Bug #3615
closed
A patch could improve the ENIP probing parser
diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index 282294536..b9e3b32db 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -393,8 +393,24 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
SCLogDebug("length too small to be a ENIP header");
return ALPROTO_UNKNOWN;
}
-
- return ALPROTO_ENIP;
+ uint16_t cmd;
+ ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
+ (const uint8_t *) (input));
+ switch(cmd) {
+ //fallthrough
+ case NOP:
+ case LIST_SERVICES:
+ case LIST_IDENTITY:
+ case LIST_INTERFACES:
+ case REGISTER_SESSION:
+ case UNREGISTER_SESSION:
+ case SEND_RR_DATA:
+ case SEND_UNIT_DATA:
+ case INDICATE_STATUS:
+ case CANCEL:
+ return ALPROTO_ENIP;
+ }
+ return ALPROTO_FAILED;
}
/**
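Review bot: The return value of `ByteExtractUint16` at the top of the added block is discarded, and `cmd` is declared without an initializer, so if the extraction ever fails the `switch` reads an indeterminate value; `uint16_t cmd = 0;` together with `if (ByteExtractUint16(&cmd, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *)input) < 0) return ALPROTO_UNKNOWN;` keeps the probe sound even if the length check just above (its condition lies before the hunk) is later relaxed, assuming the helper signals failure with a negative return as I recall it does. The `//fallthrough` comment sits above a run of case labels with no statements between them, which is not a fallthrough a compiler would warn about, so it is misleading and can be dropped; a `default: return ALPROTO_FAILED;` inside the switch would make the rejection path explicit. Matching on the two-byte command code alone is a weak signature, since any payload whose first two little-endian bytes happen to equal one of the ten listed values is classified as ENIP; if the remaining encapsulation header fields are available at this point, validating them as well would tighten detection. ENIPProbingParser begins before the hunk.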
- Affected Versions 5.0.2 added
- Affected Versions deleted (
5.0.3)
- Status changed from New to In Review
- Assignee set to Philippe Antoine
- Target version changed from 6.0.0beta1 to 5.0.3
- Label Needs backport to 4.1 added
- Copied to Bug #3671: Protocol detection evasion by packet splitting added
- Target version changed from 5.0.3 to 6.0.0beta1
- Copied to Bug #3674: Protocol detection evasion by packet splitting added
- Status changed from In Review to Closed
- Label deleted (
Needs backport to 4.1)
- Copied to Bug #3689: Protocol detection evasion by packet splitting on enip/nfs added
- Private changed from Yes to No