Bro DCE-RPC Fix for AlterContext and AlterContextResponse Parsers

Bro-Dev Group,

I am digging through the BinPAC code for the DCE-RPC analyzer, and I noticed a couple of developer comments that I think could be related, and perhaps even resolved, by a simple fix.

1. Developer BinPAC Comments

See Lines 153-155 of dce_rpc-protocol.pac [https://github.com/bro/bro/blob/master/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac#L153], stating that DCE_RPC_ALTER_CONTEXT and DCE_RPC_ALTER_CONTEXT_RESP are not being handled correctly and consequently, the parsers for each one are disabled/commented out.

2. Issue / Problem: dce_rpc-protocol.pac

According to the original Open Group specification for DCE RPC (dated October 1997), the format of the AlterContext packet is identical to the Bind packet, and the format of the AlterContextResponse is identical to the BindAck. See the following URL for more info; or I could send you the PDF document separately, if needed.

http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_01

http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_02

When looking at the BinPAC file, the type records for DCE_RPC_ALTER_CONTEXT and DCE_RPC_BIND are different; they should be identical.

Similarly, the type records for DCE_RPC_ALTER_CONTEXT_RESP and DCE_RPC_BIND_ACK are very different; they should be identical.

3. Proposed Fix: dce_rpc-protocol.pac

Modify the type record for DCE_RPC_ALTER_CONTEXT to be identical to DCE_RPC_BIND.

Modify the type record for DCE_RPC_ALTER_CONTEXT_RESP to be identical to DCE_RPC_BIND_ACK.

Remove ‘#’ on Lines 154 and 155 to un-comment these lines and re-enable the parsers.

In dce_rpc-analyzer.pac, generate events resulting from the AlterContext packet to allow logging of the new binding information in script-land.

4. Developer Script-land Comments

See Lines 137 and 187 of main.bro [https://github.com/bro/bro/blob/master/scripts/base/protocols/dce-rpc/main.bro#L137], stating a condition where sometimes the binding is not seen. I can think of a couple of scenarios under which this would occur: (a) packet loss/drop; and (b) AlterContext packet not parsed. I think the fix described above will address (b) and help reduce the number of instances where the binding isn't seen.

5. Bro Issue Tracker

I plan to submit this to Bro Issue Tracker. Just wanted to give you a heads up here.

Cheers!

Mark
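The PDU layouts the message above describes, as an added example (this is not Bro's BinPAC code and was not part of the original thread): a small Python parser for the connection-oriented DCE-RPC common header and the bodies of the bind family, following the C706 layouts, in which bind and alter_context share one body parser and bind_ack and alter_context_resp share another, with PTYPE in the common header as the only difference. The sample PDUs are constructed inline by the build_* helpers, not taken from any capture; the interface UUID is made up for the example, while the NDR transfer-syntax UUID is the standard one.

```python
"""DCE-RPC bind-family PDU parser (C706 section 12.6.4).

Added example, not Bro's BinPAC code. Sample PDUs are constructed here, not
captured; the IFACE UUID below is invented for the example.
"""
import struct
import uuid

# PTYPE values from C706, section 12.6.4.
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
PTYPE_ALTER_CONTEXT, PTYPE_ALTER_CONTEXT_RESP = 14, 15
HDR_LEN = 16  # rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id

NDR32 = "8a885d04-1ceb-11c9-9fe8-08002b104860"  # standard NDR transfer syntax, version 2.0
IFACE = "12345678-1234-abcd-ef00-0123456789ab"  # constructed interface UUID, not a real one


def _order(packed_drep):
    # High nibble of packed_drep[0]: 0 = big-endian integers, 1 = little-endian.
    return "<" if (packed_drep[0] >> 4) == 1 else ">"


def parse_header(data):
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("BBBB", data, 0)
    if rpc_vers != 5:
        raise ValueError("not a DCE-RPC version 5 PDU")
    order = _order(data[4:8])
    frag_length, auth_length, call_id = struct.unpack_from(order + "HHI", data, 8)
    if frag_length > len(data):
        raise ValueError("truncated PDU: frag_length exceeds available data")
    return {"ptype": ptype, "pfc_flags": pfc_flags, "frag_length": frag_length,
            "auth_length": auth_length, "call_id": call_id}, order


def _syntax_id(data, off, order):
    # p_syntax_id_t: UUID in NDR encoding (first three fields in drep byte order) + if_version.
    tl, tm, th = struct.unpack_from(order + "IHH", data, off)
    u = uuid.UUID(bytes=struct.pack(">IHH", tl, tm, th) + data[off + 8:off + 16])
    major, minor = struct.unpack_from(order + "HH", data, off + 16)
    return str(u), major, minor


def parse_bind_like(data, off, order):
    """Body shared by bind (PTYPE 11) and alter_context (PTYPE 14)."""
    max_xmit, max_recv, assoc_group = struct.unpack_from(order + "HHI", data, off)
    off += 8
    n_ctx = data[off]  # n_context_elem, followed by one reserved byte and a reserved u16
    off += 4
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from(order + "HB", data, off)  # p_cont_id, n_transfer_syn, reserved
        off += 4
        abstract = _syntax_id(data, off, order)
        off += 20
        transfers = [_syntax_id(data, off + 20 * i, order) for i in range(n_ts)]
        off += 20 * n_ts
        contexts.append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfers})
    return {"max_xmit": max_xmit, "max_recv": max_recv, "assoc_group": assoc_group, "contexts": contexts}


def parse_bind_ack_like(data, off, order):
    """Body shared by bind_ack (PTYPE 12) and alter_context_resp (PTYPE 15)."""
    max_xmit, max_recv, assoc_group = struct.unpack_from(order + "HHI", data, off)
    off += 8
    sec_len = struct.unpack_from(order + "H", data, off)[0]  # port_any_t: u16 length + bytes
    off += 2
    sec_addr = data[off:off + sec_len]
    off = (off + sec_len + 3) & ~3  # pad to a 4-octet boundary (header is 16 bytes, so absolute offsets align)
    n_results = data[off]  # n_results, followed by one reserved byte and a reserved u16
    off += 4
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from(order + "HH", data, off)
        results.append({"result": result, "reason": reason, "transfer": _syntax_id(data, off + 4, order)})
        off += 24
    return {"max_xmit": max_xmit, "max_recv": max_recv, "assoc_group": assoc_group,
            "sec_addr": sec_addr.rstrip(b"\0").decode("ascii", "replace"), "results": results}


BODY_PARSERS = {PTYPE_BIND: parse_bind_like, PTYPE_ALTER_CONTEXT: parse_bind_like,
                PTYPE_BIND_ACK: parse_bind_ack_like, PTYPE_ALTER_CONTEXT_RESP: parse_bind_ack_like}


def parse_pdu(data):
    """Return (header, body); body is None for PTYPEs this example does not cover."""
    hdr, order = parse_header(data)
    parser = BODY_PARSERS.get(hdr["ptype"])
    return hdr, (parser(data, HDR_LEN, order) if parser else None)


# --- constructed sample PDUs (little-endian drep, FIRST_FRAG|LAST_FRAG) ---
def _ndr_syntax(u, major, minor):
    x = uuid.UUID(u)
    return (struct.pack("<IHH", x.time_low, x.time_mid, x.time_hi_version) + x.bytes[8:]
            + struct.pack("<HH", major, minor))


def _header(ptype, body, call_id):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", HDR_LEN + len(body), 0, call_id) + body


def build_bind_like(ptype, call_id, ctx_id, iface, major, minor):
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0)
    body += struct.pack("<HBB", ctx_id, 1, 0) + _ndr_syntax(iface, major, minor) + _ndr_syntax(NDR32, 2, 0)
    return _header(ptype, body, call_id)


def build_ack_like(ptype, call_id, sec_addr):
    body = struct.pack("<HHI", 4280, 4280, 0x1234) + struct.pack("<H", len(sec_addr) + 1) + sec_addr + b"\0"
    body += b"\0" * ((-len(body)) % 4)  # pad2 to 4-octet alignment before p_result_list_t
    body += struct.pack("<BBH", 1, 0, 0) + struct.pack("<HH", 0, 0) + _ndr_syntax(NDR32, 2, 0)
    return _header(ptype, body, call_id)


if __name__ == "__main__":
    for pdu in (build_bind_like(PTYPE_BIND, 1, 0, IFACE, 1, 0),
                build_bind_like(PTYPE_ALTER_CONTEXT, 2, 1, IFACE, 1, 0),
                build_ack_like(PTYPE_ALTER_CONTEXT_RESP, 2, b"\\pipe\\samr")):
        print(parse_pdu(pdu))
```

Because the alter_context PDU is parsed by the same function as bind, its context list (interface UUID, version and transfer syntax) is recovered exactly as a bind's would be, which is the information a script-land event for the new binding would carry; the frag_length check shows the one sanity test worth keeping at the header level before any body parser runs.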

Thanks Mark! Those were probably my comments. Unfortunately there were a number of areas where I just ran out of steam doing investigations into why things were happening the way they were so this investigation is deeply appreciated.

Do you have PCAPs with ALTER_CONTEXT messages in them? Because this is a difficult-to-understand change without seeing actual traffic, it would be best if you were able to submit the changes along with tests.

Thanks,
   .Seth

Hi Seth,

Yes, I have a pcap containing the ALTER_CONTEXT req/resp packets. I will start working on the bug fix and submit to BIT, with pcap and test script, hopefully soon.

Cheers,
Mark

Cool, thanks Mark!

   .Seth