protodetect: improve DCERPC UDP probing parser and simplify app-layer-detect-proto.c code

[ilya-bakhtin]

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)
• I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues
  Link to ticket: https://redmine.openinfosecfoundation.org/issues/7111

Describe changes:
This is a replacement of #11100
There are 2 commits.
The first one is intended to improve DCERPC UDP detection. False positives resulted in improper work of the detection framework.
The second commit simplifies the detection framework function AppLayerProtoDetectGetProto.
It previously contained a bug which combined with false positive in DCERPC resulted in incorrect reporting of DNS flow direction.

Provide values to any of the below to override the defaults.

• To use an LibHTP, Suricata-Verify or Suricata-Update pull request,
  link to the pull request in the respective _BRANCH variable.
• Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#1989
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.48%. Comparing base (7f6c963) to head (05bd7e9).
Report is 34 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11541      +/-   ##
==========================================
- Coverage   82.51%   82.48%   -0.03%     
==========================================
  Files         923      923              
  Lines      248732   248727       -5     
==========================================
- Hits       205232   205170      -62     
- Misses      43500    43557      +57     

Flag	Coverage Δ
fuzzcorpus	60.47% <87.50%> (+0.07%)	⬆️
livemode	18.63% <0.00%> (+<0.01%)	⬆️
pcap	43.98% <100.00%> (-0.11%)	⬇️
suricata-verify	61.66% <100.00%> (-0.10%)	⬇️
unittests	59.06% <50.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[catenacyber]

Why this condition leftover_bytes.len() >= hdr.fraglen as usize ?

[ilya-bakhtin]

Please see the conventional parser code at rust/src/dcerpc/dcerpc_udp.rs:207
The probe must do at least the same since the DCERPC PM is extremely short.

[catenacyber]

Ok indeed, we are on UDP here :-)

[catenacyber]

Not sure about this safety check... not sure it is needed...
Maybe we should rather have a DEBUG_VALIDATION like DEBUG_VALIDATE_BUG_ON(*reverse_flow); // should not be set to true, otherwise we returned a valid alproto already

[ilya-bakhtin]

i'll inspect if the reversed flag is never set by the previous kind of the proto detection in the case of an unknown/failed result

[ilya-bakhtin]

I've made an inspection of the corresponding code. Direction may be reported reversed only in a case of valid protocol returned. So the "to be safe" lines are not necessary. Now i believe even debug validation is not necessary.

At the same time i found a case when incorrect direction may be technically reported by the PM.
It's not in the scope of the current work. And most likely the case is not possible whith the currently registered set of protocol detection patterns. I can not provide a reproducer. The following is a result of code review only.

The PM technically detects a set of protos but only first one is used. Let's see at app-layer-detect-proto.c from line 1407
uint16_t pm_matches = AppLayerProtoDetectPMGetProto(
tctx, f, buf, buflen, flags, pm_results, reverse_flow);
if (pm_matches > 0) {
DEBUG_VALIDATE_BUG_ON(pm_matches > 1);
alproto = pm_results[0];

DEBUG_VALIDATE_BUG_ON exists but the whole part of code looks confusing. Why do we use an array of matches when only first is expected? And i believe without debug a combination of patterns is possible when more than one is returned and some of the following damaged the 'reverse_flow'.

It looks a bit confusing why PMGetProtoInspect tries to traverse all patterns (from line 294 of app-layer-detect-proto.c) while its client expects the one and only. And it has even DEBUG_VALIDATE_BUG_ON check.

[catenacyber]

Thanks for the investigation

Now i believe even debug validation is not necessary.

It may be useful in the future, if some new code tries to break this assertion

Why do we use an array of matches when only first is expected?

Because we use some generic code for multi-pattern matching. The debug validation is here so that fuzzing can find if there is one way to find mutliple protocols with patterns... which would lead likely to bad things...

[ilya-bakhtin]

I see.
I prepared a version with the debug validation - #11644

Regarding the array of matches - I still don't quite understand why we do not break from the loop started at app-layer-detect-proto.c:294 when the pattern is found.
Well, I did not inspect the behavior fully and it's not in the scope of current change. Moreover, I hope the condition with multiple patterns detected is impossible with the current set of registered protocol detection patterns.

[catenacyber]

Moreover, I hope the condition with multiple patterns detected is impossible with the current set of registered protocol detection patterns.

That is the important point indeed...

[catenacyber]

Also @ilya-bakhtin the SV PR needs some simple fix ;-)

[ilya-bakhtin]

SV update is at OISF/suricata-verify#2008

[catenacyber]

Continued in #11644