Bug #6191
Closed
if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc
Description
When I use a dcerpc pcap, the first packet type is Alter_context, and the next packet is Alter_context_resp. In this case, Suricata will not parse this pcap file, because the engine thought the first packet is a response, and an error occurred.
The file location is rust/src/dcerpc/dcerpc.rs:1337:
let is_request = hdr.hdrtype == 0x00;
Modify it as:
let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e;
This fixes it.
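The check discussed in the report, shown on constructed packet headers as an added example (this is not Suricata's code and not from the reporter). The names `parse_hdr`, `is_request_before`, `is_request_after` and `direction` are hypothetical; `direction` goes beyond the report by classifying the other common connection-oriented PDU types as well.

```rust
// Added example (not Suricata code). PDU type values are those of the
// DCE/RPC connection-oriented header; all names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Direction { ToServer, ToClient, Unknown }

pub struct Hdr { pub ptype: u8, pub frag_length: u16, pub call_id: u32 }

/// Parse the 16-byte common header; None if truncated or not version 5.0.
pub fn parse_hdr(b: &[u8]) -> Option<Hdr> {
    if b.len() < 16 || b[0] != 5 || b[1] != 0 {
        return None;
    }
    let le = (b[4] & 0x10) != 0; // drep[0] high nibble: 1 = little-endian
    let frag = [b[8], b[9]];
    let call = [b[12], b[13], b[14], b[15]];
    Some(Hdr {
        ptype: b[2],
        frag_length: if le { u16::from_le_bytes(frag) } else { u16::from_be_bytes(frag) },
        call_id: if le { u32::from_le_bytes(call) } else { u32::from_be_bytes(call) },
    })
}

/// The check quoted in the report, before and after the proposed change.
pub fn is_request_before(ptype: u8) -> bool { ptype == 0x00 }
pub fn is_request_after(ptype: u8) -> bool { ptype == 0x00 || ptype == 0x0e }

/// Generalization beyond the report: direction for the common PDU types.
pub fn direction(ptype: u8) -> Direction {
    match ptype {
        // request, bind, alter_context, auth3
        0x00 | 0x0b | 0x0e | 0x10 => Direction::ToServer,
        // response, fault, bind_ack, bind_nak, alter_context_resp
        0x02 | 0x03 | 0x0c | 0x0d | 0x0f => Direction::ToClient,
        _ => Direction::Unknown,
    }
}

// Constructed headers: Alter_context, then Alter_context_resp, call_id 2.
pub const ALTER_CTX: [u8; 16] = [5, 0, 0x0e, 3, 0x10, 0, 0, 0, 0x48, 0, 0, 0, 2, 0, 0, 0];
pub const ALTER_CTX_RESP: [u8; 16] = [5, 0, 0x0f, 3, 0x10, 0, 0, 0, 0x38, 0, 0, 0, 2, 0, 0, 0];

fn main() {
    for pkt in [&ALTER_CTX, &ALTER_CTX_RESP] {
        let h = parse_hdr(pkt).expect("constructed header parses");
        println!("ptype={:#04x} frag_length={} call_id={} before={} after={} dir={:?}",
            h.ptype, h.frag_length, h.call_id,
            is_request_before(h.ptype), is_request_after(h.ptype), direction(h.ptype));
    }
}
```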
Updated by Victor Julien 10 months ago
- Status changed from New to Assigned
- Target version changed from TBD to 7.0.1
Pcap should be used to create a SV test. Backport should be considered.
Updated by Shivani Bhardwaj 10 months ago
- Status changed from Assigned to In Progress
Updated by Shivani Bhardwaj 10 months ago
Hi @INTER xz ! Thank you for your report! Since you have already done the fix, would you like to make that code contribution yourself to Suricata? :)
I have created a test with the pcap you've uploaded here: https://github.com/OISF/suricata-verify/pull/1324
Please let me know if you cannot do that for some reason, then, I'll give the credit to you in the commit.
Updated by INTER xz 10 months ago
Shivani Bhardwaj wrote in #note-3:
> Hi @INTER xz ! Thank you for your report! Since you have already done the fix, would you like to make that code contribution yourself to Suricata? :)
> I have created a test with the pcap you've uploaded here: https://github.com/OISF/suricata-verify/pull/1324
> Please let me know if you cannot do that for some reason, then, I'll give the credit to you in the commit.
Thanks, there are some reasons why I can't commit the code, I'm happy to contribute to the open source community.
Updated by Shivani Bhardwaj 10 months ago
> Thanks, there are some reasons why I can't commit the code, I'm happy to contribute to the open source community.
No problem. Thanks a lot for reporting and proposing the fix. Would you want your name to be credited in the commit? If yes, please let me know your name.
I have created a PR with the fix you proposed here: https://github.com/OISF/suricata/pull/9291
Updated by Shivani Bhardwaj 10 months ago
- Status changed from In Progress to In Review
Updated by INTER xz 10 months ago
Shivani Bhardwaj wrote in #note-8:
> > Thanks, there are some reasons why I can't commit the code, I'm happy to contribute to the open source community.
> No problem. Thanks a lot for reporting and proposing the fix. Would you want your name to be credited in the commit? If yes, please let me know your name.
> I have created a PR with the fix you proposed here: https://github.com/OISF/suricata/pull/9291
My name on GitHub is InterNALXz; it is all right to use it. Thank you!
Updated by Shivani Bhardwaj 10 months ago
- Status changed from In Review to Resolved
Closed by: https://github.com/OISF/suricata/pull/9291
Thank you @INTER xz !
Updated by Shivani Bhardwaj 10 months ago
- Status changed from Resolved to Closed