Project

General

Profile

Actions
Copy link

Bug #4769

closed

dcerpc dce_iface just match a packet

Added by Eloy Pérez about 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
High
Assignee:
Eloy Pérez
Target version:
7.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

The dce_iface dcerpc keyword just match the packet following the bind.

alert dcerpc any any -> any any (\
      msg: "DCE Netlogon";\
      flow: to_server;\
      dce_iface: 12345678-1234-abcd-ef00-01234567cffb;\
      sid: 1;\
      )

Files

test-dce-iface.pcapng (3.34 KB) test-dce-iface.pcapng Pcap with many dcerpc requests Eloy Pérez, 10/20/2021 11:12 AM

Related issues 4 (0 open4 closed)

Related to Suricata - Bug #3109: dcerpc engine not generating alertsClosedShivani BhardwajActions
Related to Suricata - Bug #4767: Rule error in SMB dce_iface and dce_opnum keywordsClosedEloy PérezActions
Copied to Suricata - Bug #4927: dcerpc dce_iface just match a packetClosedEloy PérezActions
Copied to Suricata - Bug #4928: dcerpc dce_iface just match a packet (5.0.x backport)RejectedActions
Actions
Copy link
 #1

Updated by Victor Julien almost 4 years ago

  • Related to Bug #3109: dcerpc engine not generating alerts added
Actions
Copy link
 #2

Updated by Victor Julien almost 4 years ago

  • Related to Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords added
Actions
Copy link
 #3

Updated by Shivani Bhardwaj almost 4 years ago

  • Status changed from New to Assigned
  • Target version set to 7.0.0-beta1
  • Label Needs backport to 5.0, Needs backport to 6.0 added
Actions
Copy link
 #4

Updated by Shivani Bhardwaj almost 4 years ago

  • Copied to Bug #4927: dcerpc dce_iface just match a packet added
Actions
Copy link
 #5

Updated by Shivani Bhardwaj almost 4 years ago

  • Copied to Bug #4928: dcerpc dce_iface just match a packet (5.0.x backport) added
Actions
Copy link
 #6

Updated by Shivani Bhardwaj almost 4 years ago

  • Status changed from Assigned to Closed
Actions
Copy link

Also available in: Atom PDF