From 9e2fb158ab33bdb9d65c4450606133de98111d55 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Wed, 26 Jul 2023 15:11:59 +0530
Subject: [PATCH] dcerpc: accept ALTER_CONTEXT as a valid request
So far, if only the starting request was a DCERPC request, it would be considered DCERPC traffic. Since ALTER_CONTEXT is a valid request type, it should be accepted too. Reported and patch proposed in the following Redmine ticket by InterNALXz.
Bug 6191
(cherry picked from commit 8770431986598f195d57e570287c40ee3dec0cfa)
---
 rust/src/dcerpc/dcerpc.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
index bf524a161061..f2a6a46eaf85 100644
--- a/rust/src/dcerpc/dcerpc.rs
+++ b/rust/src/dcerpc/dcerpc.rs
@@ -1338,7 +1338,7 @@ pub unsafe extern "C" fn rs_dcerpc_get_stub_data(
 fn probe(input: &[u8]) -> (bool, bool) {
 match parser::parse_dcerpc_header(input) {
 Ok((_, hdr)) => {
- let is_request = hdr.hdrtype == 0x00;
+ let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e;
 let is_dcerpc = hdr.rpc_vers == 0x05 && hdr.rpc_vers_minor == 0x00;
 return (is_dcerpc, is_request);
 },
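Review bot: The widened check in `probe` compares `hdr.hdrtype` against the bare values `0x00` and `0x0e`, so a reader needs the PDU type table at hand to see which packet types count as a request. A comment such as `// 0x00 = REQUEST, 0x0e = ALTER_CONTEXT` above `let is_request`, or named constants if the module already defines them, would make the accepted set explicit. Going by the commit message, this result feeds the decision whether a flow is treated as DCERPC at all, so any client PDU type missing from the list is traffic the engine may not inspect as DCERPC; the comment should state why only these two types are listed. The diffstat shows a single changed file, so no probe test for a header with type `0x0e` accompanies the fix, and adding one would guard this detection path against regression. The body of `probe` continues past the end of the hunk.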