[Snort-devel] DCERPC2 Questions

Todd Wease twease at ...402...
Wed Sep 9 15:26:06 EDT 2009

Hi snort user, replies inline...

snort user wrote:
> Hello !
> After dcerpc2 processing, is it a pseudo packet that goes thru the
> matching engine?
> [ i.e. passed to Detect( ) ]

The raw packet will go through the detection engine.  If there is any
reassembly, those pseudo packets will also go through.

> In case of an alert, is there a way to log the actual packet payload?

If the alert is generated by the raw packet, the raw packet will be
logged.  In case of a reassembled pseudo packet, only the pseudo packet
will be logged - no way currently to log the actual packet.

> Also could someone explain briefly the use of stack in dcerpc2
> - DCE2_CStackTop
> - DCE2_PushPkt
> - DCE2_PopPkt

These are related to the potential multiple levels of reassembly in the

> Thanks much for the help!
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
> trial. Simplify your report design, integration and deployment - and focus on 
> what you do best, core application coding. Discover what's new with 
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

More information about the Snort-devel mailing list