Actions
Feature #8330
opendoc: explain dcerpc.opnum doesn't support operators >,<,!,=
Effort:
Difficulty:
Label:
Description
Recently our networking analysts found out that dcerpc.opnum and it's sibling dce_opnum don't support operators >,<,!,=
Suricata prints the error "Error parsing dce_opnum option in signature" while parsing rule:
alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:>1;)
The rule might be easily replaced by:
alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:2-65535;)
It seems the keyword is important and if it's a real problem then a Redmine ticket could be found but I didn't find anything related to it.
I think it's the documentation issue.
All operators might be easily replaced by precise numbers and/or ranges.
I checked also the implementation and I see the functionality was never present.
Updated by Victor Julien about 8 hours ago
- Copied from Feature #8179: dcerpc.opnum: doesn't support operators >,<,!,= added
Updated by OISF Ticketbot about 8 hours ago
- Label deleted (
Needs backport to 8.0)
Updated by OISF Ticketbot about 8 hours ago
- Label deleted (
Needs backport to 7.0)
Actions