Feature #8179

dcerpc.opnum: doesn't support operators >,<,!,=

Added by Alexander Stadnikov 7 days ago. Updated 7 days ago.

Status: Assigned
Priority: Normal
Target version: 9.0.0-beta1
Effort: low
Label: Beginner, Good First Issue

Description

Recently our networking analysts found out that dcerpc.opnum and its sibling dce_opnum don't support the operators >, <, !, =.

Suricata prints the error "Error parsing dce_opnum option in signature" while parsing the rule:

alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:>1;)

The rule might be easily replaced by:

alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:2-65535;)

It seems the keyword is important, and if it's a real problem then a Redmine ticket could be found, but I didn't find anything related to it.
I think it's a documentation issue.

All operators might be easily replaced by precise numbers and/or ranges.

I also checked the implementation and I see the functionality was never present.


Related issues (1 open, 0 closed)

Related to Suricata - Task #6644: tracking: detect: integer as first-class support (In Progress, Philippe Antoine)
#1

Updated by Victor Julien 7 days ago

  • Related to Task #6644: tracking: detect: integer as first-class support added
#2

Updated by Victor Julien 7 days ago

  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version changed from TBD to 9.0.0-beta1

@Philippe Antoine a quick look at the current code suggests this could use the generic u32 support?

#3

Updated by Victor Julien 7 days ago

  • Tracker changed from Bug to Feature
  • Subject changed from doc: dcerpc.opnum doesn't support operators >,<,!,= to dcerpc.opnum: doesn't support operators >,<,!,=
  • Affected Versions deleted (7.0.13)

@alexander.stadnikov thanks for reporting this. I think I'd rather see the support added than the docs updated :)

#4

Updated by Philippe Antoine 7 days ago

Victor Julien wrote in #note-2:

a quick look at the current code suggests this could use the generic u32 support?

Not so easy, as the current implementation supports args like 12,26,62,61,6513-6666.
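As an added example, not code from Suricata or from anyone in this thread, the following stand-alone Rust parser shows what an option parser would have to accept to satisfy both sides of the discussion: the legacy comma-separated list with ranges that Philippe mentions (12,26,62,61,6513-6666) and the >, <, !, = operator forms the report asks for. The type and function names (OpnumMatch, parse_opnum, equivalent) are invented here, and the sample option strings are the ones quoted on this page.

```rust
// Added example, not Suricata's code: a parser for a dcerpc.opnum-style
// option value that accepts the legacy comma-separated list with ranges
// ("12,26,62,61,6513-6666") as well as the operator forms ">N", "<N",
// "!N" and "=N". OpnumMatch, parse_opnum and equivalent are invented names.

/// The DCERPC request opnum is a 16-bit field, so every bound is a u16.
#[derive(Debug, Clone, PartialEq)]
pub enum OpnumMatch {
    Eq(u16),
    Ne(u16),
    Gt(u16),
    Lt(u16),
    /// Inclusive on both ends.
    Range(u16, u16),
    /// Legacy comma-separated list: matches if any element matches.
    Any(Vec<OpnumMatch>),
}

impl OpnumMatch {
    /// Evaluate the parsed option against the opnum of one request PDU.
    pub fn matches(&self, opnum: u16) -> bool {
        match self {
            OpnumMatch::Eq(v) => opnum == *v,
            OpnumMatch::Ne(v) => opnum != *v,
            OpnumMatch::Gt(v) => opnum > *v,
            OpnumMatch::Lt(v) => opnum < *v,
            OpnumMatch::Range(lo, hi) => (*lo..=*hi).contains(&opnum),
            OpnumMatch::Any(items) => items.iter().any(|m| m.matches(opnum)),
        }
    }
}

fn parse_u16(s: &str) -> Result<u16, String> {
    let s = s.trim();
    s.parse::<u16>().map_err(|e| format!("bad opnum '{}': {}", s, e))
}

/// One element: "N", "=N", "!N", ">N", "<N" or "LO-HI".
fn parse_element(s: &str) -> Result<OpnumMatch, String> {
    let s = s.trim();
    if s.is_empty() {
        return Err("empty opnum element".to_string());
    }
    if let Some(rest) = s.strip_prefix('>') {
        let v = parse_u16(rest)?;
        // ">65535" can never match a 16-bit opnum; refuse to load a dead rule.
        if v == u16::MAX {
            return Err(format!(">{} never matches", v));
        }
        return Ok(OpnumMatch::Gt(v));
    }
    if let Some(rest) = s.strip_prefix('<') {
        let v = parse_u16(rest)?;
        if v == 0 {
            return Err("<0 never matches".to_string());
        }
        return Ok(OpnumMatch::Lt(v));
    }
    if let Some(rest) = s.strip_prefix('!') {
        return Ok(OpnumMatch::Ne(parse_u16(rest)?));
    }
    if let Some(rest) = s.strip_prefix('=') {
        return Ok(OpnumMatch::Eq(parse_u16(rest)?));
    }
    if let Some((lo, hi)) = s.split_once('-') {
        let (lo, hi) = (parse_u16(lo)?, parse_u16(hi)?);
        if lo > hi {
            return Err(format!("inverted range {}-{}", lo, hi));
        }
        return Ok(OpnumMatch::Range(lo, hi));
    }
    Ok(OpnumMatch::Eq(parse_u16(s)?))
}

/// Parse the full option value. A comma list keeps the legacy grammar
/// (plain numbers and ranges, OR'ed together); "!", "<" and ">" are only
/// accepted as a single element, since a union such as "!1,!2" would
/// match every opnum and is almost certainly a rule-writing mistake.
pub fn parse_opnum(arg: &str) -> Result<OpnumMatch, String> {
    let arg = arg.trim();
    if !arg.contains(',') {
        return parse_element(arg);
    }
    let mut items = Vec::new();
    for part in arg.split(',') {
        match parse_element(part)? {
            m @ (OpnumMatch::Eq(_) | OpnumMatch::Range(_, _)) => items.push(m),
            _ => return Err(format!("operator not allowed inside a list: '{}'", part.trim())),
        }
    }
    Ok(OpnumMatch::Any(items))
}

/// True if two parsed options accept exactly the same opnums; this is how
/// to check that ">1" and "2-65535" from the report are interchangeable.
pub fn equivalent(a: &OpnumMatch, b: &OpnumMatch) -> bool {
    (0..=u16::MAX).all(|n| a.matches(n) == b.matches(n))
}
```

The checks in parse_element are the ones a rule loader should fail loudly on rather than silently accept: a comparison that can never match a 16-bit value (>65535, <0), an inverted range, and a negation or comparison inside a comma list, where the OR semantics of the list would turn it into a match-everything rule. The equivalent helper brute-forces the whole u16 space, which is cheap and confirms the report's claim that dcerpc.opnum:>1 and dcerpc.opnum:2-65535 accept exactly the same opnums.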
