aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

dcerpc/udp: improve detection

Browse Source 
Lately, Wireguard proto starting w pattern |04 00| is misdetected as
DCERPC/UDP which also starts with the same pattern, add more checks
to make sure that it is the best guess for packet to be dcerpc/udp.
pull/5891/head
Shivani Bhardwaj 5 years ago committed by Victor Julien
parent 3641f1b522
commit f967a49104
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File

5
rust/src/dcerpc/dcerpc_udp.rs
Unescape Escape View File

@ -294,7 +294,10 @@ fn probe(input: &[u8]) -> (bool, bool) {
match parser::parse_dcerpc_udp_header(input) {
Ok((_, hdr)) => {
let is_request = hdr.pkt_type == 0x00;
let is_dcerpc = hdr.rpc_vers == 0x04;
let is_dcerpc = hdr.rpc_vers == 0x04 &&
(hdr.flags2 & 0xfc == 0) &&
(hdr.drep[0] & 0xee == 0) &&
(hdr.drep[1] <= 3);
return (is_dcerpc, is_request);
},
Err(_) => (false, false),

Write Preview
Loading…
Cancel
Save