Bug #5208
closedDCERPC protocol detection when nested in SMB
Description
I'm not sure this is really a bug or maybe just some confusion due to the lack of documentation, or if dcerpc probing is not working in this use case.
Consider the 3 rules, I would expect all three of them to fire given the use case of DCERPC nested in SMB (though I could understand if only sid:1 fires)
alert dcerpc any any -> any any (msg:"ET POLICY DCERPC SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:1; rev:1;) alert smb any any -> any any (msg:"ET POLICY DCERPC SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:2; rev:1;) alert tcp any any -> any [135,139,445,1024:] (msg:"ET POLICY DCERPC SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:3; rev:1;)
sid:3 is taken directly from suricata-test https://github.com/OISF/suricata-verify/blob/master/tests/dcerpc/dcerpc-dce-iface-01/test.rules
However, When running these rules against the attached pcap, only sid:2 and sid:3 fire with gitmaster, which is unexpected to me.
It would appear that the DCERPC protocol is not matching when it's nested in SMB, though the dcerpc keywords work fine when using the SMB protocol, so not sure what's going on there.
Files