[Snort-devel] DCERPC2 Questions

Todd Wease twease at ...402...
Fri Sep 11 09:29:42 EDT 2009


The preprocessor may have to reassemble a NetBIOS packet, DCE/RPC 
segmented packet or a DCE/RPC fragmented packet.


On 09/09/2009 03:32 PM, snort user wrote:
> Thanks for the reply, Todd. I have a couple more questions.
>
>> These are related to the potential multiple levels of reassembly in the
>> preprocessor.
>
> Can you explain what you meant by multiple levels of reassembly.
>
> Does dcerpc2 depend on Stream5 only for state tracking (get and set
> application data,
> checking flow, direction etc) OR does it also depend on the reassembly
> functionality
> i.e. putting the separate TCP segments into a contiguous buffer.
>
> If Stream5 already does that, then is there a separate reassembly that
> dcerpc does on top
> of that ?
>
>
> Any clarification is much appreciated.
>
>
> Thanks
>
>
>
> On Wed, Sep 9, 2009 at 3:26 PM, Todd Wease<twease at ...402...>  wrote:
>> Hi snort user, replies inline...
>>
>> snort user wrote:
>>> Hello !
>>>
>>> After dcerpc2 processing, is it a pseudo packet that goes thru the
>>> matching engine?
>>> [ i.e. passed to Detect( ) ]
>>>
>>
>> The raw packet will go through the detection engine.  If there is any
>> reassembly, those pseudo packets will also go through.
>>
>>> In case of an alert, is there a way to log the actual packet payload?
>>>
>>
>> If the alert is generated by the raw packet, the raw packet will be
>> logged.  In case of a reassembled pseudo packet, only the pseudo packet
>> will be logged - no way currently to log the actual packet.
>>
>>> Also could someone explain briefly the use of stack in dcerpc2
>>> - DCE2_CStackTop
>>> - DCE2_PushPkt
>>> - DCE2_PopPkt
>>>
>>
>> These are related to the potential multiple levels of reassembly in the
>> preprocessor.
>>
>>>
>>> Thanks much for the help!
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>
>>
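To make the two lower levels Todd lists above concrete, here is an added example (not Snort's dcerpc2 code) that first stitches TCP segment payloads back into whole DCE/RPC PDUs using the connection-oriented header's frag_length, then joins request fragments per call_id using the PFC_FIRST_FRAG/PFC_LAST_FRAG flags. The request builder and the sample byte stream are constructed for the demo; NetBIOS/SMB framing and authentication trailers are assumed absent.

```python
import struct

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
CO_HDR_LEN = 16          # common connection-oriented header
REQ_HDR_LEN = 24         # common header + alloc_hint, context_id, opnum
PTYPE_REQUEST = 0

def build_request(call_id, flags, stub, opnum=0):
    """Construct a little-endian DCE/RPC request PDU (constructed sample data)."""
    frag_len = REQ_HDR_LEN + len(stub)
    # rpc_vers=5, minor=0, ptype, pfc_flags, packed_drep (0x10 = little endian),
    # frag_length, auth_length=0, call_id
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                      b"\x10\x00\x00\x00", frag_len, 0, call_id)
    hdr += struct.pack("<IHH", len(stub), 0, opnum)  # alloc_hint, context_id, opnum
    return hdr + stub

def pdus_from_segments(segments):
    """Level 1: reassemble TCP segment payloads into whole PDUs via frag_length."""
    buf = b""
    for seg in segments:
        buf += seg
        while len(buf) >= CO_HDR_LEN:
            endian = "<" if buf[4] & 0x10 else ">"   # honour the sender's drep
            frag_len = struct.unpack(endian + "H", buf[8:10])[0]
            if frag_len < CO_HDR_LEN:
                raise ValueError("frag_length smaller than the common header")
            if len(buf) < frag_len:
                break                                 # wait for more segments
            yield buf[:frag_len]
            buf = buf[frag_len:]

def reassemble_requests(pdus):
    """Level 2: join fragmented request stub data per call_id via pfc_flags."""
    pending = {}
    for pdu in pdus:
        ptype, flags = pdu[2], pdu[3]
        endian = "<" if pdu[4] & 0x10 else ">"
        call_id = struct.unpack(endian + "I", pdu[12:16])[0]
        if ptype != PTYPE_REQUEST:
            continue
        stub = pdu[REQ_HDR_LEN:]        # assumes auth_length == 0 (no trailer)
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = b""
        if call_id not in pending:
            raise ValueError("fragment seen without a first fragment")
        pending[call_id] += stub
        if flags & PFC_LAST_FRAG:
            yield call_id, pending.pop(call_id)

def demo():
    # One request split into two fragments, then into three odd-sized TCP segments.
    stream = build_request(7, PFC_FIRST_FRAG, b"ABCD") + build_request(7, PFC_LAST_FRAG, b"EFGH")
    segments = [stream[:10], stream[10:30], stream[30:]]
    return list(reassemble_requests(pdus_from_segments(segments)))
```

Either level alone would miss a pattern such as "ABCDEFGH" that straddles a fragment boundary, which is why the pseudo packet built at the upper level is what goes through the detection engine.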
