Bug #2559
closedDCE based rule false positives
Description
We are doing some testing with 4.1rc1 and are seeing what appear to be
false positives on the following rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]
(msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path
canonicalization stack overflow attempt"; flow:to_server,established;
dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32;
dce_stub_data;
pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s";
byte_jump:4,-4,multiplier 2,relative,align,dce;
pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips
drop, policy connectivity-ips drop, policy max-detect-ips drop, policy
security-ips drop, service netbios-ssn;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067;
classtype:trojan-activity; sid:14782; rev:21;)
The traffic we are seeing the false positive against is http traffic
but is firing this rule (pcap in tarball).
We ran the sample pcap against 4.0.5 and do not see the false positive
alert.
We see the false positive alert against 4.1rc1 and the latest master
branch.
Files
Updated by Victor Julien over 6 years ago
- Status changed from New to Closed
- Assignee set to Victor Julien
- Target version set to 4.1rc2