Project

General

Profile

Actions
Copy link

Bug #5135

open
PM OD

DCERPC: dcerpc.iface keyword alert results differ from 5 vs 6/master

Bug #5135: DCERPC: dcerpc.iface keyword alert results differ from 5 vs 6/master

Added by Peter Manev about 4 years ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.4, git main
Effort:
Difficulty:
Label:

Description

If sid 666 and 888 match there is no reason why 777 would not match.
Please see attached for comparison.

The pcap used - https://redmine.openinfosecfoundation.org/attachments/2434
6.x and master have the problem of not generating alert on sid:777
5.x is good

Files

dcerpc-perf-accuracy.txt (7.6 KB) dcerpc-perf-accuracy.txt Peter Manev, 02/19/2022 02:54 PM

PA Updated by Philippe Antoine 8 months ago Actions
Copy link
 #1

  • Status changed from New to Feedback
alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|";  sid: 888; )

If sid 666 and 888 match there is no reason why 777 would not match.

Yes, there are.
The raw content may be inspected not at the same time.
unixia was this fixed by your work on @TriggerRawStreamReassembly ?

Actions
Copy link

Also available in: PDF Atom