protodetect/dcerpc: improve DCERPC UDP probing parser
Several additional checks are added to the probing parser to avoid false
detection of DNS as DCERPC

Ticket - 7111
ilya-bakhtin authored and catenacyber committed Jan 29, 2025
1 parent cfbf8fd commit fffefcf
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion rust/src/dcerpc/dcerpc_udp.rs
@@ -300,9 +300,11 @@ pub unsafe extern "C" fn rs_dcerpc_udp_get_tx_cnt(vtx: *mut std::os::raw::c_void
/// Probe input to see if it looks like DCERPC.
fn probe(input: &[u8]) -> (bool, bool) {
match parser::parse_dcerpc_udp_header(input) {
Ok((_, hdr)) => {
Ok((leftover_bytes, hdr)) => {
let is_request = hdr.pkt_type == 0x00;
let is_dcerpc = hdr.rpc_vers == 0x04 &&
hdr.fragnum == 0 &&
leftover_bytes.len() >= hdr.fraglen as usize &&
(hdr.flags2 & 0xfc == 0) &&
(hdr.drep[0] & 0xee == 0) &&
(hdr.drep[1] <= 3);
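Review bot: the two new conditions, `hdr.fragnum == 0 &&` and `leftover_bytes.len() >= hdr.fraglen as usize &&`, land without a regression test, and the commit touches only `rust/src/dcerpc/dcerpc_udp.rs`; a unit test that feeds `probe()` the DNS datagram that was previously misdetected (ticket 7111) and asserts it is rejected, alongside one well-formed CL request that still yields `(true, true)`, would pin the fix against future changes to the header parser. Two points also deserve a short comment in the code: why `>=` rather than `==` is used against `fraglen` (trailing bytes after the fragment body are tolerated rather than treated as a mismatch), and that requiring `fragnum == 0` means a flow whose first observed datagram is a non-initial fragment will not be probed as DCERPC, which is a reasonable trade-off for a probing parser but should be stated where the check lives.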