Bug #6191
closed
if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc
Added by INTER xz over 1 year ago.
Updated over 1 year ago.
Description
When I use a DCERPC pcap in which the first packet type is Alter_context and the next packet is Alter_context_resp, Suricata will not parse this pcap file, because the engine thinks the first packet is a response and an error occurs.
The file location is rust/src/dcerpc/dcerpc.rs:1337:
let is_request = hdr.hdrtype == 0x00;
Modify it as:
let is_request = hdr.hdrtype == 0x00 || hdr.hdrtype == 0x0e;
That fixes it.
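The check above, shown against a parsed DCERPC connection-oriented PDU header so the effect of the one-line change is visible. This is an added illustration, not code from Suricata's rust/src/dcerpc/dcerpc.rs: the header layout (16-byte common header, ptype at offset 2, drep at offset 4, little-endian integers when drep[0] & 0x10 is set) follows the DCE 1.1 RPC specification, the two-PDU Alter_context / Alter_context_resp exchange is constructed to mirror the pcap described in the report, and the names DcerpcHdr, build_hdr, is_request_before_fix and is_request_after_fix are this example's own.

```rust
// Added example: a minimal DCERPC CO PDU header parser plus the request check
// before and after the fix proposed in this issue. Illustration only; this is
// not Suricata's own parser.

/// DCERPC connection-oriented PDU types ("ptype" field, DCE 1.1 RPC spec).
pub const PTYPE_REQUEST: u8 = 0x00;
pub const PTYPE_RESPONSE: u8 = 0x02;
pub const PTYPE_ALTER_CONTEXT: u8 = 0x0e;
pub const PTYPE_ALTER_CONTEXT_RESP: u8 = 0x0f;

/// The 16-byte common header of a connection-oriented DCERPC PDU.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DcerpcHdr {
    pub rpc_vers: u8,
    pub rpc_vers_minor: u8,
    pub hdrtype: u8,   // ptype
    pub pfc_flags: u8,
    pub drep: [u8; 4], // data representation; drep[0] & 0x10 => little-endian integers
    pub frag_length: u16,
    pub auth_length: u16,
    pub call_id: u32,
}

impl DcerpcHdr {
    /// Parse the common header. Returns None when fewer than 16 bytes are
    /// available or the major version is not 5 (the only CO version in use).
    pub fn parse(buf: &[u8]) -> Option<DcerpcHdr> {
        if buf.len() < 16 {
            return None;
        }
        let drep = [buf[4], buf[5], buf[6], buf[7]];
        let le = drep[0] & 0x10 != 0;
        let u16_at = |i: usize| {
            let b = [buf[i], buf[i + 1]];
            if le { u16::from_le_bytes(b) } else { u16::from_be_bytes(b) }
        };
        let u32_at = |i: usize| {
            let b = [buf[i], buf[i + 1], buf[i + 2], buf[i + 3]];
            if le { u32::from_le_bytes(b) } else { u32::from_be_bytes(b) }
        };
        let hdr = DcerpcHdr {
            rpc_vers: buf[0],
            rpc_vers_minor: buf[1],
            hdrtype: buf[2],
            pfc_flags: buf[3],
            drep,
            frag_length: u16_at(8),
            auth_length: u16_at(10),
            call_id: u32_at(12),
        };
        if hdr.rpc_vers != 5 {
            return None;
        }
        Some(hdr)
    }
}

/// The check as it stood before the fix: only a Request PDU counts as a
/// request, so an Alter_context PDU that opens a flow is taken for a response.
pub fn is_request_before_fix(hdr: &DcerpcHdr) -> bool {
    hdr.hdrtype == PTYPE_REQUEST
}

/// The check with the fix proposed in this issue applied.
pub fn is_request_after_fix(hdr: &DcerpcHdr) -> bool {
    hdr.hdrtype == PTYPE_REQUEST || hdr.hdrtype == PTYPE_ALTER_CONTEXT
}

/// Build a constructed CO header for demonstration: version 5.0, first+last
/// fragment flags, little-endian drep, frag_length = 16 + body_len, no auth trailer.
pub fn build_hdr(ptype: u8, call_id: u32, body_len: u16) -> [u8; 16] {
    let mut h = [0u8; 16];
    h[0] = 5;
    h[1] = 0;
    h[2] = ptype;
    h[3] = 0x03; // PFC_FIRST_FRAG | PFC_LAST_FRAG
    h[4] = 0x10; // little-endian integers, ASCII characters
    h[8..10].copy_from_slice(&(16 + body_len).to_le_bytes());
    h[10..12].copy_from_slice(&0u16.to_le_bytes());
    h[12..16].copy_from_slice(&call_id.to_le_bytes());
    h
}

fn main() {
    // Constructed two-PDU exchange mirroring the reported pcap:
    // client Alter_context first, then server Alter_context_resp.
    let first = build_hdr(PTYPE_ALTER_CONTEXT, 2, 0);
    let second = build_hdr(PTYPE_ALTER_CONTEXT_RESP, 2, 0);
    for (name, pdu) in [("alter_context", &first), ("alter_context_resp", &second)] {
        let hdr = DcerpcHdr::parse(pdu).expect("valid header");
        println!(
            "{}: ptype=0x{:02x} is_request before fix={} after fix={}",
            name, hdr.hdrtype, is_request_before_fix(&hdr), is_request_after_fix(&hdr)
        );
    }
}
```

Running it shows the first PDU (ptype 0x0e) classified as not-a-request by the old check and as a request by the fixed one, which is the misclassification the report describes. Bind (0x0b) is likewise a client-originated PDU type in the specification; this example follows the issue's fix exactly and does not speculate about how the parser treats other types.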
- Status changed from New to Assigned
- Target version changed from TBD to 7.0.1
Pcap should be used to create an SV test. Backport should be considered.
- Status changed from Assigned to In Progress
Hi @INTER xz ! Thank you for your report! Since you have already done the fix, would you like to make that code contribution yourself to Suricata? :)
I have created a test with the pcap you've uploaded here: https://github.com/OISF/suricata-verify/pull/1324
Please let me know if you cannot do that for some reason, then, I'll give the credit to you in the commit.
- Label Needs backport to 6.0 added
- Label deleted (Needs backport to 6.0)
Shivani Bhardwaj wrote in #note-3:
Hi @INTER xz ! Thank you for your report! Since you have already done the fix, would you like to make that code contribution yourself to Suricata? :)
I have created a test with the pcap you've uploaded here: https://github.com/OISF/suricata-verify/pull/1324
Please let me know if you cannot do that for some reason, then, I'll give the credit to you in the commit.
Thanks, there are some reasons why I can't commit the code; I'm happy to contribute to the open source community.
No problem. Thanks a lot for reporting and proposing the fix. Would you want your name be credited in the commit? If yes, please let me know your name.
I have created a PR with the fix you proposed here: https://github.com/OISF/suricata/pull/9291
- Status changed from In Progress to In Review
Shivani Bhardwaj wrote in #note-8:
Thanks, there are some reasons why I can't commit the code; I'm happy to contribute to the open source community.
No problem. Thanks a lot for reporting and proposing the fix. Would you want your name be credited in the commit? If yes, please let me know your name.
I have created a PR with the fix you proposed here: https://github.com/OISF/suricata/pull/9291
My name on GitHub is InterNALXz; using it is alright. Thank you!
- Status changed from In Review to Resolved
- Status changed from Resolved to Closed