Open Information Security Foundation

06/06/2011

09:38 AM Suricata Feature #289 (Closed): Improve DCERPC Big Endian support.

See http://www.antievasion.com/principles/principles/part-3
Specifically the msrpc_big_endian.pcap
Also made the ... Kirby Kuehl

07/25/2010

04:36 PM Suricata Bug #206: Missed detection when dealing with fragmented RPC traffic (ms03-026)

The alert:
sid:3409 in VRT rules
The UUID suricata decodes:... Kirby Kuehl

04:12 PM Suricata Bug #206: Missed detection when dealing with fragmented RPC traffic (ms03-026)

This patch fixes handling multiple DCERPC fragments within a single packet.
When dumping the UUID and the fully asse... Kirby Kuehl

07/09/2010

06:34 PM Suricata Bug #200: smb/dcerpc attack traffic not parsed properly

The patch correctly addresses the problem where the smb parser was not correctly invoking the DCERPC parser, so I bel... Kirby Kuehl

12:03 PM Suricata Bug #200: smb/dcerpc attack traffic not parsed properly

Properly handle ByteCount of 0. Kirby Kuehl

12:06 PM Suricata Bug #206: Missed detection when dealing with fragmented RPC traffic (ms03-026)

Will, can you try this again with the patch contained in Bug ID #200. Kirby Kuehl

06/19/2010

05:49 PM Suricata Bug #94: dcerpc over udp

Please ignore that two patches dated 02/16/2010 and apply the latest three. Kirby Kuehl

03:54 PM Suricata Bug #168: memory leak in DCERPC handling

Nevermind, found the leak just by looking. Patch coming soon. Kirby Kuehl

03:46 PM Suricata Bug #168: memory leak in DCERPC handling

Do you have a packet capture that generates this leak, or how was it produced? Starting to investigate with valgrind. Kirby Kuehl

05/07/2010

10:42 AM Suricata Bug #150: Supress AppLayerParse() errors emitted by SMB and DCERPC by returning 0 instead of -1 on nonfatal errors.

Yes, your fix looks correct. I do not know why the
if ((p - input < 0))
check was there in the first place. Consi... Kirby Kuehl