Hello.
I’m currently developing a Zeek plugin that parses the Profinet_IO_CM protocol traffic.
The PROFINET_IO_CM protocol is transported within a DCE/RPC protocol wrapper.
The DCE/RPC protocol is transported within a UDP packet.
So, I’ve run into a problem when Zeek is trying to detect UDP based DCE/RPC “connections.”
Zeek can correctly recognize “normal” UDP based client/server connections
(e.g. from a DNS client to a DNS server),
but it runs into problems when parsing the UDP based PROFINET_IO_CM protocol.
I’ve attached a detailed write-up (.txt) document that describes the nature of the problem
(along with a proposed solution)
-and- a small .pcapng file that contains actual PROFINET_IO_CM protocol traffic.
Any ideas on how to resolve this issue?
It seems like a “Zeek source code change” will be required to correct this issue?
Thanks,
–Brett
pn_io_cm_udp_connections.txt (6.01 KB)
PROFINET_only.pcapng (3.68 KB)