Bug #5135
openDCERPC: dcerpc.iface keyword alert results differ from 5 vs 6/master
Description
If sid 666 and 888 match there is no reason why 777 would not match.
Please see attached for comparison.
The pcap used - https://redmine.openinfosecfoundation.org/attachments/2434
6.x and master have the problem of not generating alert on sid:777
5.x is good
Updated by Philippe Antoine 14 days ago
- Status changed from New to Feedback
alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established; content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established; content:"|78 56 34 12 34 12 CD AB EF|"; sid: 888; )
If sid 666 and 888 match there is no reason why 777 would not match.
Yes, there are.
The raw content may not be inspected at the same time. unixia, was this fixed by your work on @TriggerRawStreamReassembly?
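Added example, not code from the issue, the reporter, or the Suricata code base: it shows why the hex content in sid 777/888 and the dcerpc.iface UUID in sid 666/777 refer to the same bytes of a DCERPC bind (the content is the first nine bytes of the UUID in little-endian wire form), and how a raw-content check run per stream chunk can disagree with a stateful parser run over the reassembled bind, which is the kind of divergence the comment above points at. The bind PDU builder, the parser, the three rule checks and the split scenario are all this example's own, not Suricata's detection engine, and the sample PDU is constructed.

```python
"""Added example (not from the Suricata issue or its code base): relate the
content pattern and dcerpc.iface UUID from sids 666/777/888, and show how a
per-chunk content check and a stateful iface check can diverge."""
import struct
import uuid

# From the rules in the issue: iface UUID (sid 666/777) and hex content (sid 777/888).
IFACE = uuid.UUID("12345678-1234-abcd-ef00-01234567cffb")
CONTENT = bytes.fromhex("78 56 34 12 34 12 CD AB EF")
# Standard 32-bit NDR transfer syntax, as announced in real binds.
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def iface_wire_bytes(iface):
    """Little-endian DCERPC wire form of a UUID: first three fields byte-swapped,
    last two in order. This is exactly what uuid.UUID.bytes_le returns."""
    return iface.bytes_le


def build_bind_pdu(iface, call_id=1):
    """Constructed sample: minimal DCERPC v5 bind with one presentation
    context (abstract syntax = iface v1.0, transfer syntax = NDR32 v2)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                         # p_cont_id, n_transfer_syn, reserved
    ctx += iface_wire_bytes(iface) + struct.pack("<HH", 1, 0)  # abstract syntax UUID, major/minor
    ctx += NDR32.bytes_le + struct.pack("<I", 2)               # transfer syntax UUID, version
    body = struct.pack("<HHI", 4280, 4280, 0)                  # max_xmit, max_recv, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0) + ctx                 # n_context_elem, reserved, reserved2
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03,            # vers, minor, ptype=bind, first|last
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)  # drep=LE, frag_len, auth_len
    return hdr + body


def bind_ifaces(pdu):
    """Abstract-syntax UUIDs announced in a bind PDU (the state dcerpc.iface tests)."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:
        return []
    if not pdu[4] & 0x10:
        raise ValueError("only little-endian data representation handled here")
    if struct.unpack_from("<H", pdu, 8)[0] != len(pdu):
        return []                                              # truncated fragment: do not guess
    n_ctx, off, found = pdu[24], 28, []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            break
        n_ts = pdu[off + 2]
        found.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_ts                                  # skip this context's transfer syntaxes
    return found


def evaluate_rules(pdu):
    """Both keyword checks against the same complete PDU:
    sid 666 (iface only), 888 (content only), 777 (both)."""
    iface_ok = IFACE in bind_ifaces(pdu)
    content_ok = CONTENT in pdu
    return {666: iface_ok, 888: content_ok, 777: iface_ok and content_ok}


def split_match(chunks):
    """Illustration only (not Suricata's engine): the iface check runs on the
    reassembled bind, the raw-content check on each chunk separately. If the
    UUID straddles a chunk boundary the checks disagree: 666 fires, 777/888 do not."""
    iface_ok = IFACE in bind_ifaces(b"".join(chunks))
    content_ok = any(CONTENT in c for c in chunks)
    return {666: iface_ok, 888: content_ok, 777: iface_ok and content_ok}


if __name__ == "__main__":
    pdu = build_bind_pdu(IFACE)
    print("content is UUID prefix:", iface_wire_bytes(IFACE).startswith(CONTENT))
    print("whole PDU:", evaluate_rules(pdu))
    print("split inside the UUID:", split_match([pdu[:36], pdu[36:]]))
```

The bind UUID sits at offset 32 of the constructed PDU, so splitting at offset 36 puts the nine content bytes across two chunks: the stateful check still sees the interface, the per-chunk content check does not, and the combined rule is the one that goes quiet.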