dcerpc: validate signature with dcerpc keywords

so that they do not use another protocol's keywords
pull/5346/head
Philippe Antoine 5 years ago committed by Victor Julien
parent d509a78074
commit c06d8f2463

@ -181,6 +181,7 @@ static int DetectDceIfaceSetup(DetectEngineCtx *de_ctx, Signature *s, const char
sm->ctx = did;
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
return 0;
}
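Review bot: The `s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;` assignment carries no comment explaining why the keyword only records a flag instead of checking the rule's protocol on the spot, and the same bare line appears in the DetectDceOpnumSetup and DetectDceStubDataSetup hunks. Judging from the SigValidate hunk, the check is deferred because these keywords are accepted for both DCERPC and SMB rules. A one-line comment above each assignment would make that contract explicit, for example `/* dce keywords are valid for DCERPC and SMB; the protocol is checked in SigValidate() */`. All three setup functions start outside their hunks, so any earlier protocol handling in them is not visible here.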

@ -154,6 +154,7 @@ static int DetectDceOpnumSetup(DetectEngineCtx *de_ctx, Signature *s, const char
sm->ctx = (void *)dod;
SigMatchAppendSMToList(s, sm, g_dce_generic_list_id);
s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
return 0;
}

@ -178,6 +178,8 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, const c
}
if (DetectBufferSetActiveList(s, g_dce_stub_data_buffer_id) < 0)
return -1;
s->init_data->init_flags |= SIG_FLAG_INIT_DCERPC;
return 0;
}

@ -1857,7 +1857,14 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
AppLayerHtpNeedFileInspection();
}
}
if (s->init_data->init_flags & SIG_FLAG_INIT_DCERPC) {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC &&
s->alproto != ALPROTO_SMB) {
SCLogError(SC_ERR_NO_FILES_FOR_PROTOCOL, "protocol %s doesn't support DCERPC keyword",
AppProtoToString(s->alproto));
SCReturnInt(0);
}
}
SCReturnInt(1);
}
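Review bot: The rejection path logs with `SC_ERR_NO_FILES_FOR_PROTOCOL`, an error code whose name refers to file inspection rather than a keyword/protocol mismatch, so anyone triaging rule-load failures by code will misfile these. A rule that is dropped at load time is a detection gap, so the reason should be easy to locate. Use a code that describes an invalid rule, such as `SC_ERR_INVALID_SIGNATURE` if that matches the project's conventions, and consider naming the offending keyword in the message. The +/- markers are lost on this page, but the block testing SIG_FLAG_INIT_DCERPC has to be the added part because the flag is introduced by this commit. SigValidate itself begins outside the hunk.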

@ -263,6 +263,7 @@ typedef struct DetectPort_ {
#define SIG_FLAG_INIT_NEED_FLUSH BIT_U32(7)
#define SIG_FLAG_INIT_PRIO_EXPLICT BIT_U32(8) /**< priority is explicitly set by the priority keyword */
#define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
#define SIG_FLAG_INIT_DCERPC BIT_U32(10) /**< signature has DCERPC keyword */
/* signature mask flags */
/** \note: additions should be added to the rule analyzer as well */
