Bro-Dev Group,

I am digging through the BinPAC code for the DCE-RPC analyzer, and I noticed a 
couple of developer comments that I think could be related, and perhaps even 
resolved, by a simple fix.

1. Developer BinPAC Comments

See Lines 153-155 of dce_rpc-protocol.pac 
[https://github.com/bro/bro/blob/master/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac#L153],
 stating that DCE_RPC_ALTER_CONTEXT and DCE_RPC_ALTER_CONTEXT_RESP are not 
being handled correctly and consequently, the parsers for each one are 
disabled/commented out.


2. Issue / Problem: dce_rpc-protocol.pac

According to the original Open Group specification for DCE RPC (dated October 
1997), the format of the AlterContext packet is identical to the Bind packet, 
and the format of the AlterContextResponse is identical to the BindAck.  See 
the following URLs for more info; or I could send you the PDF document 
separately, if needed.

http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_01
http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_02

When looking at the BinPAC file, the type records for DCE_RPC_ALTER_CONTEXT and 
DCE_RPC_BIND are different, but they should be identical.

Similarly, the type records for DCE_RPC_ALTER_CONTEXT_RESP and DCE_RPC_BIND_ACK 
are very different, but they should be identical.


3. Proposed Fix: dce_rpc-protocol.pac

Modify the type record for DCE_RPC_ALTER_CONTEXT to be identical to 
DCE_RPC_BIND.

Modify the type record for DCE_RPC_ALTER_CONTEXT_RESP to be identical to 
DCE_RPC_BIND_ACK.

Remove '#' on Lines 154 and 155 to un-comment these lines and re-enable the 
parsers.

In dce_rpc-analyzer.pac, generate events resulting from the AlterContext packet 
to allow logging of the new binding information in script-land.


4. Developer Script-land Comments

See Lines 137 and 187 of main.bro 
[https://github.com/bro/bro/blob/master/scripts/base/protocols/dce-rpc/main.bro#L137],
 stating a condition where sometimes the binding is not seen.  I can think of a 
couple of scenarios under which this would occur: (a) packet loss/drop; and (b) 
AlterContext packet not parsed.  I think the fix described above will address 
(b) and help reduce the number of instances where the binding isn't seen.


5. Bro Issue Tracker

I plan to submit this to the Bro Issue Tracker.  Just wanted to give you a heads up 
here.


Cheers!
Mark
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
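To illustrate the point of the proposed fix (a Bind and an AlterContext PDU share one body layout, so one parser can serve both PTYPEs and the binding information is not lost when a context is altered), here is an added standalone Python example; it is not code from Bro or the BinPAC analyzer. It assumes little-endian DREP, no authentication trailer, and a single context element, and the sample packet is constructed by the builder below rather than captured.

```python
import struct
import uuid
# Connection-oriented PTYPE values from the Open Group DCE 1.1 RPC spec (C706).
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14
# Well-known syntax ids, used only to build a constructed sample packet below.
NDR_SYNTAX = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2)
SRVSVC_IFACE = ("4b324fc8-1670-01d3-1278-5a47bf6ee188", 3)

def _syntax_id(buf, off):
    """p_syntax_id_t: UUID in little-endian DREP order plus a 32-bit if_version
    (low 16 bits major, high 16 bits minor)."""
    if len(buf) < off + 20:
        raise ValueError("truncated p_syntax_id_t")
    u = uuid.UUID(bytes_le=buf[off:off + 16])
    ver, = struct.unpack_from("<I", buf, off + 16)
    return f"{u}:{ver & 0xFFFF}.{ver >> 16}"

def parse_bind_like(pdu):
    """Parse a Bind (11) or AlterContext (14) PDU with one routine, since the
    spec gives both the same body. Assumes little-endian DREP, no auth trailer."""
    if len(pdu) < 28:
        raise ValueError("truncated PDU")
    ptype = pdu[2]
    if ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError(f"PTYPE {ptype} is not bind/alter_context")
    if pdu[4] >> 4 != 1:                     # packed_drep[0]: 1 = little-endian
        raise ValueError("big-endian DREP not handled by this example")
    frag_len, _auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    if frag_len > len(pdu):                  # never trust frag_length blindly
        raise ValueError("frag_length exceeds captured bytes")
    _max_xmit, _max_recv, assoc_group = struct.unpack_from("<HHI", pdu, 16)
    n_ctx, off, contexts = pdu[24], 28, []   # n_context_elem + 3 reserved bytes
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4                             # p_cont_id, n_transfer_syn, reserved
        abstract, off = _syntax_id(pdu, off), off + 20
        transfer = [_syntax_id(pdu, off + 20 * i) for i in range(n_ts)]
        off += 20 * n_ts
        contexts.append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfer})
    return {"ptype": ptype, "call_id": call_id, "assoc_group": assoc_group, "contexts": contexts}

def build_bind_like(ptype, call_id, ctx_id, abstract, transfers):
    """Build a Bind/AlterContext PDU with one context element (constructed input)."""
    syn = lambda s: uuid.UUID(s[0]).bytes_le + struct.pack("<I", s[1])
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)    # frag sizes, assoc_group, n_ctx
    body += struct.pack("<HBB", ctx_id, len(transfers), 0) + syn(abstract)
    body += b"".join(syn(t) for t in transfers)
    # common header: vers 5.0, PTYPE, pfc_flags FIRST|LAST, DREP LE, frag_length, auth_length, call_id
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0", 16 + len(body), 0, call_id)
    return hdr + body
```

Feeding a PTYPE 14 packet through the same routine as a PTYPE 11 packet yields the new abstract syntax (interface) and transfer syntax, which is exactly the binding information the script-land code needs when the context changes mid-connection.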