Feature #8179: dcerpc.opnum: doesn't support operators >,<,!,= - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #8179

closed

AS PA

dcerpc.opnum: doesn't support operators >,<,!,=

Feature #8179: dcerpc.opnum: doesn't support operators >,<,!,=

Added by Alexander Stadnikov 4 months ago. Updated about 4 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

9.0.0-beta1

Effort:

Difficulty:

Label:

Description

Recently our networking analysts found out that dcerpc.opnum and it's sibling dce_opnum don't support operators >,<,!,=

Suricata prints the error "Error parsing dce_opnum option in signature" while parsing rule:

alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:>1;)

The rule might be easily replaced by:

alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:2-65535;)

It seems the keyword is important and if it's a real problem then a Redmine ticket could be found but I didn't find anything related to it.
I think it's the documentation issue.

All operators might be easily replaced by precise numbers and/or ranges.

I checked also the implementation and I see the functionality was never present.

Related issues 3 (2 open — 1 closed)

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Feature #8179

dcerpc.opnum: doesn't support operators >,<,!,=

VJ Updated by Victor Julien 4 months ago Actions
Copy link
#1

VJ Updated by Victor Julien 4 months ago Actions
Copy link
#2

VJ Updated by Victor Julien 4 months ago Actions
Copy link
#3

PA Updated by Philippe Antoine 4 months ago Actions
Copy link
#4

VJ Updated by Victor Julien about 2 months ago Actions
Copy link
#5

VJ Updated by Victor Julien about 2 months ago Actions
Copy link
#6

PA Updated by Philippe Antoine about 1 month ago Actions
Copy link
#7

PA Updated by Philippe Antoine 29 days ago Actions
Copy link
#8

PA Updated by Philippe Antoine about 4 hours ago Actions
Copy link
#9

Related to Suricata - Task #6644: tracking: detect: integer as first-class support	In Progress	Philippe Antoine	Actions
Related to Suricata - Optimization #8391: detect/dcerpc: move code to rust	In Progress	Philippe Antoine	Actions
Copied to Suricata - Documentation #8330: doc: explain dcerpc.opnum doesn't support operators >,<,!,=	Closed	Victor Julien	Actions

Project

General

Profile

Suricata

Custom queries

Feature #8179

dcerpc.opnum: doesn't support operators >,<,!,=

VJ Updated by Victor Julien 4 months ago ActionsCopy link #1

VJ Updated by Victor Julien 4 months ago ActionsCopy link #2

VJ Updated by Victor Julien 4 months ago ActionsCopy link #3

PA Updated by Philippe Antoine 4 months ago ActionsCopy link #4

VJ Updated by Victor Julien about 2 months ago ActionsCopy link #5

VJ Updated by Victor Julien about 2 months ago ActionsCopy link #6

PA Updated by Philippe Antoine about 1 month ago ActionsCopy link #7

PA Updated by Philippe Antoine 29 days ago ActionsCopy link #8

PA Updated by Philippe Antoine about 4 hours ago ActionsCopy link #9

VJ Updated by Victor Julien 4 months ago Actions
Copy link
#1

VJ Updated by Victor Julien 4 months ago Actions
Copy link
#2

VJ Updated by Victor Julien 4 months ago Actions
Copy link
#3

PA Updated by Philippe Antoine 4 months ago Actions
Copy link
#4

VJ Updated by Victor Julien about 2 months ago Actions
Copy link
#5

VJ Updated by Victor Julien about 2 months ago Actions
Copy link
#6

PA Updated by Philippe Antoine about 1 month ago Actions
Copy link
#7

PA Updated by Philippe Antoine 29 days ago Actions
Copy link
#8

PA Updated by Philippe Antoine about 4 hours ago Actions
Copy link
#9