Task #8692: tracking: detect: DCERPC keywords coverage

Added by Stuart DC 4 days ago. Updated 1 day ago.

Status: Triaged
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Adding a few new keywords to simplify the rule detection logic. This should apply to both raw DCERPC (TCP/UDP) and SMB-wrapped DCERPC.

  • dcerpc.ptype (packet type) - request (0x00), response (0x02), bind (0x0B), and fault (0x03)

Create sticky buffers for flags and header:

  • dcerpc.flags (sticky buffer)
  • dcerpc.is_fragmented (bool) - standalone keyword indicating fragmentation.
  • dcerpc.header (sticky buffer)
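To show what these keywords would inspect, here is an added Python example (not Suricata code) that parses the 16-byte connection-oriented DCE/RPC PDU header and derives the ptype, the pfc_flags byte, the raw header bytes and a fragmentation flag. The is_fragmented rule used here (a PDU is fragmented unless both PFC_FIRST_FRAG and PFC_LAST_FRAG are set) and the matches() helper are assumptions, since the ticket does not define them.

```python
import struct
from dataclasses import dataclass

# Packet types the ticket names, with their DCE/RPC connection-oriented PDU values.
PTYPE_NAMES = {0x00: "request", 0x02: "response", 0x03: "fault", 0x0B: "bind"}
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02  # pfc_flags bits from the DCE/RPC spec


@dataclass
class DcerpcHeader:
    ptype: int
    flags: int
    frag_length: int
    call_id: int
    raw: bytes  # the 16 header bytes, i.e. what a dcerpc.header buffer would expose

    @property
    def ptype_name(self) -> str:
        return PTYPE_NAMES.get(self.ptype, f"unknown(0x{self.ptype:02x})")

    @property
    def is_fragmented(self) -> bool:
        # Assumption: a PDU counts as fragmented unless FIRST and LAST are both set.
        both = PFC_FIRST_FRAG | PFC_LAST_FRAG
        return (self.flags & both) != both


def parse_header(data: bytes) -> DcerpcHeader:
    """Parse the 16-byte connection-oriented DCE/RPC common header."""
    if len(data) < 16:
        raise ValueError("truncated DCERPC header")
    vers, ptype, flags = data[0], data[2], data[3]
    if vers != 5:
        raise ValueError(f"unsupported rpc_vers {vers}")
    # drep[0] high nibble selects the integer byte order of the remaining fields.
    endian = "<" if (data[4] & 0xF0) == 0x10 else ">"
    frag_length, _auth_length, call_id = struct.unpack(endian + "HHI", data[8:16])
    return DcerpcHeader(ptype, flags, frag_length, call_id, bytes(data[:16]))


def matches(hdr: DcerpcHeader, **keywords) -> bool:
    """Hypothetical stand-in for rule evaluation: matches(hdr, ptype="bind",
    is_fragmented=False) checks each keyword-named field against its value."""
    return all(getattr(hdr, "ptype_name" if k == "ptype" else k) == v
               for k, v in keywords.items())

# Constructed sample PDU headers: a complete bind, and a request with only FIRST_FRAG set.
BIND = bytes.fromhex("05000b03" "10000000" "4800" "0000" "01000000")
FRAG_REQUEST = bytes.fromhex("05000001" "10000000" "d005" "0000" "02000000")
```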
