Project

General

Profile

Actions
Copy link

Feature #7566

open

dcerpc: applayer events for anomalous parsing results

Added by Shivani Bhardwaj 4 months ago. Updated 10 days ago.

Status:
Assigned
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

dcerpc lacks event handling which is important to convey what a possible issue could have led to an unexpected behavior.

Files

Download all files
rough_potato_broken_2.pcap (143 KB) rough_potato_broken_2.pcap pcap with dcerpc Artem Kartunchikov, 04/02/2025 12:02 PM
stats.log (5.17 KB) stats.log Artem Kartunchikov, 04/02/2025 12:03 PM
packets_stats.log (10 KB) packets_stats.log Artem Kartunchikov, 04/02/2025 12:03 PM
locks_stats.log (1.52 KB) locks_stats.log Artem Kartunchikov, 04/02/2025 12:03 PM
Actions
Copy link
 #1

Updated by Victor Julien 3 months ago

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions
Copy link Download all files
 #2

Updated by Artem Kartunchikov 3 months ago

I again encounter this issue but with other pcap file

Actions
Copy link
 #3

Updated by Victor Julien 16 days ago

  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Actions
Copy link
 #4

Updated by Artem Kartunchikov 10 days ago

Also, I think it would be great if instead of the parser getting into an error state and shutting down, it would just skip the unknown RPC calls and continue analyzing the stream

Actions
Copy link

Also available in: Atom PDF