Actions
Optimization #5902
opendetect: "alert dcerpc" sig sets up smb inspect engines
Description
alert dcerpc any any -> any any (flow:to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_stub_data; pcre:/one/R; sid:7;)
results in
{
"raw": "alert dcerpc any any -> any any (flow:to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_stub_data; pcre:/one/R; sid:7;)",
"id": 7,
"gid": 1,
"rev": 0,
"app_proto": "dcerpc",
"requirements": [
"flow",
"dcerpc"
],
"flags": [
"src_any",
"dst_any",
"sp_any",
"dp_any",
"applayer",
"toserver"
],
"pkt_engines": [],
"frame_engines": [],
"engines": [
{
"name": "dce_generic",
"direction": "toserver",
"is_mpm": false,
"app_proto": "dcerpc",
"progress": 0,
"matches": [
{
"name": "dcerpc.iface"
}
]
},
{
"name": "dce_generic",
"direction": "toserver",
"is_mpm": false,
"app_proto": "smb",
"progress": 0,
"matches": [
{
"name": "dcerpc.iface"
}
]
},
{
"name": "dce_stub_data",
"direction": "toserver",
"is_mpm": false,
"app_proto": "smb",
"progress": 0,
"matches": [
{
"name": "pcre",
"pcre": {
"relative": true,
"relative_next": false,
"nocase": false,
"negated": false
}
}
]
},
{
"name": "dce_stub_data",
"direction": "toserver",
"is_mpm": false,
"app_proto": "dcerpc",
"progress": 0,
"matches": [
{
"name": "pcre",
"pcre": {
"relative": true,
"relative_next": false,
"nocase": false,
"negated": false
}
}
]
}
],
"lists": {}
}
Updated by Victor Julien over 1 year ago
This may actually be working as designed. I guess maybe we need a way to specify dcerpc "direct" (not on top of smb).
Updated by Philippe Antoine about 1 year ago
Wondering if dcerpc over smb should be put into a fake/sub flow so each flow has its own app-layer... (as for DNS over HTTP2)
Updated by Philippe Antoine 5 months ago
Maybe app-layer-protocol
can be used to restrict to DCERPC in this case
Actions