Bug #5135
open
- Status changed from New to Feedback
alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; sid: 888; )
If sid 666 and 888 match there is no reason why 777 would not match.
Yes, there are.
The raw content may be inspected at a different time.
unixia, was this fixed by your work on @TriggerRawStreamReassembly?