[Snort-devel] ERROR: dcerpc2: dce2_co.c(1952) Could not create DCE/RPC frag reassembled packet.

Lukas Matt lukas.matt at ...3285...
Tue Jul 17 04:29:54 EDT 2012


Hi,

I have two requests; the first is a possible false positive:
If you try to download this file 
(http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab), 
it will fail because of this:

    pattern/2922/finished_pullpork_rules/stub.rules:alert tcp
    $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CAB SIP
    authenticode alteration attempt"; sid:16530; gid:3; rev:6;
    classtype:attempted-user; reference:cve,2010-0487;
    reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-019; metadata:
    engine shared, soid 3|16530, service http, policy balanced-ips drop,
    policy security-ips drop;)

Unfortunately this SID is a binary rule, so can you check it for me?

The next thing is that our customers received the following error message:

    ERROR: dcerpc2: dce2_co.c(1952) Could not create DCE/RPC frag
    reassembled packet.

This happens here:

    rpkt = DCE2_CoGetRpkt(sd, cot, co_rtype, &rpkt_type);
    if (rpkt == NULL) {
         DCE2_Log(DCE2_LOG_TYPE__ERROR,
             "%s(%d) Could not create DCE/RPC frag reassembled packet.\n",
             __FILE__, __LINE__);
         PREPROC_PROFILE_END(dce2_pstat_co_reass);
         return;
    }

In my opinion it is not a real problem, more a logging question.
Is it possible to change the logging method here, so that our customers 
will not be flooded?

Thanks in advance,
Lukas Matt


-- 
Lukas Matt | lukas.matt at ...3285... | Deep Packet Inspection Researcher
Astaro GmbH & Co. KG -- a Sophos company | www.astaro.com | www.sophos.com
Phone +49-721-25516-322 | Fax +49-721-25516-200
Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany

Astaro GmbH & Co. KG -- a Sophos company,
Commercial Register: Mannheim HRA 702710,
Headquarter Location: Karlsruhe,

Represented by the General Partner Astaro Verwaltungs GmbH
Commercial Register: Mannheim HRB 708248 Amalienbadstr. 41, Bau 52 | 
76227 Karlsruhe | Germany
Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk, 
Dr. Frank Nellissen
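
One way to keep a per-packet error path like the one quoted above from flooding the log, as an added example that is not part of the original post and is not Snort code: a per-call-site throttle that writes a few messages per interval and counts the rest. The names `log_throttle_t`, `throttled_log` and `simulate_failures`, and the interval and burst values, are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <time.h>

#define THROTTLE_INTERVAL 60 /* seconds per window (constructed value) */
#define THROTTLE_BURST    3  /* messages written per window (constructed value) */

/* Hypothetical per-call-site state; not a Snort structure. */
typedef struct {
    time_t window_start;   /* start of the current window */
    unsigned emitted;      /* messages written in this window */
    unsigned suppressed;   /* messages dropped in this window */
} log_throttle_t;

/* Writes the message and returns 1, or counts it as suppressed and returns 0.
 * The suppressed total is reported on the first call after the window ends.
 * `now` is a parameter so the behaviour can be tested without sleeping. */
int throttled_log(log_throttle_t *t, time_t now, FILE *out, const char *fmt, ...)
{
    va_list ap;

    if (now - t->window_start >= THROTTLE_INTERVAL) {
        if (t->suppressed > 0)
            fprintf(out, "(last message repeated %u more times)\n", t->suppressed);
        t->window_start = now;
        t->emitted = 0;
        t->suppressed = 0;
    }
    if (t->emitted >= THROTTLE_BURST) {
        t->suppressed++;
        return 0;
    }
    t->emitted++;
    va_start(ap, fmt);
    vfprintf(out, fmt, ap);
    va_end(ap);
    return 1;
}

/* Simulates the failing reassembly path being hit n times at time `now`. */
int simulate_failures(log_throttle_t *t, time_t now, int n, FILE *out)
{
    int written = 0;
    for (int i = 0; i < n; i++)
        written += throttled_log(t, now, out,
            "%s(%d) Could not create DCE/RPC frag reassembled packet.\n",
            "dce2_co.c", 1952);
    return written;
}

int main(void)
{
    log_throttle_t t = {0};
    printf("written: %d\n", simulate_failures(&t, time(NULL), 500, stderr));
    return 0;
}
```

Keeping one `log_throttle_t` per call site limits each message independently, so a noisy path does not hide errors raised elsewhere.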