DPD framework and DCE_RPC/NTLM analyzers

Hi everybody,

Is there any particular reason why the DCE_RPC/NTLM protocols are disabled by default in the DPD framework? (Both protocols are in DPD::ignore_violations.)



Being in DPD::ignore_violations doesn't exactly mean "DPD is disabled
for those analyzers". It's more like "if an analyzer has previously
issued a protocol confirmation signal, but later issues a protocol
violation signal, then disable that analyzer except if it's in
DPD::ignore_violations". So it's actually used to prevent the
disabling of analyzers.

However, I don't know the origins of DPD::ignore_violations, why it
works that way, or why the DCE_RPC/NTLM protocols are in that set.

- Jon
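
The rule described in the reply, as a small model replayed over constructed events. This is an added example, not Bro/Zeek source and not part of the original thread; the class, method and action names are hypothetical, and the case of a violation with no earlier confirmation is reported separately because the reply does not cover it.

```python
# Added illustration: models the DPD::ignore_violations rule as the reply
# describes it. Not Bro/Zeek code; all names here are hypothetical.

class DpdModel:
    def __init__(self, ignore_violations):
        self.ignore_violations = set(ignore_violations)
        self.confirmed = set()  # (conn, analyzer) pairs that signalled confirmation
        self.disabled = set()   # (conn, analyzer) pairs that were disabled

    def confirmation(self, conn, analyzer):
        if (conn, analyzer) not in self.disabled:
            self.confirmed.add((conn, analyzer))

    def violation(self, conn, analyzer):
        """Return the action taken for one protocol violation signal."""
        key = (conn, analyzer)
        if key in self.disabled:
            return "already-disabled"
        if key not in self.confirmed:
            return "no-prior-confirmation"  # outside the rule in the reply
        if analyzer in self.ignore_violations:
            return "kept"                   # membership prevents disabling
        self.disabled.add(key)
        return "disabled"


def replay(events, ignore_violations):
    """Replay (kind, conn, analyzer) events; return violation actions and model."""
    model = DpdModel(ignore_violations)
    actions = []
    for kind, conn, analyzer in events:
        if kind == "confirm":
            model.confirmation(conn, analyzer)
        elif kind == "violation":
            actions.append(model.violation(conn, analyzer))
    return actions, model


# Constructed sample: one DCE_RPC connection and one HTTP connection,
# each confirming once and then violating twice.
SAMPLE_EVENTS = [
    ("confirm", "C1", "DCE_RPC"),
    ("violation", "C1", "DCE_RPC"),
    ("violation", "C1", "DCE_RPC"),
    ("confirm", "C2", "HTTP"),
    ("violation", "C2", "HTTP"),
    ("violation", "C2", "HTTP"),
]

if __name__ == "__main__":
    actions, model = replay(SAMPLE_EVENTS, {"DCE_RPC", "NTLM"})
    print(actions, sorted(model.disabled))
```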