Bug #6191: if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6191

closed

IX SB

if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc

Bug #6191: if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc

Added by INTER xz almost 3 years ago. Updated over 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Shivani Bhardwaj

Target version:

7.0.1

Affected Versions:

6.0.6

Effort:

medium

Difficulty:

Label:

Description

When i use a dcerpc pcap, the first packet type is Alter_context, and next packet is Alter_context_resp. In this case, Suricata will not parse this pcap file.Because engine thought first packet is a response, and error is occurred.

file location is rust/src/dcerpc/dcerpc.rs:1337,
let is_request = hdr.hdrtype 0x00;

modify it as:
let is_request = hdr.hdrtype 0x00 || hdr.hdrtype == 0x0e;

it fix.

Files

opcda.pcap (12.9 KB) opcda.pcap

INTER xz, 06/30/2023 09:37 AM

Subtasks 1 (0 open — 1 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #6191

if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#1

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#2

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#3

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#4

OT Updated by OISF Ticketbot over 2 years ago Actions
Copy link
#5

OT Updated by OISF Ticketbot over 2 years ago Actions
Copy link
#6

IX Updated by INTER xz over 2 years ago Actions
Copy link
#7

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#8

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#9

IX Updated by INTER xz over 2 years ago Actions
Copy link
#10

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#11

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#12

Project

General

Profile

Suricata

Custom queries

Bug #6191

if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc

VJ Updated by Victor Julien over 2 years ago ActionsCopy link #1

SB Updated by Shivani Bhardwaj over 2 years ago ActionsCopy link #2

SB Updated by Shivani Bhardwaj over 2 years ago ActionsCopy link #3

SB Updated by Shivani Bhardwaj over 2 years ago ActionsCopy link #4

OT Updated by OISF Ticketbot over 2 years ago ActionsCopy link #5

OT Updated by OISF Ticketbot over 2 years ago ActionsCopy link #6

IX Updated by INTER xz over 2 years ago ActionsCopy link #7

SB Updated by Shivani Bhardwaj over 2 years ago ActionsCopy link #8

SB Updated by Shivani Bhardwaj over 2 years ago ActionsCopy link #9

IX Updated by INTER xz over 2 years ago ActionsCopy link #10

SB Updated by Shivani Bhardwaj over 2 years ago ActionsCopy link #11

SB Updated by Shivani Bhardwaj over 2 years ago ActionsCopy link #12

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#1

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#2

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#3

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#4

OT Updated by OISF Ticketbot over 2 years ago Actions
Copy link
#5

OT Updated by OISF Ticketbot over 2 years ago Actions
Copy link
#6

IX Updated by INTER xz over 2 years ago Actions
Copy link
#7

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#8

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#9

IX Updated by INTER xz over 2 years ago Actions
Copy link
#10

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#11

SB Updated by Shivani Bhardwaj over 2 years ago Actions
Copy link
#12