Project

General

Profile

Actions

Bug #5208

closed

DCERPC protocol detection when nested in SMB

Added by Brandon Murphy over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm not sure this is really a bug or maybe just some confusion due to the lack of documentation, or if dcerpc probing is not working in this use case.

Consider the 3 rules, I would expect all three of them to fire given the use case of DCERPC nested in SMB (though I could understand if only sid:1 fires)

alert dcerpc any any -> any any (msg:"ET POLICY DCERPC  SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:1; rev:1;)
alert smb any any -> any any (msg:"ET POLICY DCERPC  SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:2; rev:1;)
alert tcp any any -> any [135,139,445,1024:] (msg:"ET POLICY DCERPC  SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:3; rev:1;)

sid:3 is taken directly from suricata-test https://github.com/OISF/suricata-verify/blob/master/tests/dcerpc/dcerpc-dce-iface-01/test.rules

However, When running these rules against the attached pcap, only sid:2 and sid:3 fire with gitmaster, which is unexpected to me.

It would appear that the DCERPC protocol is not matching when it's nested in SMB, though the dcerpc keywords work fine when using the SMB protocol, so not sure what's going on there.


Files

cool_1.pcap (377 KB) cool_1.pcap Brandon Murphy, 03/25/2022 01:07 PM

Subtasks 2 (0 open2 closed)

Bug #5395: DCERPC protocol detection when nested in SMB (6.0.x backport)ClosedVictor JulienActions
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)ClosedVictor JulienActions
Actions

Also available in: Atom PDF