
Bug #3109

closed

dcerpc engine not generating alerts

Added by Travis Green over 5 years ago. Updated over 2 years ago.

Status: Closed
Priority: High

Description

Rules using dce* keywords do not generate an alert despite matching packet contents. For example, given these two rules:

alert tcp any any -> $HOME_NET any (msg:"TGI LATERAL DCERPC ATSVC v1.0 Bind UUID 1ff70682-0a51-30e8-076d-740be8cee98b"; flow:established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b,any_frag; reference:url,401trg.com/an-introduction-to-smb-for-network-security-analysts/; classtype:attempted-admin; sid:2610115; rev:1; metadata:notworking;)

alert tcp any any -> $HOME_NET any (msg:"TGI LATERAL DCERPC ATSVC v1.0 Bind UUID"; flow:established; content:"|82 06 f7 1f 51 0a e8 30 07 6d 74 0b e8 ce e9 8b|"; reference:url,401trg.com/an-introduction-to-smb-for-network-security-analysts/; classtype:attempted-admin; sid:2610113; rev:1;)

and this packet: https://imgur.com/a/necQQvy

An alert is only generated for the rule that does not use dce_iface. Pcap attached for repro.
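As an added example (not from the bug report and not Suricata's own code), the Python below shows why the two rules above should fire on the same packet: the hex in the content rule (sid 2610113) is simply the little-endian wire encoding of the UUID in the dce_iface rule (sid 2610115). It builds a constructed, minimal DCE/RPC bind PDU for that ATSVC interface and parses the presentation context back out; the NDR transfer-syntax UUID is assumed from the DCE/RPC specification.

```python
import struct
import uuid

# UUID from the dce_iface rule (sid 2610115) in the report above.
ATSVC_UUID = uuid.UUID("1ff70682-0a51-30e8-076d-740be8cee98b")
# Hex bytes from the content rule (sid 2610113) in the report above.
CONTENT_HEX = "82 06 f7 1f 51 0a e8 30 07 6d 74 0b e8 ce e9 8b"
# Standard NDR transfer syntax (assumed from the DCE/RPC spec, not from the report).
NDR_TRANSFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def iface_to_content_hex(iface: uuid.UUID) -> str:
    """Wire form of an interface UUID: first three fields little-endian (bytes_le)."""
    return " ".join(f"{b:02x}" for b in iface.bytes_le)


def build_bind_pdu(iface: uuid.UUID, major: int, minor: int, call_id: int = 1) -> bytes:
    """Constructed minimal connection-oriented bind PDU with one presentation context."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR_TRANSFER.bytes_le + struct.pack("<I", 2)  # transfer syntax v2.0
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    frag_len = 16 + len(body)
    # rpc_vers=5, minor=0, ptype=11 (bind), pfc_flags=first|last, drep=little-endian
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return hdr + body


def parse_bind_interfaces(pdu: bytes) -> list:
    """Return [(uuid, major, minor), ...] for each presentation context in a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if pdu[4] & 0xF0 != 0x10:
        raise ValueError("big-endian data representation not handled")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    n_ctx = pdu[24]
    off, out = 28, []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated context list")
        _, n_xfer, _ = struct.unpack_from("<HBB", pdu, off)
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        major, minor = struct.unpack_from("<HH", pdu, off + 20)
        out.append((iface, major, minor))
        off += 24 + 20 * n_xfer
    return out
```

Running `iface_to_content_hex(ATSVC_UUID)` reproduces the content rule's hex exactly, which is the quick check to do before concluding the dce_iface path itself is at fault.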


Files

20171220_smb_at_schedule.pcap (3.53 KB), added by Travis Green, 08/09/2019 11:01 PM

Related issues (2: 0 open, 2 closed)

Related to Suricata - Bug #4769: dcerpc dce_iface just match a packet (Closed, Eloy Pérez)
Related to Suricata - Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords (Closed, Eloy Pérez)
