deep-security / ops-tools

A set of handy tools to make it easier for Operations teams to run to Trend Micro Deep Security.
https://trendmicro.com/deepsecurity
Apache License 2.0

DPIRuleRetrieve not returning correct values #1

Closed sudofez closed 6 years ago

sudofez commented 6 years ago

I'm trying to return the values of a specific rule and noticed I wasn't getting the values I expected. Can you please help?

Code executed:

Write-Host "Retrieving rules.."
$rules = $DSM.DPIRuleRetrieveAll($SID)
Write-Host "Total rules retrieved: " $rules.Count

$rules[0] #This is rule 1000456
$dr = $DSM.DPIRuleRetrieve(1000456, $SID)
$dr

Results:

Retrieving rules..
Total rules retrieved:  6332

TBUID                  : EF560703-D499-A1BE-1F66-F9B05E0E9B2B
applicationTypeID      : 36
authoritative          : True
cvssScore              : 7.5
detectOnly             : False
disableEvent           : False
eventOnPacketDrop      : True
eventOnPacketModify    : True
identifier             : 1000456
ignoreRecommendations  : False
includePacketData      : False
issued                 : 10/05/2006 03:17:35
patternAction          : DROP_CLOSE
patternCaseSensitive   : False
patternEnd             : 
patternIf              : ALL_PATTERNS_FOUND
patternPatterns        : 
patternStart           : 
priority               : NORMAL
raiseAlert             : False
ruleXML                : 
scheduleID             : 
severity               : HIGH
signatureAction        : DROP_CLOSE
signatureCaseSensitive : False
signatureSignature     : 
templateType           : CUSTOM_XML
cveNumbers             : CVE-2006-0027
msNumbers              : MS06-019
ID                     : 1
description            : A remote code execution vulnerability exists in Microsoft Exchange Server that could allow an attacker who successfully exploited this vulnerability to take 
                         complete control of the affected system.

                         An attacker could exploit the vulnerability by constructing a specially crafted message that could potentially allow remote code execution when an Exchange Server 
                         processes an email with certain vCal or iCal properties.
name                   : Calendar Remote Code Execution Vulnerability.

TBUID                  : 
applicationTypeID      : 
authoritative          : False
cvssScore              : 0
detectOnly             : False
disableEvent           : False
eventOnPacketDrop      : False
eventOnPacketModify    : False
identifier             : 
ignoreRecommendations  : False
includePacketData      : False
issued                 : 
patternAction          : 
patternCaseSensitive   : False
patternEnd             : 
patternIf              : 
patternPatterns        : 
patternStart           : 
priority               : 
raiseAlert             : False
ruleXML                : 
scheduleID             : 
severity               : 
signatureAction        : 
signatureCaseSensitive : False
signatureSignature     : 
templateType           : 
cveNumbers             : 
msNumbers              : 
ID                     : 
description            : 
name                   : 

I have also tried using the following with DPIRuleRetrieveByName but I get the same incorrect result: $DSM.DPIRuleRetrieveByName("Calendar Remote Code Execution Vulnerability", $SID)

If I loop through the rules list and print out the result equal to the identifier I get the right values:

$rules | ForEach-Object {
    if ($_.identifier -eq 1000456) {
        Write-Host "Rule loop: "
        $_
    }
}
424D57 commented 6 years ago

DPIRuleRetrieve(int id, string sid) accepts an integer which matches the ID field of the DPIRuleTransport object, not the identifier. The ID is a unique ID; the identifier is the rule number displayed in the GUI. So, for instance, if you want to call DPIRuleRetrieve for the rule identifier 1000456 in your example, you would call DPIRuleRetrieve(1, $SID).

Hopefully that helps.
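The distinction above (GUI `identifier` versus API `ID`) is easy to get wrong, so here is an added PowerShell example that resolves a rule by the number shown in the GUI and then fetches it through DPIRuleRetrieve. It is not code from the ops-tools repository or from either participant; it assumes `$DSM` is an authenticated Deep Security Manager web-service proxy and `$SID` a valid session ID, exactly as in the issue, and the function name `Get-DSRuleByIdentifier` is hypothetical. It also checks for the failure mode shown in the original output, where a lookup with a non-matching ID returns an all-blank DPIRuleTransport instead of an error.

```powershell
# Added example (not from the ops-tools repo): look a DPI rule up by the
# identifier shown in the Deep Security GUI, then fetch it by its internal ID.
# Assumes $DSM is an authenticated DSM web-service proxy and $SID a valid
# session ID, as in the issue above. The function name is hypothetical.
function Get-DSRuleByIdentifier {
    param(
        [Parameter(Mandatory)] $DSM,
        [Parameter(Mandatory)] [string] $SID,
        [Parameter(Mandatory)] [int] $Identifier
    )

    # DPIRuleRetrieveAll returns every DPIRuleTransport. The GUI rule number is
    # the 'identifier' property; the key DPIRuleRetrieve expects is 'ID'.
    $rules = $DSM.DPIRuleRetrieveAll($SID)

    # Build an identifier -> ID map once, so repeated lookups do not rescan the
    # whole list (several thousand rules on a typical manager).
    $byIdentifier = @{}
    foreach ($r in $rules) {
        if (-not [string]::IsNullOrEmpty($r.identifier)) {
            $byIdentifier[[int]$r.identifier] = [int]$r.ID
        }
    }

    if (-not $byIdentifier.ContainsKey($Identifier)) {
        throw "No DPI rule with identifier $Identifier was returned by DPIRuleRetrieveAll"
    }

    $id = $byIdentifier[$Identifier]
    $dr = $DSM.DPIRuleRetrieve($id, $SID)

    # An ID that matches nothing comes back as an empty transport (every field
    # blank, like the second object in the issue) rather than as an error, so
    # check for that explicitly instead of trusting the return value.
    if ([string]::IsNullOrEmpty($dr.ID)) {
        throw "DPIRuleRetrieve returned an empty rule for ID $id"
    }

    return $dr
}

# Usage, reproducing the issue's case: identifier 1000456 maps to ID 1.
$dr = Get-DSRuleByIdentifier -DSM $DSM -SID $SID -Identifier 1000456
"{0} (identifier {1}, ID {2}): {3}" -f $dr.name, $dr.identifier, $dr.ID, $dr.cveNumbers
```

If you need many lookups in one session, keep the `$byIdentifier` map outside the function (or cache it in a script-scope variable) so DPIRuleRetrieveAll is called once rather than per lookup.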

sudofez commented 6 years ago

Ah, I understand. $_.ID works! I stopped reading the properties as soon as I saw "identifier". Thanks for your help.