Task #8692: tracking: detect: DCERPC keywords coverage
Status: open
Description
Adding a few new keywords to simplify the rule detection logic. This should apply to both raw DCERPC (tcp/udp) and SMB-wrapped DCERPC.
- dcerpc.ptype (packet type) - request (0x00), response (0x02), bind (0x0B), and fault (0x03)
Create sticky buffers for flags and header:
- dcerpc.flags (sticky buffer)
- dcerpc.is_fragmented (bool) - standalone keyword indicating fragmentation.
- dcerpc.header (sticky buffer)
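To make the proposed fields concrete, the following is an added example written for this page; it is not code from the ticket or from Suricata. It parses the 16-byte DCE/RPC connection-oriented common header as laid out in the DCE 1.1 RPC specification and derives exactly what the four keywords above would expose: the packet type, the pfc_flags byte, the raw header bytes, and an is_fragmented verdict (a PDU is a whole message only when both PFC_FIRST_FRAG and PFC_LAST_FRAG are set). The sample PDUs are constructed, with zero-filled bodies, and one of them uses big-endian data representation to show why frag_length and call_id must be decoded according to the drep label rather than assumed little-endian.

```python
"""Added example (not from the Suricata ticket or code base): parse the 16-byte
DCE/RPC connection-oriented common header and derive the fields the proposed
keywords describe: ptype, flags, the raw header buffer, and is_fragmented."""
import struct

# Packet types from the DCE 1.1 RPC specification; the ticket names
# request, response, fault and bind.
PTYPE_NAMES = {
    0x00: "request",
    0x01: "ping",
    0x02: "response",
    0x03: "fault",
    0x0B: "bind",
    0x0C: "bind_ack",
    0x0D: "bind_nak",
    0x0E: "alter_context",
    0x0F: "alter_context_resp",
}

# pfc_flags bits from the same specification.
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_PENDING_CANCEL = 0x04
PFC_CONC_MPX = 0x10
PFC_DID_NOT_EXECUTE = 0x20
PFC_MAYBE = 0x40
PFC_OBJECT_UUID = 0x80

HEADER_LEN = 16
WHOLE_MSG_MASK = PFC_FIRST_FRAG | PFC_LAST_FRAG


def parse_header(pdu: bytes) -> dict:
    """Return the header fields of one connection-oriented DCE/RPC PDU.

    Layout: rpc_vers(1) rpc_vers_minor(1) ptype(1) pfc_flags(1) drep(4)
            frag_length(2) auth_length(2) call_id(4)
    The three multi-byte integers follow the endianness announced in drep,
    so they are decoded only after the data representation label is read.
    """
    if len(pdu) < HEADER_LEN:
        raise ValueError("PDU shorter than the 16-byte common header")
    vers, _vers_minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    if vers != 5:
        raise ValueError(f"unsupported rpc_vers {vers}")
    drep = pdu[4:8]
    # High nibble of drep[0]: 0 = big-endian integers, 1 = little-endian.
    endian = "<" if (drep[0] >> 4) == 1 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    # A PDU carries a whole message only when it is both the first and the
    # last fragment; anything else is one piece of a fragmented message.
    whole = (flags & WHOLE_MSG_MASK) == WHOLE_MSG_MASK
    return {
        "ptype": ptype,
        "ptype_name": PTYPE_NAMES.get(ptype, "unknown"),
        "flags": flags,
        "is_fragmented": not whole,
        "frag_length": frag_length,
        "auth_length": auth_length,
        "call_id": call_id,
        "truncated": len(pdu) < frag_length,
        "header": pdu[:HEADER_LEN],  # what a dcerpc.header buffer would expose
    }


# Constructed sample PDUs (not captured traffic); bodies are zero-filled.
# Little-endian bind, first+last frag set, frag_length 72, call_id 1.
BIND_PDU = bytes.fromhex("05000b0310000000") + struct.pack("<HHI", 72, 0, 1) + bytes(56)
# Little-endian request carrying only PFC_FIRST_FRAG: a fragmented call.
FRAG_REQUEST_PDU = bytes.fromhex("0500000110000000") + struct.pack("<HHI", 24, 0, 2) + bytes(8)
# Big-endian response (drep 0x00): lengths and call_id must be decoded as ">".
BE_RESPONSE_PDU = bytes.fromhex("0500020300000000") + struct.pack(">HHI", 16, 0, 3)


def summarize(pdus):
    """Parse each PDU and return (ptype_name, flags, is_fragmented) tuples,
    the view a rule writer would get from the proposed keywords."""
    return [(h["ptype_name"], h["flags"], h["is_fragmented"])
            for h in map(parse_header, pdus)]


if __name__ == "__main__":
    for name, flags, frag in summarize([BIND_PDU, FRAG_REQUEST_PDU, BE_RESPONSE_PDU]):
        print(f"{name:10s} flags=0x{flags:02x} fragmented={frag}")
```

The `truncated` field is the check a detection engine needs before trusting `frag_length`: a PDU whose declared fragment length exceeds the bytes actually present should be treated as incomplete rather than matched against stub-data content.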
Updated by Lukas Sismis 1 day ago
- Tracker changed from Feature to Task
- Subject changed from New DCERPC Keywords to tracking: DCERPC keywords coverage
- Status changed from New to Triaged
- Assignee set to OISF Dev
I treat this original ticket as an idea aggregator.
When one starts creating the keywords, please create a ticket per keyword.
Updated by Lukas Sismis 1 day ago
- Subject changed from tracking: DCERPC keywords coverage to tracking: detect: DCERPC keywords coverage