Bug #4928: dcerpc dce_iface just match a packet (5.0.x backport) - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4928

closed

dcerpc dce_iface just match a packet (5.0.x backport)

Added by Shivani Bhardwaj almost 4 years ago. Updated over 3 years ago.

Status:

Rejected

Priority:

Normal

Assignee:

Target version:

Affected Versions:

5.0.8

Effort:

Difficulty:

Label:

Description

The dce_iface dcerpc keyword just match the packet following the bind.

alert dcerpc any any -> any any (\
      msg: "DCE Netlogon";\
      flow: to_server;\
      dce_iface: 12345678-1234-abcd-ef00-01234567cffb;\
      sid: 1;\
      )

Files

test-dce-iface.pcapng (3.34 KB) test-dce-iface.pcapng

Pcap with many dcerpc requests

Eloy Pérez, 10/20/2021 11:12 AM

Related issues 1 (0 open — 1 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #4928

dcerpc dce_iface just match a packet (5.0.x backport)

Updated by Shivani Bhardwaj almost 4 years ago

Updated by Eloy Pérez almost 4 years ago

Updated by Victor Julien over 3 years ago

Updated by Victor Julien over 3 years ago