aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Store the first frag flag in the uuid as the pfc_flags field is overwritten. Part of fixing #206.

Browse Source
remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent 14a12f5fb7
commit f1ea68e316
5 changed files with 92 additions and 63 deletions
Show Stats Download Patch File Download Diff File

4
src/app-layer-dcerpc-common.h
Unescape Escape View File

@ -131,6 +131,9 @@ typedef struct DCERPCHdrUdp_ {
#define DCERPC_UDP_HDR_LEN 80
#define DCERPC_UUID_ENTRY_FLAG_FF 0x0001 /**< FIRST flag set on the packet
that contained this uuid entry */
typedef struct DCERPCUuidEntry_ {
uint16_t ctxid;
uint16_t internal_id;
@ -138,6 +141,7 @@ typedef struct DCERPCUuidEntry_ {
uint8_t uuid[16];
uint16_t version;
uint16_t versionminor;
uint16_t flags; /**< DCERPC_UUID_ENTRY_FLAG_* flags */
TAILQ_ENTRY(DCERPCUuidEntry_) next;
} DCERPCUuidEntry;

101
src/app-layer-dcerpc.c
Unescape Escape View File

@ -239,33 +239,42 @@ static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t
dcerpc->dcerpcbindbindack.versionminor |= *(p + 23) << 8;
//if (dcerpc->dcerpcbindbindack.ctxid == dcerpc->dcerpcbindbindack.numctxitems
// - dcerpc->dcerpcbindbindack.numctxitemsleft) {
dcerpc->dcerpcbindbindack.uuid_entry = (DCERPCUuidEntry *)
SCCalloc(1, sizeof(DCERPCUuidEntry));
dcerpc->dcerpcbindbindack.uuid_entry = (DCERPCUuidEntry *)SCCalloc(1, sizeof(DCERPCUuidEntry));
if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
SCLogDebug("UUID Entry is NULL");
SCReturnUInt(0);
} else {
dcerpc->dcerpcbindbindack.uuid_entry->internal_id =
dcerpc->dcerpcbindbindack.uuid_internal_id++;
memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
dcerpc->dcerpcbindbindack.uuid,
sizeof(dcerpc->dcerpcbindbindack.uuid));
dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
dcerpc->dcerpcbindbindack.uuid_entry,
next);
}
dcerpc->dcerpcbindbindack.uuid_entry->internal_id = dcerpc->dcerpcbindbindack.uuid_internal_id++;
memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
dcerpc->dcerpcbindbindack.uuid,
sizeof(dcerpc->dcerpcbindbindack.uuid));
dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
/* store the first frag flag in the uuid as pfc_flags will
* be overwritten by new packets. */
if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
dcerpc->dcerpcbindbindack.uuid_entry->flags |= DCERPC_UUID_ENTRY_FLAG_FF;
}
TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
dcerpc->dcerpcbindbindack.uuid_entry,
next);
#ifdef UNITTESTS
if (RunmodeIsUnittests()) {
printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry);
}
#endif
dcerpc->dcerpcbindbindack.numctxitemsleft--;
dcerpc->bytesprocessed += (44);
dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
SCReturnUInt(44U);
if (RunmodeIsUnittests()) {
printUUID("BIND", dcerpc->dcerpcbindbindack.uuid_entry);
}
#endif
dcerpc->dcerpcbindbindack.numctxitemsleft--;
dcerpc->bytesprocessed += (44);
dcerpc->dcerpcbindbindack.ctxbytesprocessed += (44);
SCReturnUInt(44U);
//} else {
// SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
// dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);
@ -455,28 +464,36 @@ static uint32_t DCERPCParseBINDCTXItem(DCERPC *dcerpc, uint8_t *input, uint32_t
if (dcerpc->dcerpcbindbindack.uuid_entry == NULL) {
SCLogDebug("UUID Entry is NULL\n");
SCReturnUInt(0);
} else {
dcerpc->dcerpcbindbindack.uuid_entry->internal_id =
dcerpc->dcerpcbindbindack.uuid_internal_id++;
memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
dcerpc->dcerpcbindbindack.uuid,
sizeof(dcerpc->dcerpcbindbindack.uuid));
dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
dcerpc->dcerpcbindbindack.uuid_entry,
next);
}
dcerpc->dcerpcbindbindack.uuid_entry->internal_id =
dcerpc->dcerpcbindbindack.uuid_internal_id++;
memcpy(dcerpc->dcerpcbindbindack.uuid_entry->uuid,
dcerpc->dcerpcbindbindack.uuid,
sizeof(dcerpc->dcerpcbindbindack.uuid));
dcerpc->dcerpcbindbindack.uuid_entry->ctxid = dcerpc->dcerpcbindbindack.ctxid;
dcerpc->dcerpcbindbindack.uuid_entry->version = dcerpc->dcerpcbindbindack.version;
dcerpc->dcerpcbindbindack.uuid_entry->versionminor = dcerpc->dcerpcbindbindack.versionminor;
/* store the first frag flag in the uuid as pfc_flags will
* be overwritten by new packets. */
if (dcerpc->dcerpchdr.pfc_flags & PFC_FIRST_FRAG) {
dcerpc->dcerpcbindbindack.uuid_entry->flags |= DCERPC_UUID_ENTRY_FLAG_FF;
}
TAILQ_INSERT_HEAD(&dcerpc->dcerpcbindbindack.uuid_list,
dcerpc->dcerpcbindbindack.uuid_entry,
next);
#ifdef UNITTESTS
if (RunmodeIsUnittests()) {
printUUID("BINDACK", dcerpc->dcerpcbindbindack.uuid_entry);
}
#endif
dcerpc->dcerpcbindbindack.numctxitemsleft--;
dcerpc->bytesprocessed += (p - input);
dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
SCReturnUInt((uint32_t)(p - input));
if (RunmodeIsUnittests()) {
printUUID("BINDACK", dcerpc->dcerpcbindbindack.uuid_entry);
}
#endif
dcerpc->dcerpcbindbindack.numctxitemsleft--;
dcerpc->bytesprocessed += (p - input);
dcerpc->dcerpcbindbindack.ctxbytesprocessed += (p - input);
SCReturnUInt((uint32_t)(p - input));
//} else {
// SCLogDebug("ctxitem %u, expected %u\n", dcerpc->dcerpcbindbindack.ctxid,
// dcerpc->dcerpcbindbindack.numctxitems - dcerpc->dcerpcbindbindack.numctxitemsleft);

22
src/detect-dce-iface.c
Unescape Escape View File

@ -274,6 +274,8 @@ static inline int DetectDceIfaceMatchIfaceVersion(uint16_t version,
int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
int ret = 0;
DCERPCUuidEntry *item = NULL;
int i = 0;
@ -281,7 +283,7 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
DCERPCState *dcerpc_state = (DCERPCState *)state;
if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow");
return 0;
SCReturnInt(0);
}
SCMutexLock(&f->m);
@ -293,17 +295,15 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
if (!(dcerpc_state->dcerpc.dcerpchdr.type == REQUEST))
goto end;
/* if any_frag is not enabled, we need to match only against the first
* fragment */
if (!dce_data->any_frag &&
!(dcerpc_state->dcerpc.dcerpchdr.pfc_flags & PFC_FIRST_FRAG)) {
/* any_frag has not been set, and apparently it's not the first fragment */
goto end;
}
TAILQ_FOREACH(item, &dcerpc_state->dcerpc.dcerpcbindbindack.accepted_uuid_list, next) {
SCLogDebug("item %p", item);
ret = 1;
/* if any_frag is not enabled, we need to match only against the first
* fragment */
if (!dce_data->any_frag && !(item->flags & DCERPC_UUID_ENTRY_FLAG_FF))
continue;
/* if the uuid has been rejected(item->result == 1), we skip to the
* next uuid */
if (item->result != 0)
@ -331,9 +331,9 @@ int DetectDceIfaceMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
goto end;
}
end:
end:
SCMutexUnlock(&f->m);
return ret;
SCReturnInt(ret);
}
/**

17
src/detect-dce-opnum.c
Unescape Escape View File

@ -263,27 +263,32 @@ static inline DetectDceOpnumData *DetectDceOpnumArgParse(const char *arg)
int DetectDceOpnumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
DetectDceOpnumData *dce_data = (DetectDceOpnumData *)m->ctx;
DetectDceOpnumRange *dor = dce_data->range;
DCERPCState *dcerpc_state = (DCERPCState *)state;
if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow");
return 0;
SCReturnInt(0);
}
for ( ; dor != NULL; dor = dor->next) {
if (dor->range2 == DCE_OPNUM_RANGE_UNINITIALIZED) {
if (dor->range1 == dcerpc_state->dcerpc.dcerpcrequest.opnum)
return 1;
if (dor->range1 == dcerpc_state->dcerpc.dcerpcrequest.opnum) {
SCReturnInt(1);
}
} else {
if (dor->range1 <= dcerpc_state->dcerpc.dcerpcrequest.opnum &&
dor->range2 >= dcerpc_state->dcerpc.dcerpcrequest.opnum) {
return 1;
dor->range2 >= dcerpc_state->dcerpc.dcerpcrequest.opnum)
{
SCReturnInt(1);
}
}
}
return 0;
SCReturnInt(0);
}
/**

11
src/detect-dce-stub-data.c
Unescape Escape View File

@ -90,17 +90,20 @@ void DetectDceStubDataRegister(void)
int DetectDceStubDataMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
DCERPCState *dcerpc_state = (DCERPCState *)state;
if (dcerpc_state == NULL) {
SCLogDebug("No DCERPCState for the flow");
return 0;
SCReturnInt(0);
}
if (dcerpc_state->dcerpc.dcerpcrequest.stub_data_buffer != NULL ||
dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL) {
return 1;
dcerpc_state->dcerpc.dcerpcresponse.stub_data_buffer != NULL)
{
SCReturnInt(1);
} else {
return 0;
SCReturnInt(0);
}
}

Write Preview
Loading…
Cancel
Save