Bug #8577: dcerpc: bind PDUs with 0 pfc_flags don't match without any_frag

Added by Shivani Bhardwaj 1 day ago. Updated about 4 hours ago.

Status: New
Priority: Normal
Assignee: -
Target version: -

Description

Reported by @alexey.
PCAP to be provided.

The issue was misrepresented. Conversation on this issue provides clarification.


Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #8457: dcerpc.iface keyword matches any interface if PFC_FIRST_FRAG is missing in the BIND request (Closed, Philippe Antoine)

#1 Updated by Shivani Bhardwaj 1 day ago

  • Related to Bug #8457: dcerpc.iface keyword matches any interface if PFC_FIRST_FRAG is missing in the BIND request added

#2 Updated by Philippe Antoine about 20 hours ago

PCAP is already merged in SV with the previous ticket.

#3 Updated by Philippe Antoine about 20 hours ago

If we agree this is the desired behavior, we mostly need to update the doc.

#4 Updated by Alexey Monastyrskiy about 16 hours ago

> any_frag does not match on PDU with pfc_flags set to 0

I think the issue being discussed is that a lack of `any_frag` makes the signature not match on single-fragment BIND PDUs with pfc_flags set to 0. The PCAP is the same as in #8457. The test is the same as provided in #8457 too. The one that got merged in SV was changed to only match on the session with "normal" BIND pfc_flags, but originally I made it to also match on zeroed-out pfc_flags. (The PCAP contains two sessions.)

#5 Updated by Shivani Bhardwaj about 8 hours ago · Edited

  • Subject changed from "dcerpc: any_frag does not match on PDU with pfc_flags set to 0" to "dcerpc: bind PDUs with 0 pfc_flags don't match without any_frag"
  • Status changed from New to Rejected

Thank you, alexey!
I apologize. I was using an incorrect Wireshark filter on the PCAP you provided and misunderstood you based on that.
I thought `dcerpc.cn_flags.first_frag` wouldn't show me packets with flags set to 0, but I had to use an explicit `dcerpc.cn_flags.first_frag > 0`.

Based on Philippe's suggestion, I am rejecting this ticket and just keeping the doc update one. Thanks a lot for patiently and actively responding!

#6 Updated by Shivani Bhardwaj about 8 hours ago

  • Description updated (diff)
  • Assignee deleted (OISF Dev)
  • Target version deleted (9.0.0-beta1)

#7 Updated by Shivani Bhardwaj about 8 hours ago

  • Description updated (diff)

#8 Updated by Philippe Antoine about 4 hours ago

  • Status changed from Rejected to New

> Based on Philippe's suggestion, I am rejecting this ticket

That is not what I meant.

I meant the code change is less than one line, but the doc change should be much bigger...
