Bro-Dev Group,

I am digging through the BinPAC code for the DCE-RPC analyzer, and I noticed a 
couple of developer comments that I think could be related, and perhaps even 
resolved, by a simple fix.

1. Developer BinPAC Comments

See Lines 153-155 of dce_rpc-protocol.pac 
being handled correctly and, consequently, the parsers for each one are 
disabled/commented out.

2. Issue / Problem: dce_rpc-protocol.pac

According to the original Open Group specification for DCE RPC (dated October 
1997), the format of the AlterContext packet is identical to the Bind packet, 
and the format of the AlterContextResponse is identical to the BindAck.  See 
the following URL for more info; or I could send you the PDF document 
separately, if needed.

When looking at the BinPAC file, the type records for DCE_RPC_ALTER_CONTEXT and 
DCE_RPC_BIND are different, but should be identical.

Similarly, the type records for DCE_RPC_ALTER_CONTEXT_RESP and DCE_RPC_BIND_ACK 
are very different, but should be identical.

3. Proposed Fix: dce_rpc-protocol.pac

Modify the type record for DCE_RPC_ALTER_CONTEXT to be identical to 

Modify the type record for DCE_RPC_ALTER_CONTEXT_RESP to be identical to 

Remove '#' on Lines 154 and 155 to un-comment these lines and re-enable the 

In dce_rpc-analyzer.pac, generate events resulting from the AlterContext packet 
to allow logging of the new binding information in script-land.
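To illustrate the point above that a Bind and an AlterContext PDU share one body layout (so a single parser can serve both), here is an added Python example that is not from the Bro/BinPAC sources or the Open Group spec: it parses the 16-byte common header plus the bind body as laid out in the C706 spec, over a constructed single-context PDU. It assumes a little-endian data representation, no trailing auth verifier, and uses the well-known SRVSVC interface and NDR transfer-syntax UUIDs purely as sample values.

```python
import struct
import uuid

# PTYPE values from the DCE RPC spec (C706, section 12.6.1).
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
PTYPE_ALTER_CONTEXT, PTYPE_ALTER_CONTEXT_RESP = 14, 15

# Well-known interface and transfer-syntax UUIDs, used here only as sample values.
SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def parse_bind_like(pdu: bytes) -> dict:
    """Parse a Bind (11) or AlterContext (14) PDU; both share one body layout.

    Assumes little-endian integers (packed_drep[0] & 0xF0 == 0x10) and ignores
    any trailing auth verifier.
    """
    vers, _minor, ptype, _flags, drep, frag_len, _auth_len, call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError(f"not a Bind/AlterContext PDU: vers={vers} ptype={ptype}")
    if drep[0] & 0xF0 != 0x10 or frag_len > len(pdu):
        raise ValueError("unsupported data representation or truncated PDU")
    max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB", pdu, 16)
    off = 28  # header(16) + frag sizes(4) + assoc_group_id(4) + n_context_elem(1) + reserved(3)
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4  # p_cont_id(2), n_transfer_syn(1), reserved(1)
        syntaxes = []  # abstract syntax first, then each transfer syntax: uuid + u32 version
        for _ in range(1 + n_ts):
            syntaxes.append((uuid.UUID(bytes_le=pdu[off:off + 16]),
                             struct.unpack_from("<I", pdu, off + 16)[0]))
            off += 20
        contexts.append({"ctx_id": ctx_id, "abstract": syntaxes[0], "transfer": syntaxes[1:]})
    return {"ptype": ptype, "call_id": call_id, "assoc_group_id": assoc_group,
            "max_xmit_frag": max_xmit, "max_recv_frag": max_recv, "contexts": contexts}


def build_bind_like(ptype: int, call_id: int, ctx_id: int, abstract, transfer) -> bytes:
    """Construct a single-context Bind or AlterContext PDU (sample data, not captured traffic)."""
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0)  # frag sizes, assoc group, 1 context
    body += struct.pack("<HBB", ctx_id, 1, 0)  # one transfer syntax for this context
    for syn_uuid, version in (abstract, transfer):
        body += syn_uuid.bytes_le + struct.pack("<I", version)
    header = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, call_id)
    return header + body
```

Feeding the same constructed body through both PTYPE values yields identical context lists, which is exactly why the AlterContext record can reuse the Bind record.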

4. Developer Script-land Comments

See Lines 137 and 187 of main.bro 
stating a condition where sometimes the binding is not seen.  I can think of a 
couple of scenarios under which this would occur: (a) packet loss/drop; and (b) 
AlterContext packet not parsed.  I think the fix described above will address 
(b) and help reduce the number of instances where the binding isn't seen.

5. Bro Issue Tracker

I plan to submit this to Bro Issue Tracker.  Just wanted to give you a heads up 

bro-dev mailing list