[Snort-devel] DCERPC2 Questions

snort user snort.user at ...2499...
Wed Sep 9 15:32:20 EDT 2009


Thanks for the reply, Todd. I have a couple more questions.

> These are related to the potential multiple levels of reassembly in the
> preprocessor.

Can you explain what you meant by multiple levels of reassembly?

Does dcerpc2 depend on Stream5 only for state tracking (get and set
application data, checking flow, direction, etc.), OR does it also depend
on the reassembly functionality, i.e. putting the separate TCP segments
into a contiguous buffer?

If Stream5 already does that, then is there a separate reassembly that
dcerpc2 does on top of that?


Any clarification is much appreciated.


Thanks



On Wed, Sep 9, 2009 at 3:26 PM, Todd Wease <twease at ...402...> wrote:
> Hi snort user, replies inline...
>
> snort user wrote:
>> Hello !
>>
>> After dcerpc2 processing, is it a pseudo packet that goes thru the
>> matching engine?
>> [ i.e. passed to Detect( ) ]
>>
>
> The raw packet will go through the detection engine.  If there is any
> reassembly, those pseudo packets will also go through.
>
>> In case of an alert, is there a way to log the actual packet payload?
>>
>
> If the alert is generated by the raw packet, the raw packet will be
> logged.  In case of a reassembled pseudo packet, only the pseudo packet
> will be logged - no way currently to log the actual packet.
>
>> Also could someone explain briefly the use of stack in dcerpc2
>> - DCE2_CStackTop
>> - DCE2_PushPkt
>> - DCE2_PopPkt
>>
>
> These are related to the potential multiple levels of reassembly in the
> preprocessor.
>
>>
>> Thanks much for the help!
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>
>

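The "multiple levels of reassembly" discussed above, as an added example that is not part of the thread or of Snort's dcerpc2 code: a small Python model of the two reassembly steps a connection-oriented DCE/RPC decoder has to do on top of the contiguous TCP byte stream that Stream5 hands it. Level one collects the bytes of a single PDU that may be split across TCP segments (or share a segment with other PDUs); level two joins the stub data of a request that is spread over several PDUs using the PFC_FIRST_FRAG/PFC_LAST_FRAG flags. The CO header layout, the request header layout, and the flag values are from the DCE/RPC specification; everything else (the class and function names, the little-endian-only handling, the refusal of auth trailers, and the constructed stub data) is an assumption made for the example. The last function shows why the reassembled buffer matters for detection: a pattern that straddles a fragment boundary is not found in any raw fragment but is found in the reassembled stub, which is the "pseudo packet" Todd describes.

```python
import struct

# DCE/RPC connection-oriented (CO) common PDU header (16 bytes):
# rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id
CO_HDR = "<BBBB4sHHI"
CO_HDR_LEN = struct.calcsize(CO_HDR)       # 16
# Request PDU header that follows the common header: alloc_hint, p_cont_id, opnum
REQ_HDR = "<IHH"
REQ_HDR_LEN = struct.calcsize(REQ_HDR)     # 8
PTYPE_REQUEST = 0
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DREP_LE = b"\x10\x00\x00\x00"              # drep[0] high nibble 1 = little-endian integers


def build_request(call_id, opnum, stub, first, last):
    """Build one request PDU carrying `stub` (constructed test data, no auth trailer)."""
    flags = (PFC_FIRST_FRAG if first else 0) | (PFC_LAST_FRAG if last else 0)
    body = struct.pack(REQ_HDR, len(stub), 0, opnum) + stub
    hdr = struct.pack(CO_HDR, 5, 0, PTYPE_REQUEST, flags, DREP_LE,
                      CO_HDR_LEN + len(body), 0, call_id)
    return hdr + body


class DceRpcReassembler:
    """Reassembly above the TCP level (which Stream5 is assumed to have done already):
    level 1: stream bytes -> whole PDUs (a PDU may span segments, a segment may hold several PDUs)
    level 2: request PDUs -> whole request stub (FIRST_FRAG ... LAST_FRAG, keyed by call_id)
    Only little-endian PDUs without an auth trailer are handled (assumption for the example)."""

    def __init__(self):
        self.pending = b""    # bytes of a PDU whose frag_length has not arrived in full yet
        self.requests = {}    # call_id -> (opnum, [stub fragments]) for in-flight requests

    def feed(self, data):
        """Feed in-order stream bytes; return the list of completed (call_id, opnum, stub) requests."""
        done = []
        self.pending += data
        while len(self.pending) >= CO_HDR_LEN:
            ver, _minor, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack(
                CO_HDR, self.pending[:CO_HDR_LEN])
            if ver != 5 or (drep[0] & 0xF0) != 0x10 or frag_len < CO_HDR_LEN:
                raise ValueError("not a little-endian DCE/RPC v5 CO PDU")
            if auth_len != 0:
                raise ValueError("auth trailers are not handled in this example")
            if len(self.pending) < frag_len:
                break                                  # level 1: wait for the rest of this PDU
            pdu, self.pending = self.pending[:frag_len], self.pending[frag_len:]
            if ptype != PTYPE_REQUEST:
                continue                               # only requests are reassembled here
            opnum = struct.unpack(REQ_HDR, pdu[CO_HDR_LEN:CO_HDR_LEN + REQ_HDR_LEN])[2]
            stub = pdu[CO_HDR_LEN + REQ_HDR_LEN:]
            if flags & PFC_FIRST_FRAG:
                self.requests[call_id] = (opnum, [])   # level 2: start a new request
            if call_id not in self.requests:
                raise ValueError("continuation fragment without a first fragment")
            self.requests[call_id][1].append(stub)
            if flags & PFC_LAST_FRAG:
                opnum, parts = self.requests.pop(call_id)
                done.append((call_id, opnum, b"".join(parts)))
        return done


STUB = b"A" * 20 + b"B" * 20   # constructed stub data: 40 bytes split over two PDUs below
FRAGMENTS = [build_request(7, 3, STUB[:20], first=True, last=False),
             build_request(7, 3, STUB[20:], first=False, last=True)]


def reassemble_over_segments(segment_size=7):
    """Cut the two-fragment request into TCP-segment-sized pieces and reassemble it."""
    wire = b"".join(FRAGMENTS)
    r = DceRpcReassembler()
    completed = []
    for i in range(0, len(wire), segment_size):
        completed += r.feed(wire[i:i + segment_size])
    return completed


def where_pattern_matches(pattern=b"AAAABBBB"):
    """(found in any raw fragment's stub, found in the reassembled stub): why the pseudo packet exists."""
    raw_hit = any(pattern in f[CO_HDR_LEN + REQ_HDR_LEN:] for f in FRAGMENTS)
    reassembled_hit = pattern in reassemble_over_segments()[0][2]
    return raw_hit, reassembled_hit


if __name__ == "__main__":
    print(reassemble_over_segments())
    print(where_pattern_matches())
```

Feeding the same bytes with a different `segment_size` (one byte at a time, or everything in one segment) gives the same result, which is the property the PDU-level step provides; the request-level step is what makes the boundary-spanning pattern visible.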