Task #8692: tracking: detect: DCERPC keywords coverage

Added by Stuart DC 4 days ago. Updated 1 day ago.

Status:
Triaged
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Adding a few new keywords to simplify the rule detection logic. This should apply to both raw dcerpc (tcp/udp) and smb wrapped dcerpc.

dcerpc.ptype (packet type) - request (0x00), response (0x02), bind (0x0B), and fault (0x03)

Create sticky buffers for flags and header.
  • dcerpc.flags (sticky buffer)
    • dcerpc.is_fragmented (bool) - standalone keyword indicating fragmentation.
  • dcerpc.header (sticky buffer)
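As an added illustration of what the proposed keywords would match on (example code written for this page, not code from the ticket or from Suricata), the following parses the 16-byte connection-oriented DCERPC common header, the layout seen over TCP and inside SMB, and evaluates ptype, flags and is_fragmented against constructed sample headers. The is_fragmented semantics (a PDU that does not carry both FIRST_FRAG and LAST_FRAG) is an assumption, since the ticket does not define it; the connectionless UDP header has a different layout and is not covered.

```python
import struct
from dataclasses import dataclass

# Connection-oriented DCERPC common header (16 bytes) as used over TCP or inside SMB.
PFC_FIRST_FRAG = 0x01  # pfc_flags bits that delimit a multi-PDU message
PFC_LAST_FRAG = 0x02

@dataclass
class DcerpcHeader:
    rpc_vers: int
    rpc_vers_minor: int
    ptype: int
    pfc_flags: int
    drep: bytes
    frag_length: int
    auth_length: int
    call_id: int

    @property
    def is_fragmented(self) -> bool:
        # Assumed semantics for dcerpc.is_fragmented: a PDU is part of a larger
        # message unless it carries both FIRST_FRAG and LAST_FRAG.
        both = PFC_FIRST_FRAG | PFC_LAST_FRAG
        return (self.pfc_flags & both) != both

def parse_header(pdu: bytes) -> DcerpcHeader:
    """Parse the 16-byte common header; integer byte order comes from drep[0]."""
    if len(pdu) < 16:
        raise ValueError("truncated DCERPC header")
    vers, vers_minor, ptype, flags = struct.unpack_from("BBBB", pdu, 0)
    endian = "<" if pdu[4] & 0x10 else ">"  # bit 4 of drep[0] set => little-endian
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if vers != 5:
        raise ValueError(f"unexpected rpc_vers {vers}")
    return DcerpcHeader(vers, vers_minor, ptype, flags, pdu[4:8], frag_len, auth_len, call_id)

def matches(hdr: DcerpcHeader, ptype=None, flags=None, is_fragmented=None) -> bool:
    """Evaluate the ticket's proposed keywords (ptype, flags, is_fragmented) on one header."""
    if ptype is not None and hdr.ptype != ptype:
        return False
    if flags is not None and (hdr.pfc_flags & flags) != flags:  # all listed bits must be set
        return False
    if is_fragmented is not None and hdr.is_fragmented != is_fragmented:
        return False
    return True

# Constructed sample headers (not real captures): a bind, and a request split in two PDUs.
BIND_PDU = bytes([5, 0, 0x0B, 0x03, 0x10, 0, 0, 0]) + struct.pack("<HHI", 72, 0, 1)
REQ_FIRST_PDU = bytes([5, 0, 0x00, 0x01, 0x10, 0, 0, 0]) + struct.pack("<HHI", 1024, 0, 2)
REQ_LAST_PDU = bytes([5, 0, 0x00, 0x02, 0x10, 0, 0, 0]) + struct.pack("<HHI", 200, 0, 2)
```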

Updated by Lukas Sismis 1 day ago #1

  • Tracker changed from Feature to Task
  • Subject changed from New DCERPC Keywords to tracking: DCERPC keywords coverage
  • Status changed from New to Triaged
  • Assignee set to OISF Dev

I treat this original ticket as an idea aggregator.
When one starts creating the keywords, please create a ticket per keyword.

Updated by Lukas Sismis 1 day ago #2

  • Subject changed from tracking: DCERPC keywords coverage to tracking: detect: DCERPC keywords coverage