Project

General

Profile

Actions
Copy link

Bug #5133

open

DCERPC: master - logs not created

Added by Peter Manev about 2 years ago. Updated 11 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Peter Manev
Target version:
TBD
Affected Versions:
git master
Effort:
Difficulty:
Label:

Description

Using midstream (due to the pcap nature) 

7.0.0-dev (b1c09369a 2022-02-17)

with the following pcap
https://github.com/sbousseaden/PCAP-ATTACK/blob/master/Lateral%20Movement/LM_smbexec_smb_dcerpc_svcctl_epm.pcapng
the DCERPC events are not created, even though the flow has app_proto set as dcerpc (example)

{
  "timestamp": "2020-07-19T20:26:24.971636+0200",
  "flow_id": 1011604658379232,
  "event_type": "flow",
  "src_ip": "172.16.66.36",
  "src_port": 49683,
  "dest_ip": "172.16.66.1",
  "dest_port": 50059,
  "proto": "TCP",
  "app_proto": "dcerpc",
  "flow": {
    "pkts_toserver": 14,
    "pkts_toclient": 16,
    "bytes_toserver": 2312,
    "bytes_toclient": 3824,
    "start": "2020-07-19T20:26:24.973280+0200",
    "end": "2020-07-19T20:26:36.004852+0200",
    "age": 12,
    "state": "established",
    "reason": "shutdown",
    "alerted": false
  },
  "tcp": {
    "tcp_flags": "19",
    "tcp_flags_ts": "19",
    "tcp_flags_tc": "18",
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "established" 
  }
}
Actions
Copy link
 #1

Updated by Peter Manev about 2 years ago

to reproduce

suricata --set stream.midstream=true -S /dev/null -l logs/ -k none -r /home/pevma/Downloads/LM_smbexec_smb_dcerpc_svcctl_epm.pcapng  --runmode=single

Actions
Copy link
 #2

Updated by Victor Julien 11 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Peter Manev

Peter can you create a SV test for this?

Actions
Copy link

Also available in: Atom PDF