Next/20181218/v8 #3590

Merged
merged 8 commits into from Dec 20, 2018
proto/detect: workaround dns misdetected as dcerpc
The DCERPC UDP detection would misfire on DNS with transaction
ID 0x0400. This would happen as the protocol detection engine
gives preference to pattern based detection over probing parsers for
performance reasons.

This hack/workaround fixes this specific case by still running the
probing parser if DCERPC has been detected on UDP. The probing
parser result will take precedence.

Bug #2736.
victorjulien committed Dec 19, 2018
commit 8357ef3f8ffc7d99ef6571350724160de356158b
14 changes: 13 additions & 1 deletion src/app-layer-detect-proto.c
@@ -1361,6 +1361,7 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
(direction & STREAM_TOSERVER) ? "toserver" : "toclient");

AppProto alproto = ALPROTO_UNKNOWN;
AppProto pm_alproto = ALPROTO_UNKNOWN;

if (!FLOW_IS_PM_DONE(f, direction)) {
AppProto pm_results[ALPROTO_MAX];
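Review bot: `pm_alproto` is declared without a comment saying what it holds, and since it only becomes meaningful on the DCERPC/UDP fall-through path in the next hunk, a reader has to trace two later hunks to see why a second AppProto is needed; a one-liner next to the declaration such as `/* pattern-matcher verdict, kept as fallback when probing parsers are also run */` would make its purpose clear at the point of definition.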
@@ -1371,7 +1372,15 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
pm_results);
if (pm_matches > 0) {
alproto = pm_results[0];
goto end;

/* HACK: if detected protocol is dcerpc/udp, we run PP as well
* to avoid misdetecting DNS as DCERPC. */
if (!(ipproto == IPPROTO_UDP && alproto == ALPROTO_DCERPC))
goto end;

pm_alproto = alproto;

/* fall through */
}
}

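Review bot: the `/* fall through */` comment reads like a switch-case annotation although this is an if-block, and the HACK comment does not cite the bug or the trigger condition, so the hard-coded `ipproto == IPPROTO_UDP && alproto == ALPROTO_DCERPC` special case will be hard to find and remove later; suggest folding both into one comment such as `/* Bug #2736: DNS with transaction ID 0x0400 matches the DCERPC/UDP pattern, so also run the probing parsers and let their result win */`. Worth noting in that comment too that the extra probing-parser pass now runs on every flow the pattern matcher flags as DCERPC/UDP, which is the performance cost the commit message accepts.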
@@ -1388,6 +1397,9 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
}

end:
if (alproto == ALPROTO_UNKNOWN)
alproto = pm_alproto;

SCReturnUInt(alproto);
}

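Review bot: the fallback `if (alproto == ALPROTO_UNKNOWN) alproto = pm_alproto;` at `end:` is reached by every path, not only the DCERPC/UDP one, and is only harmless because `pm_alproto` stays ALPROTO_UNKNOWN on all the other paths; a short comment stating that the probing-parser result takes precedence and the pattern-matcher verdict is restored only when the parsers return nothing would make that invariant explicit, so a future early `goto end` that happens to set `pm_alproto` does not silently change detection results.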