DCERPC traffic parsing issue
This is a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn't clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it's very hard.
It was brought to our attention by the Yahoo Pentest Team.
Updated by Victor Julien about 5 years ago
Workaround: disable the parser as follows:
In your suricata.yaml go down to the 'app-layer' section and change 'enabled' to 'no' under 'dcerpc', like so:
  app-layer:
    protocols:
      tls:
        enabled: yes
        detection-ports:
          dp: 443
        #no-reassemble: yes
      dcerpc:
        enabled: no
After this, restart Suricata.
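To confirm the workaround actually took effect before restarting, here is an added example (not part of this ticket or of Suricata itself) that reads a suricata.yaml and reports whether the app-layer -> protocols -> dcerpc -> enabled key is set. It deliberately avoids PyYAML and walks the file by indentation, so it assumes the plain `key: value` layout and two-space indentation that the stock suricata.yaml uses; the two embedded configs are constructed samples, not taken from any real deployment.

```python
"""
Check whether the DCERPC app-layer parser is disabled in a suricata.yaml.

Added example: a minimal, dependency-free walker for the nested
app-layer -> protocols -> dcerpc -> enabled key, so it runs without PyYAML.
Assumes the conventional two-space indentation Suricata ships with and that
the keys on that path are written as plain `key: value` mapping lines.
"""
import sys
from typing import Optional, Sequence

KEY_PATH = ("app-layer", "protocols", "dcerpc", "enabled")

# Constructed sample: the vulnerable default, with the parser left on.
SAMPLE_VULNERABLE = """\
%YAML 1.1
---
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: yes
"""

# Constructed sample: the same file after applying the workaround.
SAMPLE_WORKAROUND = SAMPLE_VULNERABLE.replace(
    "dcerpc:\n      enabled: yes", "dcerpc:\n      enabled: no"
)


def _strip_comment(line: str) -> str:
    """Drop a trailing or whole-line '#' comment.

    Commented-out keys such as '#no-reassemble: yes' must not count as
    settings, and neither must a commented-out '#enabled: no'.
    """
    hash_pos = line.find("#")
    return line if hash_pos < 0 else line[:hash_pos]


def lookup(yaml_text: str, path: Sequence[str] = KEY_PATH) -> Optional[str]:
    """Return the raw value found at `path`, or None if any key is absent."""
    # Stack of (indent, key) for the mapping keys enclosing the current line.
    stack = []
    for raw in yaml_text.splitlines():
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue  # blank line or comment-only line
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # directives ('%YAML 1.1'), '---', list items: not a mapping entry
        # Leaving a nested block: pop every enclosing key at the same or deeper indent.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        current = tuple(k for _, k in stack) + (key.strip(),)
        if current == tuple(path):
            return value.strip()
        stack.append((indent, key.strip()))
    return None


def dcerpc_enabled(yaml_text: str) -> Optional[bool]:
    """True if the DCERPC parser is enabled, False if disabled, None if unset."""
    value = lookup(yaml_text)
    if value is None:
        return None
    return value.lower() in ("yes", "true", "on")


if __name__ == "__main__":
    # Usage: python check_dcerpc.py /etc/suricata/suricata.yaml
    # (the path is an assumption; use your own config location)
    cfg_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/suricata/suricata.yaml"
    with open(cfg_path, encoding="utf-8") as fh:
        state = dcerpc_enabled(fh.read())
    if state is None:
        print("dcerpc.enabled not set explicitly; check Suricata's built-in default")
    else:
        print("dcerpc parser is", "ENABLED" if state else "disabled")
```

Because this walker only understands the simple mapping layout, treat a None result as "go look at the file" rather than as proof the parser is off. Running `suricata -T -c <path>` afterwards validates that the edited file still parses cleanly before you restart the service.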