Project

General

Profile

Actions
Copy link

Bug #4925

closed

Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords

Rule error in SMB dce_iface and dce_opnum keywords (6.0.x backport)

Added by Shivani Bhardwaj almost 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
High
Assignee:
Eloy Pérez
Target version:
6.0.5
Affected Versions:
6.0.1
Effort:
Difficulty:
Label:

Description

The SMB dce_iface and dce_opnum keywords don't match.

Following rule and the associated pcap can be used to test this behavior:

alert smb any any -> any any (\
      msg: "SMB-DCE EnumPrinterDrivers";\
      dce_iface: 12345678-1234-abcd-ef00-0123456789ab;\
      dce_opnum: 10;\
      sid: 1;\
      )

Files

test-smb-dcerpc.pcapng (13.4 KB) test-smb-dcerpc.pcapng Pcap with SMB DCERPC traffic to test Eloy Pérez, 10/20/2021 09:56 AM
Actions
Copy link
 #1

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied from Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords added
Actions
Copy link
 #2

Updated by Eloy Pérez almost 3 years ago

  • Assignee changed from Shivani Bhardwaj to Eloy Pérez
Actions
Copy link
 #3

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from Assigned to In Review
Actions
Copy link
 #4

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from In Review to Closed
Actions
Copy link
 #5

Updated by Victor Julien over 2 years ago

  • Subject changed from Rule error in SMB dce_iface and dce_opnum keywords to Rule error in SMB dce_iface and dce_opnum keywords (6.0.x backport)
  • Parent task set to #4767
Actions
Copy link

Also available in: Atom PDF