Oddities / Potential Problems
=============================

Policy-Layer
------------

Portmapper:

* RPC_server_map (from conn.bro, contains portmappings) doesn't have an 'expire'.

* pm_did_log and suppress_pm_log don't have expire timers. Probably should give them a read expire.

* Has different events for requests and attempted requests (both are triggered when a *reply* is parsed) for each Portmap procedure. They behave pretty much the same. Maybe reduce to just one event per procedure.

  + pm_request_* events are generated if the call:reply pair was successful.
  + pm_attempt_* events are generated if the call:reply either failed (can be any error situation) or the call was unanswered.

  Question: what happens when the connection times out? Do we get a pm_attempt_* event? Maybe differentiate which error occurred? Probably not necessary.

* The binpac analyzer does not generate rpc_call events when the call times out (i.e., is unanswered).

Event-Engine
------------

RPC Analyzer:

* Inconsistent Weird generation: if DeliverRPC() fails, we will

  + get a Weird("partial_RPC") for TCP
  + get a Weird("bad_RPC") for UDP

  (DeliverRPC() is called to dispatch RPC messages from the different transports, i.e., it is called by DeliverPacket() and DeliverStream().)

* Might generate multiple Weird() calls for the same weird stuff. E.g., DeliverRPC() sometimes calls Weird("bad_RPC") and then returns 0, which will lead to another Weird call (see above).

* Not sure whether unanswered calls are expired. Probably. See RPC_Interpreter::Timeout().

* The rpc_call event is only generated when a reply is received or the call (request) timed out.

Portmapper (most of these apply to both binpac and C++):

* Only does a Weird() when the RPC program does not match, but maybe it should also stop parsing.

* Does not check the program version. However, it actually only parses version 2 correctly. (Versions 3 and 4 are specified, but they seem to be unused.) Versions 3 and 4 differ at least in the way they specify protocols.

* Is implemented as C++ and binpac, although binpac can only handle UDP. Currently C++ is used for TCP, binpac for UDP.

* See also: http://bro.icir.org/devel/rpc-portmap-nfs-notes.html

NFS:

* Only does a Weird() when the RPC program doesn't match.

* Does not check the version, although the parser is for NFSv3 (might also be able to parse v2...).