Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Next/20181218/v8 #3590

merged 8 commits into from Dec 20, 2018

proto/detect: workaround dns misdetected as dcerpc

The DCERPC UDP detection would misfire on DNS with transaction
ID 0x0400. This would happen as the protocol detection engine
gives preference to pattern based detection over probing parsers for
performance reasons.

This hack/workaround fixes this specific case by still running the
probing parser if DCERPC has been detected on UDP. The probing
parser result will take precedence.

Bug #2736.
  • Loading branch information...
victorjulien committed Dec 19, 2018
commit 8357ef3f8ffc7d99ef6571350724160de356158b
@@ -1361,6 +1361,7 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
(direction & STREAM_TOSERVER) ? "toserver" : "toclient");

AppProto alproto = ALPROTO_UNKNOWN;
AppProto pm_alproto = ALPROTO_UNKNOWN;

if (!FLOW_IS_PM_DONE(f, direction)) {
AppProto pm_results[ALPROTO_MAX];
@@ -1371,7 +1372,15 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,
if (pm_matches > 0) {
alproto = pm_results[0];
goto end;

/* HACK: if detected protocol is dcerpc/udp, we run PP as well
* to avoid misdetecting DNS as DCERPC. */
if (!(ipproto == IPPROTO_UDP && alproto == ALPROTO_DCERPC))
goto end;

pm_alproto = alproto;

/* fall through */

@@ -1388,6 +1397,9 @@ AppProto AppLayerProtoDetectGetProto(AppLayerProtoDetectThreadCtx *tctx,

if (alproto == ALPROTO_UNKNOWN)
alproto = pm_alproto;


ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.