Project

General

Profile

Actions
Copy link

Bug #7187

open

detect: dcerpc logging and matching issues

Added by Victor Julien about 2 months ago. Updated about 22 hours ago.

Status:
Resolved
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

originally reported here https://forum.suricata.io/t/suricata-protocol-dcerpc-cannot-trigger-alert-when-adding-new-rule/4788

In the DCERPC over TCP pcap, logging and rule matching is disrupted by adding a simple rule:

alert tcp any any -> any any (flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; content:!"|00|"; within:100; distance:97; sid:1; rev:1; )

Works: alert + 3 dcerpc records.

But when adding a trivial rule:

alert tcp any any -> any any (flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; content:!"|00|"; within:100; distance:97; sid:1; rev:1; )
alert tcp any any -> any any (dsize:3; sid:2; rev:1; )

The alert for sid:1 disappears and also there is one dcerpc event less.

Files

test.pcap (5.88 KB) test.pcap Victor Julien, 07/31/2024 11:44 AM

Subtasks 1 (1 open0 closed)

Bug #7188: detect: dcerpc logging and matching issues (7.0.x backport)AssignedVictor JulienActions
Actions
Copy link

Also available in: Atom PDF