Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4767

closed

Rule error in SMB dce_iface and dce_opnum keywords

Added by Eloy Pérez about 3 years ago. Updated over 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Eloy Pérez

Target version:

7.0.0-beta1

Affected Versions:

6.0.1

Effort:

Difficulty:

Label:

Description

The SMB dce_iface and dce_opnum keywords don't match.

Following rule and the associated pcap can be used to test this behavior:

alert smb any any -> any any (\
      msg: "SMB-DCE EnumPrinterDrivers";\
      dce_iface: 12345678-1234-abcd-ef00-0123456789ab;\
      dce_opnum: 10;\
      sid: 1;\
      )

Files

test-smb-dcerpc.pcapng (13.4 KB) test-smb-dcerpc.pcapng

Pcap with SMB DCERPC traffic to test

Eloy Pérez, 10/20/2021 09:56 AM

Subtasks 2 (0 open — 2 closed)

Related issues 2 (0 open — 2 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #4767

Rule error in SMB dce_iface and dce_opnum keywords

Updated by Victor Julien about 3 years ago

Updated by Victor Julien about 3 years ago

Updated by Shivani Bhardwaj almost 3 years ago

Updated by Shivani Bhardwaj almost 3 years ago

Updated by Shivani Bhardwaj almost 3 years ago

Updated by Shivani Bhardwaj almost 3 years ago

Updated by Victor Julien over 2 years ago

	Related to Suricata - Bug #4769: dcerpc dce_iface just match a packet	Closed	Eloy Pérez				Actions
	Related to Suricata - Bug #3109: dcerpc engine not generating alerts	Closed	Shivani Bhardwaj				Actions