From: Modupe Falodun
Date: Tue, 22 Feb 2022 17:26:00 +0000 (+0100)
Subject: dcerpc: update keywords
X-Git-Tag: suricata-6.0.5~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F761%2Fhead;p=thirdparty%2Fsuricata-verify.git

dcerpc: update keywords
---
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.rules b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
index a9018d05d..9cf9a10f1 100644
--- a/tests/dcerpc/dcerpc-dce-iface-02/test.rules
+++ b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
@@ -1,4 +1,4 @@
-alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;sid:1;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989;sid:1;)
 alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1; sid:2;)
 alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=0; sid:3;)
 alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,>1,any_frag; sid:4;)
diff --git a/tests/dcerpc/dcerpc-dce-iface-03/test.rules b/tests/dcerpc/dcerpc-dce-iface-03/test.rules
index 5f24a9c2f..8254e2cd2 100644
--- a/tests/dcerpc/dcerpc-dce-iface-03/test.rules
+++ b/tests/dcerpc/dcerpc-dce-iface-03/test.rules
@@ -1 +1 @@
-alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1;sid:1;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1;sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-iface-04/test.rules b/tests/dcerpc/dcerpc-dce-iface-04/test.rules
index 2e0250bad..fe37a5475 100644
--- a/tests/dcerpc/dcerpc-dce-iface-04/test.rules
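Review bot: After this hunk none of the touched fixtures use the legacy spellings any more, so if `dce_iface` (and `dce_opnum`, `dce_stub_data` in the later hunks for dcerpc-dce-iface-03, dcerpc-dce-iface-04, dcerpc-dcepayload and zerologon) is still accepted as a compatibility alias, that parser path loses the only regression coverage these tests gave it. Keeping one rule under the old name, or adding a sibling test that loads the legacy keyword, would preserve that check; whether the alias is still registered is not visible from this patch. As a point of style, sid:1 is written `;sid:1;` while the context lines for sid:2-4 use `; sid:N;`, and aligning the spacing in the rewritten line would make the four rules read uniformly.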
+++ b/tests/dcerpc/dcerpc-dce-iface-04/test.rules
@@ -1 +1 @@
-alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989,<1;sid:1;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,<1;sid:1;)
diff --git a/tests/dcerpc/dcerpc-dcepayload/test.rules b/tests/dcerpc/dcerpc-dcepayload/test.rules
index 450b51230..a246badf9 100644
--- a/tests/dcerpc/dcerpc-dcepayload/test.rules
+++ b/tests/dcerpc/dcerpc-dcepayload/test.rules
@@ -1 +1 @@
-alert tcp any any -> any any (msg:"DCE Response stub data"; flow:established,to_client; dce_stub_data; content:"no"; offset:22; content:"12DOM"; within:13; content:"REDHAT"; distance:5; sid:1;)
+alert tcp any any -> any any (msg:"DCE Response stub data"; flow:established,to_client; dcerpc.stub_data; content:"no"; offset:22; content:"12DOM"; within:13; content:"REDHAT"; distance:5; sid:1;)
diff --git a/tests/dcerpc/zerologon/test.rules b/tests/dcerpc/zerologon/test.rules
index 9b886d439..7da3ab317 100644
--- a/tests/dcerpc/zerologon/test.rules
+++ b/tests/dcerpc/zerologon/test.rules
@@ -1,2 +1,2 @@ -alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dce_opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,https://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;) -alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dce_opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00|"; endswith; reference:url,https://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;) +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,https://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;) +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,https://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;)