Bug #5135

open

DCERPC: dcerpc.iface keyword alert results differ from 5 vs 6/master

Added by Peter Manev over 3 years ago. Updated 14 days ago.

Status: Feedback
Priority: Normal

Description

If sid 666 and 888 match there is no reason why 777 would not match.
Please see attached for comparison.

The pcap used: https://redmine.openinfosecfoundation.org/attachments/2434
6.x and master have the problem of not generating an alert on sid:777.
5.x is good.


Files

dcerpc-perf-accuracy.txt (7.6 KB), Peter Manev, 02/19/2022 02:54 PM

#1

Updated by Philippe Antoine 14 days ago

  • Status changed from New to Feedback
alert dcerpc any any -> any any (msg:"DCE Netlogon dcerpc.iface only"; flow:to_server,established; dcerpc.iface:12345678-1234-abcd-ef00-01234567cffb; sid:666;)
alert dcerpc any any -> any any (msg:"DCE Netlogoni dcerp.iface with content added"; flow:to_server,established; content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface:12345678-1234-abcd-ef00-01234567cffb; sid:777;)
alert dcerpc any any -> any any (msg:"DCE Netlogoni dcerp content only"; flow:to_server,established; content:"|78 56 34 12 34 12 CD AB EF|"; sid:888;)

If sid 666 and 888 match there is no reason why 777 would not match.

Yes, there are.
The raw content may be inspected at a different time.
unixia was this fixed by your work on @TriggerRawStreamReassembly@?
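The three rules above differ only in whether they match on the parsed interface UUID, on the raw bytes, or on both, and the content pattern in sid 777 and 888 is the DCERPC wire encoding of the first nine bytes of the dcerpc.iface UUID (Data1, Data2 and Data3 little-endian). The Python below is an added example, not part of this report and not Suricata code: it builds a constructed BIND PDU carrying that interface, parses the interface UUID back out, locates the content pattern in the same raw bytes, and models which of the three sids would fire when both checks are evaluated against one and the same PDU, which is the expectation stated in the description. The BIND PDU layout follows the connection-oriented DCERPC header; the PDU itself and the NDR transfer-syntax UUID are sample values constructed here, not taken from the attached pcap, and the model deliberately ignores the point made in the reply that raw-content inspection can happen at a different time than keyword inspection.

```python
import struct
import uuid

# UUID from the dcerpc.iface rules in this report (Netlogon interface).
NETLOGON_IFACE = "12345678-1234-abcd-ef00-01234567cffb"
# Content pattern from sid 777 / 888 on this page.
CONTENT_HEX = "78 56 34 12 34 12 CD AB EF"
# Standard NDR transfer syntax UUID, used only to build a realistic BIND PDU (constructed input).
NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"

BIND_PTYPE = 11
# rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
HEADER_FMT = "<BBBB4sHHI"


def iface_wire_bytes(iface: str) -> bytes:
    """Encode a UUID the way DCERPC puts it on the wire.

    Data1, Data2 and Data3 are little-endian, the remaining 8 bytes stay in
    order; uuid.UUID.bytes_le implements exactly that layout.
    """
    return uuid.UUID(iface).bytes_le


def content_pattern(hex_with_spaces: str) -> bytes:
    """Turn a Suricata |..| hex content into bytes."""
    return bytes.fromhex(hex_with_spaces.replace(" ", ""))


def build_bind_pdu(iface: str, iface_version: int = 1, call_id: int = 1) -> bytes:
    """Construct a minimal connection-oriented BIND PDU with one presentation
    context (sample input built here, not taken from the report's pcap)."""
    ctx = struct.pack("<HBB", 0, 1, 0)  # p_cont_id, n_transfer_syn, reserved
    ctx += iface_wire_bytes(iface) + struct.pack("<I", iface_version)
    ctx += iface_wire_bytes(NDR_TRANSFER_SYNTAX) + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0)  # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)  # n_context_elem, reserved, reserved2
    body += ctx
    frag_length = struct.calcsize(HEADER_FMT) + len(body)
    # drep 10 00 00 00: little-endian integers, ASCII characters, IEEE floats
    header = struct.pack(HEADER_FMT, 5, 0, BIND_PTYPE, 0x03, b"\x10\x00\x00\x00", frag_length, 0, call_id)
    return header + body


def parse_bind_ifaces(pdu: bytes) -> list[str]:
    """Return the abstract-syntax (interface) UUIDs requested in a BIND PDU."""
    hdr_len = struct.calcsize(HEADER_FMT)
    rpc_vers, _minor, ptype, _flags, _drep, frag_length, _auth_len, _call_id = struct.unpack_from(HEADER_FMT, pdu, 0)
    if rpc_vers != 5 or ptype != BIND_PTYPE:
        raise ValueError("not a DCERPC v5 BIND PDU")
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx = pdu[hdr_len + 8]  # after max_xmit_frag, max_recv_frag, assoc_group_id
    off = hdr_len + 12        # skip n_context_elem, reserved, reserved2
    ifaces = []
    for _ in range(n_ctx):
        _cont_id, n_transfer, _reserved = struct.unpack_from("<HBB", pdu, off)
        off += 4
        ifaces.append(str(uuid.UUID(bytes_le=pdu[off:off + 16])))
        off += 20               # abstract syntax: uuid + version
        off += 20 * n_transfer  # each transfer syntax: uuid + version
    return ifaces


def content_offset(pdu: bytes, hex_with_spaces: str) -> int:
    """Offset of the content pattern in the raw PDU bytes, or -1 if absent."""
    return pdu.find(content_pattern(hex_with_spaces))


def expected_sids(pdu: bytes) -> set[int]:
    """Which of sid 666/777/888 match when the parsed interface UUID and the raw
    bytes are both evaluated against this same PDU. This models the rule logic
    as the reporter expects it, not Suricata's detection engine."""
    iface_hit = NETLOGON_IFACE in parse_bind_ifaces(pdu)
    content_hit = content_offset(pdu, CONTENT_HEX) >= 0
    sids = set()
    if iface_hit:
        sids.add(666)
    if iface_hit and content_hit:
        sids.add(777)
    if content_hit:
        sids.add(888)
    return sids


if __name__ == "__main__":
    sample = build_bind_pdu(NETLOGON_IFACE)
    print(iface_wire_bytes(NETLOGON_IFACE).hex())
    print(parse_bind_ifaces(sample), content_offset(sample, CONTENT_HEX), sorted(expected_sids(sample)))
```

Running it shows the content pattern sitting at the start of the abstract-syntax UUID inside the context element, so on a single PDU the content match and the iface match are the same bytes viewed two ways; the divergence in the report comes from when the engine looks at each view, not from what it looks at.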
