DCE/RPC improvement to avoid false positives

author: Luca Deri <deri@ntop.org> 2021-01-29 16:23:18 +0100
committer: Luca Deri <deri@ntop.org> 2021-01-29 16:23:18 +0100
commit: bb74b903d0c93c0719cfa12641a9836d61296657 (patch)
tree: e398b4b6d7d4ef66420686ce26ef19b202a1f52c /src/lib/protocols/dcerpc.c
parent: aeeccee106064d17159789a0db5f218573ff8d79 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c
index 004351e14..cef0d9306 100644
--- a/src/lib/protocols/dcerpc.c
+++ b/src/lib/protocols/dcerpc.c
@@ -49,6 +49,8 @@ bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, struct ndp
 
 bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow)
 {
+  u_int16_t fragment_len;
+  
   if (packet->udp == NULL)
     return false;
   if (packet->payload_packet_len < 80)
@@ -64,6 +66,14 @@ bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flo
   if (packet->payload[5] > 3) /* invalid floating point type */
     return false;
 
+  if(packet->payload[4] == 0x10)
+    fragment_len = (packet->payload[75] << 8) + packet->payload[74]; /* Big endian */
+  else
+    fragment_len = (packet->payload[74] << 8) + packet->payload[75]; /* Little endian */
+
+  if(packet->payload_packet_len != (fragment_len+76 /* offset */ + 4 /* rest of the packet */))
+    return false; /* Too short or too long, bot RPC */
+  
   return true;
 }
author	Luca Deri <deri@ntop.org>	2021-01-29 16:23:18 +0100
committer	Luca Deri <deri@ntop.org>	2021-01-29 16:23:18 +0100
commit	bb74b903d0c93c0719cfa12641a9836d61296657 (patch)
tree	e398b4b6d7d4ef66420686ce26ef19b202a1f52c /src/lib/protocols/dcerpc.c
parent	aeeccee106064d17159789a0db5f218573ff8d79 (diff)