Documentation #8330
closed
doc: explain dcerpc.opnum doesn't support operators >,<,!,=
Description
Recently our networking analysts found out that dcerpc.opnum and its sibling dce_opnum don't support the operators >,<,!,=
Suricata prints the error "Error parsing dce_opnum option in signature" while parsing rule:
alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:>1;)
The rule might be easily replaced by:
alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; flow:to_server,established; dcerpc.opnum:2-65535;)
It seems the keyword is important, and if it's a real problem then a Redmine ticket could be found, but I didn't find anything related to it.
I think it's a documentation issue.
All operators might be easily replaced by precise numbers and/or ranges.
I checked also the implementation and I see the functionality was never present.
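The following rule-linting helper is an added example and is not code from the ticket or from Suricata itself. It models the option grammar the ticket describes (plain numbers and ranges, plus the comma-separated lists that the dce_opnum documentation also allows), raises the same kind of parse error Suricata reports for an operator form, and rewrites >, <, ! and = into the equivalent explicit ranges so a rule like the one in the ticket can be fixed mechanically. The function and constant names are my own; the two rules are the ones quoted above.

```python
import re

OPNUM_MAX = 0xFFFF  # a DCERPC opnum is a 16-bit value, so 65535 is the top of any range

# Accepted item forms: "12" or "12-24". Lists are comma separated.
# Comparison operators are not in this grammar, which is why Suricata
# reports "Error parsing dce_opnum option in signature" for ">1".
_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")
_OP_RE = re.compile(r"^([<>!=])(\d+)$")
_OPT_RE = re.compile(r"(dcerpc\.opnum|dce_opnum):([^;]*);")

# Rules quoted in the ticket (constructed sid/msg values as given there).
RULE_BEFORE = ('alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; '
               'flow:to_server,established; dcerpc.opnum:>1;)')
RULE_AFTER = ('alert tcp any any -> any any (msg:"CVE-2024-38073"; sid:200; rev:1; '
              'flow:to_server,established; dcerpc.opnum:2-65535;)')


def parse_opnum_spec(spec):
    """Return a list of (lo, hi) inclusive ranges, or raise ValueError."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError("Error parsing dce_opnum option in signature: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if lo > hi or hi > OPNUM_MAX:
            raise ValueError("invalid opnum range: %r" % item)
        ranges.append((lo, hi))
    return ranges


def opnum_matches(spec, opnum):
    """True if an observed opnum falls inside any range of a valid spec."""
    return any(lo <= opnum <= hi for lo, hi in parse_opnum_spec(spec))


def rewrite_operator(spec):
    """Translate an unsupported >, <, ! or = form into explicit ranges."""
    m = _OP_RE.match(spec.strip())
    if not m:
        raise ValueError("cannot rewrite opnum option: %r" % spec)
    op, n = m.group(1), int(m.group(2))
    if n > OPNUM_MAX:
        raise ValueError("opnum out of range: %d" % n)
    if op == "=":
        return str(n)
    if op == ">":
        if n == OPNUM_MAX:
            raise ValueError(">%d matches nothing" % n)
        return "%d-%d" % (n + 1, OPNUM_MAX)
    if op == "<":
        if n == 0:
            raise ValueError("<0 matches nothing")
        return "0-%d" % (n - 1)
    # "!" means everything except n: one or two ranges around it
    parts = []
    if n > 0:
        parts.append("0-%d" % (n - 1))
    if n < OPNUM_MAX:
        parts.append("%d-%d" % (n + 1, OPNUM_MAX))
    return ",".join(parts)


def lint_rule(rule):
    """Return the rule with every operator-form opnum option rewritten.

    Options that already parse are left untouched; forms that can neither
    be parsed nor rewritten raise ValueError, as a rule loader would.
    """
    def fix(m):
        keyword, value = m.group(1), m.group(2).strip()
        try:
            parse_opnum_spec(value)
            return m.group(0)
        except ValueError:
            return "%s:%s;" % (keyword, rewrite_operator(value))
    return _OPT_RE.sub(fix, rule)


if __name__ == "__main__":
    print(lint_rule(RULE_BEFORE))
```

Running the module prints the rewritten rule, which is exactly the replacement the ticket proposes; opnum_matches lets you confirm that the range form accepts and rejects the same opnum values the intended ">1" would have.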
VJ Updated by Victor Julien about 2 months ago
- Copied from Feature #8179: dcerpc.opnum: doesn't support operators >,<,!,= added
OT Updated by OISF Ticketbot about 2 months ago
- Subtask #8331 added
OT Updated by OISF Ticketbot about 2 months ago
- Label deleted (Needs backport to 8.0)
OT Updated by OISF Ticketbot about 2 months ago
- Subtask #8332 added
OT Updated by OISF Ticketbot about 2 months ago
- Label deleted (Needs backport to 7.0)
VJ Updated by Victor Julien about 2 months ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Victor Julien
VJ Updated by Victor Julien about 1 month ago
- Status changed from In Review to Resolved
SB Updated by Shivani Bhardwaj about 1 month ago
- Tracker changed from Feature to Documentation
Feature ticket is linked. The tracker came from #8179. This is just the documentation update, so, updated tracker accordingly.
PA Updated by Philippe Antoine about 1 month ago
- Status changed from Resolved to Closed