Bug #4926

closed

Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords

Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)

Added by Shivani Bhardwaj 11 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal

Description

The SMB dce_iface and dce_opnum keywords don't match.

The following rule and the associated pcap can be used to test this behavior:

alert smb any any -> any any (\
      msg: "SMB-DCE EnumPrinterDrivers";\
      dce_iface: 12345678-1234-abcd-ef00-0123456789ab;\
      dce_opnum: 10;\
      sid: 1;\
      )


Files

test-smb-dcerpc.pcapng (13.4 KB): Pcap with SMB DCERPC traffic to test. Eloy Pérez, 10/20/2021 09:56 AM

#1

Updated by Shivani Bhardwaj 11 months ago

  • Copied from Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords added

#2

Updated by Eloy Pérez 10 months ago

  • Assignee changed from Shivani Bhardwaj to Eloy Pérez

#3

Updated by Victor Julien 8 months ago

  • Target version changed from 5.0.9 to 5.0.10

#4

Updated by Victor Julien 5 months ago

  • Status changed from Assigned to Closed
  • Assignee changed from Eloy Pérez to Victor Julien
  • Priority changed from High to Normal

#5

Updated by Victor Julien 5 months ago

  • Subject changed from Rule error in SMB dce_iface and dce_opnum keywords to Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
  • Parent task set to #4767