Bug #5133: dcerpc: logs not created after unhandled packet such as auth3

Added by Peter Manev about 4 years ago. Updated 8 days ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using midstream (due to the pcap nature) with

7.0.0-dev (b1c09369a 2022-02-17)

and the following pcap
https://github.com/sbousseaden/PCAP-ATTACK/blob/master/Lateral%20Movement/LM_smbexec_smb_dcerpc_svcctl_epm.pcapng
the DCERPC events are not created, even though the flow has app_proto set as dcerpc (example):

{
  "timestamp": "2020-07-19T20:26:24.971636+0200",
  "flow_id": 1011604658379232,
  "event_type": "flow",
  "src_ip": "172.16.66.36",
  "src_port": 49683,
  "dest_ip": "172.16.66.1",
  "dest_port": 50059,
  "proto": "TCP",
  "app_proto": "dcerpc",
  "flow": {
    "pkts_toserver": 14,
    "pkts_toclient": 16,
    "bytes_toserver": 2312,
    "bytes_toclient": 3824,
    "start": "2020-07-19T20:26:24.973280+0200",
    "end": "2020-07-19T20:26:36.004852+0200",
    "age": 12,
    "state": "established",
    "reason": "shutdown",
    "alerted": false
  },
  "tcp": {
    "tcp_flags": "19",
    "tcp_flags_ts": "19",
    "tcp_flags_tc": "18",
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "established"
  }
}
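The symptom above (a flow record with app_proto set to dcerpc, but no dcerpc records for that flow_id) can be checked mechanically over an eve.json file. The script below is an added example, not part of the ticket or of Suricata's own code; it assumes EVE records carry "event_type" and "flow_id" and that flow records carry "app_proto", and the sample lines it embeds are constructed (flow 1011604658379232 mirrors the ticket's flow record, the others are made up).

```python
"""Flag flows that Suricata classified as dcerpc but for which no dcerpc record
was written. Added example, not Suricata or ticket code; it assumes EVE JSON
records carry "event_type" and "flow_id" and flow records carry "app_proto"."""
import json
import sys
from collections import defaultdict

# Constructed EVE lines (not real Suricata output): flow 1011604658379232 reproduces
# the ticket's symptom (app_proto dcerpc, no dcerpc event), flow 2222 is healthy,
# flow 3333 is an unrelated SMB flow, and the last line is a truncated write.
SAMPLE_EVE = "\n".join([
    '{"timestamp": "2020-07-19T20:26:24.971636+0200", "flow_id": 1011604658379232, '
    '"event_type": "flow", "src_ip": "172.16.66.36", "src_port": 49683, '
    '"dest_ip": "172.16.66.1", "dest_port": 50059, "proto": "TCP", "app_proto": "dcerpc"}',
    '{"timestamp": "2020-07-19T20:26:30.000000+0200", "flow_id": 2222, '
    '"event_type": "dcerpc", "src_ip": "10.0.0.2", "src_port": 40000, '
    '"dest_ip": "10.0.0.1", "dest_port": 135, "proto": "TCP", '
    '"dcerpc": {"request": "BIND", "response": "BINDACK"}}',
    '{"timestamp": "2020-07-19T20:26:40.000000+0200", "flow_id": 2222, '
    '"event_type": "flow", "src_ip": "10.0.0.2", "src_port": 40000, '
    '"dest_ip": "10.0.0.1", "dest_port": 135, "proto": "TCP", "app_proto": "dcerpc"}',
    '{"timestamp": "2020-07-19T20:26:41.000000+0200", "flow_id": 3333, '
    '"event_type": "flow", "src_ip": "10.0.0.3", "src_port": 40001, '
    '"dest_ip": "10.0.0.1", "dest_port": 445, "proto": "TCP", "app_proto": "smb"}',
    '{"timestamp": "2020-07-19T20:26:42.000000+0200", "flow_id": 4444, "event_ty',
])


def find_silent_flows(eve_lines, app_proto="dcerpc"):
    """Return {flow_id: (src_ip, src_port, dest_ip, dest_port)} for every flow whose
    flow record says app_proto == `app_proto` but which never produced a record with
    event_type == `app_proto`. Malformed lines (e.g. a truncated tail) are skipped.
    All lines are collected before filtering because the flow record is written at
    flow end, i.e. after any protocol records for the same flow_id."""
    event_types = defaultdict(set)   # flow_id -> set of event_type values seen
    classified = {}                  # flow_id -> endpoints, for flows tagged app_proto
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                 # partial/corrupt line, ignore it
        fid = rec.get("flow_id")
        if fid is None:
            continue
        event_types[fid].add(rec.get("event_type"))
        if rec.get("event_type") == "flow" and rec.get("app_proto") == app_proto:
            classified[fid] = (rec.get("src_ip"), rec.get("src_port"),
                               rec.get("dest_ip"), rec.get("dest_port"))
    return {fid: ends for fid, ends in classified.items()
            if app_proto not in event_types[fid]}


def report(eve_lines, app_proto="dcerpc"):
    """Print one line per silent flow and return how many were found."""
    silent = find_silent_flows(eve_lines, app_proto)
    for fid, (sip, sp, dip, dp) in sorted(silent.items()):
        print(f"flow_id {fid} {sip}:{sp} -> {dip}:{dp}: "
              f"app_proto={app_proto} but no {app_proto} events logged")
    return len(silent)


if __name__ == "__main__":
    # Usage: python check_silent_dcerpc.py [path/to/eve.json]; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_EVE.splitlines()
    sys.exit(1 if report(lines) else 0)
```

Run against the eve.json produced by the reproduction command, the script exits non-zero whenever a dcerpc-classified flow has no dcerpc record, which is the condition the ticket describes; the same check works for any other app_proto by passing its name.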


Subtasks (1: 0 open, 1 closed)

Bug #8373: dcerpc: logs not created after unhandled packet such as auth3 (8.0.x backport) - Closed - Philippe Antoine

Related issues (2: 1 open, 1 closed)

Related to Suricata - Feature #7566: dcerpc: applayer events for anomalous parsing results - Assigned - Shivani Bhardwaj
Blocks Suricata - Bug #7254: dcerpc: parser does not support multiple PDUs - Closed - Philippe Antoine

#1 Updated by Peter Manev about 4 years ago

To reproduce:

suricata --set stream.midstream=true -S /dev/null -l logs/ -k none -r /home/pevma/Downloads/LM_smbexec_smb_dcerpc_svcctl_epm.pcapng --runmode=single

#2 Updated by Victor Julien almost 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Peter Manev

Peter, can you create an SV test for this?

#3 Updated by Philippe Antoine 21 days ago

  • Assignee changed from Peter Manev to Philippe Antoine
  • Target version changed from TBD to 9.0.0-beta1
  • Label Needs backport to 8.0 added

#4 Updated by OISF Ticketbot 21 days ago

  • Subtask #8373 added

#5 Updated by OISF Ticketbot 21 days ago

  • Label deleted (Needs backport to 8.0)

#6 Updated by Philippe Antoine 21 days ago

  • Status changed from Assigned to In Review

#7 Updated by Philippe Antoine 21 days ago

  • Subject changed from DCERPC: master - logs not created to dcerpc: logs not created after unhandled packet such as auth3

#8 Updated by Philippe Antoine 21 days ago

  • Blocks Bug #7254: dcerpc: parser does not support multiple PDUs added

#9 Updated by Philippe Antoine 21 days ago

  • Related to Feature #7566: dcerpc: applayer events for anomalous parsing results added

#10 Updated by Philippe Antoine 16 days ago

  • Status changed from In Review to Resolved

#11 Updated by Philippe Antoine 8 days ago

  • Status changed from Resolved to Closed