Optimization #5902
opendetect: "alert dcerpc" sig sets up smb inspect engines
Description
alert dcerpc any any -> any any (flow:to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_stub_data; pcre:/one/R; sid:7;)
results in
{
  "raw": "alert dcerpc any any -> any any (flow:to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_stub_data; pcre:/one/R; sid:7;)",
  "id": 7,
  "gid": 1,
  "rev": 0,
  "app_proto": "dcerpc",
  "requirements": [
    "flow",
    "dcerpc"
  ],
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toserver"
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "dce_generic",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "dcerpc",
      "progress": 0,
      "matches": [
        {
          "name": "dcerpc.iface"
        }
      ]
    },
    {
      "name": "dce_generic",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "smb",
      "progress": 0,
      "matches": [
        {
          "name": "dcerpc.iface"
        }
      ]
    },
    {
      "name": "dce_stub_data",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "smb",
      "progress": 0,
      "matches": [
        {
          "name": "pcre",
          "pcre": {
            "relative": true,
            "relative_next": false,
            "nocase": false,
            "negated": false
          }
        }
      ]
    },
    {
      "name": "dce_stub_data",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "dcerpc",
      "progress": 0,
      "matches": [
        {
          "name": "pcre",
          "pcre": {
            "relative": true,
            "relative_next": false,
            "nocase": false,
            "negated": false
          }
        }
      ]
    }
  ],
  "lists": {}
}
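As an added illustration (not code from this issue or from Suricata itself), the script below reads a rules.json-style stream from the engine analysis and lists every signature whose inspect engines are registered under an app_proto other than the one its rule header declares, which is exactly the dcerpc header / smb engines situation shown above. The sample records are constructed from the sid 7 output plus a single-proto http rule, and the one-object-per-signature layout of rules.json is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample (not real analyzer output): the sid 7 record from this issue,
# trimmed to the fields the check reads, plus an http rule that stays on one proto.
SAMPLE_ANALYZER_JSON = """
{"id": 7, "app_proto": "dcerpc", "engines": [
  {"name": "dce_generic", "direction": "toserver", "app_proto": "dcerpc"},
  {"name": "dce_generic", "direction": "toserver", "app_proto": "smb"},
  {"name": "dce_stub_data", "direction": "toserver", "app_proto": "smb"},
  {"name": "dce_stub_data", "direction": "toserver", "app_proto": "dcerpc"}]}
{"id": 8, "app_proto": "http", "engines": [
  {"name": "http_uri", "direction": "toserver", "app_proto": "http"}]}
"""

def load_records(text):
    """Parse a stream of concatenated JSON objects, one per signature (rules.json
    from --engine-analysis is assumed to be one object per line; this also tolerates
    pretty-printed objects spanning several lines)."""
    dec, pos, recs, text = json.JSONDecoder(), 0, [], text.strip()
    while pos < len(text):
        obj, pos = dec.raw_decode(text, pos)
        recs.append(obj)
        while pos < len(text) and text[pos].isspace():  # raw_decode does not skip ws
            pos += 1
    return recs

def engine_protos(sig):
    """Map each engine app_proto to the engine names registered under it."""
    by_proto = defaultdict(list)
    for eng in sig.get("engines", []):
        by_proto[eng["app_proto"]].append(eng["name"])
    return dict(by_proto)

def find_cross_proto_sigs(records):
    """Return (sid, declared app_proto, {proto: [engine names]}) for each signature
    with inspect engines registered under an app_proto other than the one its
    header declares, i.e. the dcerpc header / smb engines case from this issue."""
    findings = []
    for sig in records:
        declared, protos = sig.get("app_proto"), engine_protos(sig)
        if declared and any(p != declared for p in protos):
            findings.append((sig["id"], declared, protos))
    return findings

if __name__ == "__main__":
    for sid, declared, protos in find_cross_proto_sigs(load_records(SAMPLE_ANALYZER_JSON)):
        print(f"sid {sid}: header app_proto {declared}, engines on {sorted(protos)}")
```

Run against a real rules.json to see how many dcerpc-keyed rules carry duplicate smb engines before deciding whether restricting them (for example via app-layer-protocol) is worth the rule edit.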
Updated by Victor Julien over 2 years ago
This may actually be working as designed. I guess maybe we need a way to specify dcerpc "direct" (not on top of smb).
Updated by Philippe Antoine almost 2 years ago
Wondering if dcerpc over smb should be put into a fake/sub flow so each flow has its own app-layer... (as for DNS over HTTP2)
Updated by Philippe Antoine over 1 year ago
Maybe app-layer-protocol can be used to restrict to DCERPC in this case