From 7938df7b54b5b5c66ff6c979cd2714a169b7609d Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Mon, 20 Apr 2020 14:54:21 +0200
Subject: [PATCH] tests: add dcerpc (over tcp) test

---
 ...1220_smb_psexec_mimikatz_ticket_dump-s2.pcap | Bin 0 -> 11363 bytes
 tests/dcerpc-dce-iface-01/README.md             |   4 ++++
 tests/dcerpc-dce-iface-01/test.rules            |   1 +
 tests/dcerpc-dce-iface-01/test.yaml             |  14 ++++++++++++++
 4 files changed, 19 insertions(+)
 create mode 100644 tests/dcerpc-dce-iface-01/20171220_smb_psexec_mimikatz_ticket_dump-s2.pcap
 create mode 100644 tests/dcerpc-dce-iface-01/README.md
 create mode 100644 tests/dcerpc-dce-iface-01/test.rules
 create mode 100644 tests/dcerpc-dce-iface-01/test.yaml

diff --git a/tests/dcerpc-dce-iface-01/20171220_smb_psexec_mimikatz_ticket_dump-s2.pcap b/tests/dcerpc-dce-iface-01/20171220_smb_psexec_mimikatz_ticket_dump-s2.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..372649bd5e6d547d664c42a877d970ca2a12e9a0
GIT binary patch
literal 11363
zc-obj2{@G9`}m(3V;E%5nl*&6XWwNf*|!%Vdv?j1ZR}f;B^9!k5VD7)C`+=hAxnF*
zlMw#%%-j2oe#3SB=emaHGBdaHxj*Ne`+m+0wN~ar0T}S#V}Bn2An4yrITNNh`}n{)
z^fmaz2hQZ4`GWo#QWK94C<A~n!do5)g#$oK5djnW$=G7rf-_!-oCTwVLYaZIY5;)3
zaH}CWIQS3<3<^eUI2;iZ>)*IwM7S&%@#0TRG%zYoiz#x7vj-h@E|i=ZcsKihBfdmO
z6h%i9#WqGx#8s?goI^+L)ggrdX+{5%GU6eCRrLG7=igD_9}w4$i9&;pk_rI003jYJ
zdJIi)c{mjPyN{}m3d{r)lT`>1))*kFl(8c6NGM}j93aI3{|>W=iJL#wNp=tY-;ktg
zR#414vA>t+RGkZXhP*P)Z%?2j1pMD?D->KB4oAWvxVX?96kI?61?R~T5a5F&xTDli
zo8%BE6muE%?<E2HoiGSW3<_mDa7~bh!u<h5;jX%&a2EwoxZiScpb*?#^bg`ZJRDqr
z8U2s)QLtcZ6f8gh1@rm$WfJ-mirN<pwDq<5&TA_woX?{dpaoxn=8_AL(!<oW^$qCp
zt!-VM+;}}~&>xpWe^d&5134HOl81uv!cZ`-S-y#2pOzoI40E`J&>&KKUIsFp(Vklp
z^tb2Zv^s*_bV8acT`$HqRktLr3Xv`uL=~x@E7_!l{iJJVWbSq2ycDiLK3$nNdh5A;
zKeG2;d4luE#r#X>PezcvthM8a*8Ws);lIgx$LEbhPT_KhLrvb+MtE~ctV4oaq*?dc
zHAh@KpL`UK`)ijC4$fG<>Wv??!Is;Dmo$qw^-97Ue2Xb1*0U}~3tpgXCD-!p5HFsg
zJL`Ya*A$16B$lbaLX8gp$ytV;FI)svlk~a)ccdy|3-AWG;brfd*Mp-ISqY4qLzCW}
z2<coSN6(CEBUzpevlPX-(;ku)yW+BANc?nf{#oJnCOHcm-_P5Corck1YXig%TL0E}
zV4Wd<n$=tRrCRTBz%oORqqGpI`>4rfVLASn_@{P<?|jtkQ1Sf1nMW6tU6$=l2}_a+
zn)zoSPT7FbtS%gP33=P$3-VUcE&IIg=VlL^p>$>WEm;tLY6{EORW;6Xn%rv}KF+~k
z2kFdy(1?ECmtqsNy=%MbM}LMh`7P_oiK^s|F=}c1MQ-j}Kd+O0zVm_Dz-6AuUBbCD
z@CB#vY?5(~-ONO=n5>Z83KII_!7Ivhmcvt=r5A_k)9YKy#08^d-FG9ZL{8E9iAvx5
z5IE)874Oly{*+$g^)<?__?)EJaPOB}hJAZc#icd2w1nD^euno@a4(A$W=GNzw&CQu
z5T~2S7cefpxg4(hT)c@kfwtYp`w?Nr_gWf-FuGu04%rEH8QlT}M7a9rRvx7>28HKb
zu0fp2?yvnHxJnU6cl5i~Og>?|_|j3+xilAUt~AdTQK0dxM4CAzy@pbBrvBdJS6&);
zd#f}jPO>EhDXbT2d~Un<F2}B^+?<PA8?k3%_ImC;vHL{1TyfR#uIQDLn^E%IYl4cu
z^obc<H%?O3yOQJdu0+MX+~m2FomByql9Wx}q_#CX6Zk<Re@ShlhtU8+*?zq@gM(E0
zdhGUTskq%qZPyjg7C^4D&&z5T855-cO@!_KIc6#Q6G2(3IsWag8Du-iRUv6%!FXyQ
zJXJ7PqYo<7FZ9&0cY|lmwx8yWkTPEvu6Psk6&W0-mBIkWUosFgQ(Bo&v9@pu;l5YW
z3r71Q$}-fj68mNWhJV=eS2Wz3Vb_P!N@aGLHRgZ$dI;8Ez8`P2aEhC;e)45zOa(EY
zw4u=F-lVD^FHfEvF|McbU+c`{LyCP_G?`B|$l9n?F0C1}?assuHKn@ILDx^$SvNte
zDqG{?3*o~AUUgL!!=>NqXn0grmTLXKJ{-&xbUmNR;<VM}roq6uJn03Dt38<9dJ`Mc
zk*qwGvTkTR<aIN#;PV?bdd6|_U{)&qELAclhblzI^A+_Z^RLUA<~Q%(VAEM&wbg!c
z<Hgp^(phrWACuI*R&Uh{P!L@K6hsTNh2)_iN-z{ezW6oSi)JU@z&Vo18@|);m$lz{
zm&9Fi{-Ce(){I*{qm79Y>2Dx=mQ${0vGgO$FYVjxx~FS7B3?!W*nEn+v&xxx;Z!64
z^c5nCf=Ng5n(yW#=64^@F=mI#B@%5R2Ut`hx8!whgp4Gcy%(Eg8SMJ<F7NZGnna%u
zB{cNm@_tG!A@IU+DPhV;>h;0{U3M-$bC>(X6EWW2A9U8N=>?g3`GyJFim2jLl6UeF
zi^?}bxqT4~UF5_tL;PNk{p<yw&%SUduA)k!&SExR6`UWJn5}ENr%&L=cz)&JGcu=^
zRDpaGMx{5}VvSjijS{#%4^1w<yJ3E>P0F)Pdv<!yK<%zlm()czVxnxyZGwlCnfO8B
z-E=}M3lA6!?SuVuMWsV==q?+OabIhyMLuubbr_2r)b|P@n}B@W_%&xx?+#YLPILv7
zMsM-b*eWw8Tn?;&mN<V^=HBr_p=_{@if#SZKY+0&2oQiIx<G-?zhgmo;PPNBi#@Ed
z(A6|72dt(<m}&}x6aoKL(`W<$zyV<iK@pMPRTX;$#Q|^tY>)q{Wo}rZKv-T54gmy`
zOL(9}=7lA~!s6V+q6NYt{#W}*^85sR{+(>@FxQH>xaJ?IXj5P3+lsYk?1n#_e2_O}
zN3w4rF7P-t%C?Ha4`r;BZ}obU_QFrKSN0*5mW>N<7Q^ARy=;R8ruEBZq#NSKZ}@kd
zjhD7PvvG=U87m}uv<AJ9OTW&L&0d9DZoiTFW$DI`NlHpsCzwe*A_PE=&LTPF|Mn#i
z7$O*3Um}!^oZ=ePp#k>OBfv}&<A9l*1QLLQeF^0MvoHCRy;y;;C`|V9EMXSzW&)-M
zlBFe}`ERn6VCU>PPNkkgeOVy#U8?2@G~bbZ935H^AQvOZ_GDU$#tL6m#LzW%J+$VH
zdTaMwdbD0pg&)xMJbVHvBudp^Zcb)VozDn61%tu%!3V~+ziwb|99Q?Gc0KEpnz}wP
zL#8JXz&-S9_pr^|WViyRqs%xw*SH493(p3C8M62VW{3onAt!+A&|E_|q!N&0=Gp%;
zaz=n1%m?uAaB=?(H^?SaX(P&U#Ws?G!(mwg94<2-0)V2ULa_)1))67tgq{sRPH{_P
zgnEO+1u(<y2F_!KYlRsE2>=z5t?>T*UgwDoA8w7#CVOX=!VoQ$E~!Lw$u%v)yF;x5
zr&K#rpG*I`xluk^pQ0M9_$*(~u#VxAPehB*mO6uWle%fr{aF_ZZbh;mcGK?Do9Qn6
zX@qs0FWUP%L!RUPhl>k??*pX3soz4b1=ScMigK;e^xfF{b-R=EYq^UbO?OsBetv<t
zT9@Rsx&hfA*r=6qOO414b2+)V5h0*%;@`$8_Q|(q8qA0-KLU7xj`aeYz-st8j6m<h
z0=cEf3x!qC8QI&@1~UT1WF+BtMreLZyD{FH<;J(h+=ohvSnz$9d}DH>T533>-{Dr^
zLUY$t0|Ji!n+Wd@QIJhml1;Y^A%DG0QGF&GU46*Yi)6G5tKT7bfwR$zew2`=7)ae9
zEniIm6qV!AeK)zT+?@Tc>Sg1Hd*UIkAW;vR$P4Y)3)`Z#MTBB=EUbd2>Hvw-Km2hl
z4LOh5%-S&H<OOW%Lo>?oPSd0fmc*w<zM<La4g9WmuJH;r!Q%V-I>TG|TUk@X*~=jc
zEIYCRq=ZQ60mYO6ia!5<AjQ6?RdBDKro_D$Nd&&+`?HS%Y5W${3aD(I(k%BMg>xhQ
za&~aOa@sti3s=loS9hteGWO&fZ;x7ustpHr;}oK}i@s=>sl(z>bHFY3)G6~$Ggqli
zwfX+V3H$9b2@>zODAVoBL_-94tlSsGL`ixIWtdpQBG-GMKr%h6KN0uqGsM&#4yj5O
zkFquL^twkQpe&6DI1#ov737j|63XF#q_mF;J8|wAqUlM1zkYPCEF`a77p9g!un^GE
z?q#IaK**LgNzJ6h{a{WvIfqy%tfk1Sf(|r5rG4z2QpC)uD}T+Yj`2bf6xzV9Na*1?
z1sXW@drm16PSJiVw`n3y;%BXjsTjE{#@WwTUu1%tw>_g*!4Qss!?4Y%Z2aqT-~1b+
z)heK|!PH7{`msAoE>2gP`~+8N!cB5d*NqMHUUmWEpAP{B^EnCk**KW^Y@bk$-!RKx
zYXFI24-*~UH>wd~*yfZ73OR)|z|1M(KXVEs0>?=Cn`nx+`?2M8%m?wSPPcN`EBaEa
z7Wt_dw4!r2qZn|VF5No9Q80vR_0;E!TiV0%{vk{aae_{x3o(S2X$cqghEdB?%2$7J
zT3=0{S5vt-60o+5L(iSPLv4NLJV%GkKNC+uA}5_=9VuZPc^!6yG#D=wB?cV{aUOOA
zJFxD@=zb)LF25=ZX*{9a+#oToH5(u`V(O%4+Wu~lC`Ikf5$paQ4%PeXu}gyZ^rQo1
zKU@5tO)L0?-*}toZSGH@wlF<n;C8`gN7jXQ9iSMvbRufmK!5A;H<Rqgs`fcfF(6Sr
znrIFkYYv;EAp{DWBT-^B)eK0KZt%xZDVhj<4TxjLNea+$QF~6RzMRLyy*2zwbv=FA
zf!JDILQ<&icK4~Pq`R@BrO&NCZhN>s=M#-?mP{3m;Sti7SmXfMh*)R^Sc}j8AwJ|V
zB$g(5MSszNb8YW^8POdMifzfWx{U#XrCA(t&2NTkwH_|da|#UgTV&l5U)AbY;krz1
zSL{w|(mZUA$N-6*b&qwZjB)7sm%|w}bpx9CS4PfZhqwnEO4DiW>nBjuj8wmsObHPr
z5nO$Ad9e_`gbhcyXGnLh;|Pa2ZcC3sBHof`>wMp#bA0*WlT9Ekxw%Rl{{45+-NS^$
z&h<C;zdC2U;V(ZyRXD@LADmo2{dBET&M%5e9#f6Fb&p+V;aD9uAg6d-Fb@A(XYl{+
z925YRV1GOxxrN)DadkUmS^W9*`;2Wx%baGUz#}Fb<!g<9c8)`iLT_!=O5Ww*e|<%}
z&*vsNj85Z%N~Ecic}LBw;t&)1fC)w!l;S_hZe7nP+neAF`?lj*i`9&U46z+N1|=X7
z=QRXSiH=o?%~1hd1>-36up=Iq@j@}MzV4)Z{&95eH_?BGg(=S_$GCgL&-~1MHS&bn
z;oF~`;*gWvf==EJp5W)1B5dKWWWu&W^^iOCncLi!JfEbxx5-~G=U4FzIM5A$4|Ebv
zN@*a<?Efh(c**z+`wm6uFi22)?N}!f*qn%=>nYC{aF+e;1n+-)9~_AAh^_j^-R7Q;
zfWo`Br)+mSI^QO6PxLZaN#*CFgx}5`vG;}f7TMB2*?SdUG|>G{SUEz%@NSTHRN&}b
ziY-pbrss!GQf9^yO<Yqpc^QxO<qU)AN8L@S8T`ELUg_plfJ85Xj$JpZ7$@$3Ir)O7
z8UURX6CGYRAQAI#Cmkyb&TMuA>rIxv#v)?6T+^v>w@JnpQp#69X{E(!CjRN-4mrwW
zPn2LM=eelc!$ugUChcofQO?DV%Xv~ekC5m^aXc-1#ytj`$&gJo)`0#|2CLfGHpfqd
zsccnW_M_7tgG6PNgvU9G#Oi1OImPRZnPq=D!av}MSBpl@uwnJ-g_mbEt8RwbZf7_b
zsswsyked0m&%cdA9^nW@<zZ{u%giMHL-00R^Y+coptc*|%`J<+bV(Tj;W3s4Gf75e
zmuiP<S4UmfN|afWz70Ax&3EePijEhpfJCZPgvU8j!#Hv~?1<NUyioiicoXYtf7lWJ
z0Y{-C_qIm$lDKktZE6YaJ2e@K^w!x2dJyF)d*w~~!!1WR%2(=ruM6>use18Lckks3
zwiZRN3iEi6F$*s8H0S!x*cC~Y<jpBIRWJERfh!NSH}=jF-E);T-Hke1b{zr|<x?H&
zC<>b+@r%eQJ^-5|#DN|n!LCi#1lqv4E(&o@Pl}A~E)^W5j>A3wHAi$}Y(5eH2uI;}
zmaKv<bzIpoY~wf)2IDR>d2UWNzUk8U!QLESPir}}vxGVO*}^!Dgww-cde+lBBE*vI
zSI^;f@OeGn2Z>6lk9DMuapZc~5g&l2`UW~OTs!OtaiIQ;dkWt}YRuv!=W7|@Tu$6p
zAt&x?a7<$J-n!EmnA=EyMExmfl}>bsU0n|GgM_eI^4+|D;&#`=p62FfPtsMxrWYr)
zFHs4QG-o_>wUP64Mb0F~$9qKpQc+gUqtpY`Aki-Mv5um#I{JpDN&t!ec0_Q%(M6N5
zWB**=yTChQ5u&hFJFuBlOIh^d);2$ZV;2A7snH`GMaWO>E&@e5B|GoT9Gu5y*Amid
z9i!H_s>52t#^~}Aovau=mwvv?LNY%i6z-7nUBs8{V{Lje&PAQ96ptaIIo6Q|#*xck
zjuOTTC49g;-qPN~jtCAo+B#8MJ3;x8B#)c7cH%1@{G*3Dfk6mWRx|5j)Owy7%Mp$W
zMHd<$j!T(2nDKow$`1Ft+P_@lvUhrBh!H}-ONUtdnVf&gHZ#Ze>Dzh2mqA;1yO}pz
zM>TQu6tsFQzkoz=9^&J^a;m`QNWup>#ZU9!S57SGC{IQ4fB|%b0c=s)DDEE<1vIVn
z$8;t-FNEM%M88i0#_90AL|&QP30$1H%j^?iL2r7J$M~`-{VRD<8iD%ZA9TH(6l<#F
zvdNk~fr^)eO^@h2A_-|sNvc?$0|YiP5{v9pX}|g)l@SFV!3FJ3#Wn93n|9^ae0u^d
zUQh(ejh+)qD{|~%IY(o>n4HJ=*&ZY;6T>^kJSnD^GB|tKJU`8Np(HtY&qAtj*gW9@
z^P$$83`>L8XKtPzS)vv~H8FO4VQbgoY+CRz9Ka#7{&9r)`*XfMp#iU$?N73c6mCy=
z%Luq#suh(9QWB9Y{M28rEB;McG`r}uX})B5(EHRUTakzj62V-hSufh<;HMzb7Mkej
z4xi!yHfNILXsQCt>CImqKGA^=-!7BBDtEKjDCB(zB&9e%q?5lIM*8wzz!|c1dcU0F
zwkU0qERIO`sHIQaQMA`yIi&qGdX@U+(lrkqP0NPaB-jxhew3KzfLEf4O~&BWy&#G=
zDKAPcu23sYZJv4dY=Wm`q+bh<ZpOIvp<<QYnY`K1-79b9%_yvI)p&S)Ntqf0iHF3G
zb%^P`421r2Sb(N(1|9ZnA9hG|z@caJoZcJ51wX-h1@0QF%Brggp#q*?J@_iN6wBk6
ze1?v2_&{fFM9xrbfv2pR6G7_qXhF_XSk|dOMzhtsqVf4+GxJSpJ}s_Er}Pib9EtV1
zUyMxjwT#@PEgDnC9x8xDOcHp<?64F?SRFParvwBr4*%L=PyCMv0$4jt*84AP+Zl9<
zE?Z2prg{Hls+>104OZ~>*TG5WtvkX|bkdd^yIL*ebOuU2-w;=&<=)70i^S^Z`hO~I
zV>iyVDmt=1!@;A?9cUrcq+Rb=zbR6=ivGjq0{xr*5RmA$<gt!0y_bRDVMhW2<AqWh
z;5`es;$cT84s<FDF8p0W9~}oeMxmb60rJ-(MLC@w8zJrU$cW~Dc;v4h(Ww-f5OCee
zDu-(X82HMU`RLysxUwysHP8sX%sf~0ZtK~nYiHb(jN3Is!)9#<cbT#k#V?6ndCJ;M
z+jOFj4J3Lmd90&{*c?e|psAX$opul(=q6L}Sp(US*75kJa~W1DJavs5)bcc2Z?o#k
zYHyX8$aEZ01!H_3)h{H>ZWS6|^Wl<GTAE!H_#po>I@|NXkIlZpz-x~!-%mv8n-h&$
z3wg@Av=#2vzTO&j^ND0i8&l2#iEyQlb%g1?3<Umi)P$xQ0UgCA9(F{0z>!?{K2OVc
z<=bsPd6_TgpZ<6%g9R^vsNC@?+miWUr@zY)jvo32*hGy2L5|W%M&y&h+--$kf&*XA
zIP2Moi51^(!y_)*FLZyzJV^g)&A)~<ui7ux5_Pt-ZD-y8TDB`lBqe>UqhhR%Mvzm2
zYS`|SNe(zl=(kY1nL?Q))AwZO`o#`Fx@)R`H9{0{ixzLvdl%AugrnGCBKUm;^@Wcm
zESbz}kuyb*BAz4%{R~gQu-HdZMmx}#KkjphbsWj%6~#FNV|bch)eVON&1=u>=n|tq
zq5_#?9btMe1OCH~1l7h1r7wZ^nY6fv9g!SxG(?q}vammFR6nCp$I1TOsfhdxgpKK+
z3!IWwk7AO#l8$gxYz-F{qE+P*Ssr?%$|tid+{eOpk=E*$lle{v8PxrK{7=35&492_
z6oPE3nIUMkn3TCep9T7IOg{U=d64L>?6HnYusM>xgr*w8=7{t_H>tanM$YCg@J)Zd
z_fGdS8fK1w?)jDVEM}7n?;21DW~w6`#oggik<+?iw)pIxAoGAk>)d=}-T(pJq-)TY
zHDd#9M8)XZsVOykw}tXl)n1nNk3|De+%H>*zTTbL%6O2dO72)kF&IaDe>oaLQ!Rpy
zDohSLB0W%#YTvZR@#Id+C`;(iEXo&MSKs9R34K>Xxh7mia*N9GsE)tnMnu`YofE3h
zATc8IapDsVNn$4H+tkJ>1vI92X=3tVor)72_E9Qd6F3yQ+W8w}b%y{TdEh#sa`POf
z!k(8uwx=k?>Sz%;C1iy;-T14gAUn`gyx2M+TUc&A7Gbe;<r86NUFf%y>NO0mYA0QO
zo>dYbojNrxU%98L&h%h2W+78vHTF5jW6ij`>GH!~f^V+eXnJ!*y^5!oe9W!hz0$6K
zwtnaucVXyWU8W<|T{0z)-u!5qj{!Up!hONbyZ}4J-8@sRUp2cnLs=h)X57U>{B|rs
z;&u6B9mZlD@*Z|5WHnwWa|gT+4Loz$A=v?kGg*3ybdSS&uLMhE(wbcjoM%WUa_%EY
zdaU``fGzPZ*AWg&c_cDd8QFLuLTR$bqZ4nkGPQ+p<CwYq!sp+0d>ve|+~OMKNbxE<
zpY84i*D!~<g4XH&oNwbP{5U0e{U8xi;n;Qd2%AHhJ7}u!*iNX(|F_PdfMu1z4VACm
zHTTr<1*`{ETTMMoHAaLKwltJq=fw=xs~oY;5`4nka-=`CPDYNLi_dqj*86HFi;6Oe
zE38qy^18jn0=5wsp|NA9Un|Q$>*Fjt`*5h%SDuI!z{4frsRxO;&*2?&YDgM~aU}hh
zqwnK|vK-*uNo(ohQ$z9tr-n1*xcsPnohqr!m9*~`it<OC8a}fAL<?kogT~!<zPX%3
zI+F0=%@F$x1ok8+t|$|~flevGg!V}#bJr-+u;VQBn<PGNX>v4NcWor*PD&C;V1Djc
zCuP{2$Z{a3&N^Z{?VvcY_hm+&BxzC53r-+=YvAi-GHUqk+}-;z6O;|hh<~i!)=3}X
zBymX1>Pbn{W>{?jvHG(yuN#KrR(;+NLnPx6v`ESi!f_wiPFqe|CrKJzwcYx$T&6S-
z5svh^nXLKEJU$R4dUx*FbrX+qf;{ZxtRtGL5_Dp6^6<K$IIwPl>NX>73FWI)Cw$n_
zG)y^43yP$2ABk39o#^hppfJ6C#JVX<N9Edd@%+3&<~^M9Q&d^=TKH8954W+ry!;QL
z?dNjq38UdmmzS;^Ez(yGvFCRdx6<#*Zz$q^3?<2X01}ZZ9_y$atD{OZ)jBpulm{F+
z8}3G{|G<40dL?DVZb!@^I{Vbe;o!&G4*0xW<&^!TM>x9v)+`}gb=COxNmWwa_gyUd
zQX%q#b+6uywc8slBYhK%$vmomuB!xF*uIQXD)AciA$n@<pF+u(@F4S>AxIRXc&wuY
zj3e&99IcNR%E^Lv7kT-I9Z?=|^bj`ma5qD9#p+g#zkL68E74lj=GLU5wxgs}z<D#z
z?jszPKgg4+FU%m=`#8WjwPEy%x4BunET^6uR_nFA+-5Xp!bbY~t@)D7ikbJ*)B&qi
q-pp<vTGOeJlk^5*n7xhg0^TvF9Te5r9LdQdr-Vaw(8C8$JN_TnN5xJ6

literal 0
Hc-jL100001

diff --git a/tests/dcerpc-dce-iface-01/README.md b/tests/dcerpc-dce-iface-01/README.md
new file mode 100644
index 000000000..1fdf0a615
--- /dev/null
+++ b/tests/dcerpc-dce-iface-01/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://401trg.com/an-introduction-to-smb-for-network-security-analysts/
diff --git a/tests/dcerpc-dce-iface-01/test.rules b/tests/dcerpc-dce-iface-01/test.rules
new file mode 100644
index 000000000..0aaaac562
--- /dev/null
+++ b/tests/dcerpc-dce-iface-01/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any [135,139,445,1024:] (msg:"ET POLICY DCERPC  SVCCTL OpenSCManagerW Request"; flow:established,to_server; dce_iface:367abb81-9844-35f1-ad32-98f038001003; dce_opnum:15; classtype:bad-unknown; sid:1; rev:1;)
diff --git a/tests/dcerpc-dce-iface-01/test.yaml b/tests/dcerpc-dce-iface-01/test.yaml
new file mode 100644
index 000000000..32c6db3be
--- /dev/null
+++ b/tests/dcerpc-dce-iface-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+
-- 
2.47.2