproto)) {
             // happens if alproto = HTTP_ANY and s->alproto = HTTP1
diff --git a/src/detect.c b/src/detect.c
index 9916134864..2888fb3636 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -778,15 +778,8 @@ static inline void DetectRulePacketRules(
         /* if the sig has alproto and the session as well they should match */
         if (likely(sflags & SIG_FLAG_APPLAYER)) {
             if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, scratch->alproto)) {
-                if (s->alproto == ALPROTO_DCERPC) {
-                    if (scratch->alproto != ALPROTO_SMB) {
-                        SCLogDebug("DCERPC sig, alproto not SMB");
-                        goto next;
-                    }
-                } else {
-                    SCLogDebug("alproto mismatch");
-                    goto next;
-                }
+                SCLogDebug("alproto mismatch");
+                goto next;
             }
         }
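Review bot: The new `case ALPROTO_DCERPC:` makes AppProtoEquals asymmetric — AppProtoEquals(ALPROTO_DCERPC, ALPROTO_SMB) is now true while AppProtoEquals(ALPROTO_SMB, ALPROTO_DCERPC) still falls through to the plain `sigproto == alproto` test — and nothing at the call site or in the function's header (outside the hunk) records that the first argument must be the rule's proto and the second the session's. Because this is an inline helper used by more than the packet-rule path this commit simplifies, every caller now treats a dcerpc rule as applicable to any SMB session, including SMB sessions that never carry a DCERPC bind; that is presumably the intended model (DCERPC carried over SMB named pipes), but any caller that relied on the helper as a strict identity test should be checked. I would add above the new case: `/* dcerpc rules also apply to SMB sessions (DCERPC over SMB). Not symmetric: sigproto must be the rule's proto, alproto the session's. */`. The switch still has no `default:`; falling out to the final equality return is correct, but `default: break;` would make that intent explicit.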
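Review bot: The added guard in DetectSignatureSetAppProto only refuses the dcerpc-then-smb direction; the reverse, a rule already set to SMB that then gets a dcerpc keyword, is not refused here and reaches the `if (AppProtoEquals(alproto, s->alproto))` branch whose body lies outside the hunk, so whether it is accepted cannot be confirmed from this diff, though the HTTP_ANY/HTTP1 comment suggests it keeps the more specific proto. The new comment should say that this one-sided check is deliberate so a later reader does not "fix" it into a symmetric refusal: `/* only this direction is refused; an smb rule using dcerpc keywords is meant to keep ALPROTO_SMB via the reverse AppProtoEquals check below */`. Placing the guard before the generic AppProtoEquals check is required, since AppProtoEquals(ALPROTO_DCERPC, ALPROTO_SMB) would otherwise accept the conflicting keyword silently; the comment could state that ordering dependency in one clause as well.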
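Review bot: The context comment left above the simplified check, `/* if the sig has alproto and the session as well they should match */`, is now misleading at the one place where it matters: "match" is AppProtoEquals, which accepts HTTP1/HTTP2 for an http rule and SMB for a dcerpc rule, and the removed branch was the only thing that made the dcerpc-on-SMB case visible at this call site. Suggest rewording it to `/* sig alproto must AppProtoEquals() the session alproto (http also matches HTTP1/2, dcerpc also matches SMB) */`. The dedicated "DCERPC sig, alproto not SMB" debug line is gone, so a dcerpc rule skipped on a non-SMB flow now only logs "alproto mismatch"; that is acceptable but worth knowing when debugging rule selection. DetectRulePacketRules begins and continues outside the hunk.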