Actions
Documentation #8330
closeddoc: explain dcerpc.opnum doesn't support operators >,<,!,=
Affected Versions:
Effort:
Difficulty:
Label:
Description
Recently our networking analysts found out that dcerpc.opnum and it's sibling dce_opnum don't support operators >,<,!,=
Suricata prints the error "Error parsing dce_opnum option in signature" while parsing rule:
alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:>1;)
The rule might be easily replaced by:
alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:2-65535;)
It seems the keyword is important and if it's a real problem then a Redmine ticket could be found but I didn't find anything related to it.
I think it's the documentation issue.
All operators might be easily replaced by precise numbers and/or ranges.
I checked also the implementation and I see the functionality was never present.
Updated by Victor Julien 25 days ago
- Copied from Feature #8179: dcerpc.opnum: doesn't support operators >,<,!,= added
Updated by Victor Julien 24 days ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien 20 days ago
- Status changed from In Review to Resolved
Updated by Shivani Bhardwaj 18 days ago
- Tracker changed from Feature to Documentation
Feature ticket is linked. The tracker came from #8179. This is just the documentation update, so, updated tracker accordingly.
Actions