Bug #6191
closedif protocol dcerpc first packet type is Alter_context, it will not parse dcerpc
Description
When i use a dcerpc pcap, the first packet type is Alter_context, and next packet is Alter_context_resp. In this case, Suricata will not parse this pcap file.Because engine thought first packet is a response, and error is occurred.
file location is rust/src/dcerpc/dcerpc.rs:1337,
let is_request = hdr.hdrtype 0x00;
modify it as:
let is_request = hdr.hdrtype 0x00 || hdr.hdrtype == 0x0e;
it fix.
Files
Updated by Victor Julien 10 months ago
- Status changed from New to Assigned
- Target version changed from TBD to 7.0.1
Pcap should be used to create a SV test. Backport should be considered.
Updated by Shivani Bhardwaj 9 months ago
- Status changed from Assigned to In Progress
Updated by Shivani Bhardwaj 9 months ago
Hi @INTER xz ! Thank you for your report! Since you have already done the fix, would you like to make that code contribution yourself to Suricata? :)
I have created a test with the pcap you've uploaded here: https://github.com/OISF/suricata-verify/pull/1324
Please let me know if you cannot do that for some reason, then, I'll give the credit to you in the commit.
Updated by INTER xz 9 months ago
Shivani Bhardwaj wrote in #note-3:
Hi @INTER xz ! Thank you for your report! Since you have already done the fix, would you like to make that code contribution yourself to Suricata? :)
I have created a test with the pcap you've uploaded here: https://github.com/OISF/suricata-verify/pull/1324Please let me know if you cannot do that for some reason, then, I'll give the credit to you in the commit.
Thanks, there are some reasons why I can't commit the code, I'm happy to contribute to the open source community.
Updated by Shivani Bhardwaj 9 months ago
Thanks, there are some reasons why I can't commit the code, I'm happy to contribute to the open source community.
No problem. Thanks a lot for reporting and proposing the fix. Would you want your name be credited in the commit? If yes, please let me know your name.
I have created a PR with the fix you proposed here: https://github.com/OISF/suricata/pull/9291
Updated by Shivani Bhardwaj 9 months ago
- Status changed from In Progress to In Review
Updated by INTER xz 9 months ago
Shivani Bhardwaj wrote in #note-8:
Thanks, there are some reasons why I can't commit the code, I'm happy to contribute to the open source community.
No problem. Thanks a lot for reporting and proposing the fix. Would you want your name be credited in the commit? If yes, please let me know your name.
I have created a PR with the fix you proposed here: https://github.com/OISF/suricata/pull/9291
My name in github is InterNALXz, use it alright. thank u!
Updated by Shivani Bhardwaj 9 months ago
- Status changed from In Review to Resolved
Closed by: https://github.com/OISF/suricata/pull/9291
Thank you @INTER xz !
Updated by Shivani Bhardwaj 9 months ago
- Status changed from Resolved to Closed