Snort mailing list archives
ERROR: dcerpc2: dce2_co.c(1952) Could not create DCE/RPC frag reassembled packet.
From: Lukas Matt <lukas.matt () sophos com>
Date: Tue, 17 Jul 2012 10:29:54 +0200
Hi,

I have two requests. First of all is a possible False Positive: If you try to download this file (http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab), it will fail because of this:

```
pattern/2922/finished_pullpork_rules/stub.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CAB SIP authenticode alteration attempt"; sid:16530; gid:3; rev:6; classtype:attempted-user; reference:cve,2010-0487; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-019; metadata: engine shared, soid 3|16530, service http, policy balanced-ips drop, policy security-ips drop;)
```

Unfortunately this SID is a binary rule, so can you check it for me?

The next thing is that our customers received the following error message:

```
ERROR: dcerpc2: dce2_co.c(1952) Could not create DCE/RPC frag reassembled packet.
```

This happens here:

```c
rpkt = DCE2_CoGetRpkt(sd, cot, co_rtype, &rpkt_type);
if (rpkt == NULL)
{
    DCE2_Log(DCE2_LOG_TYPE__ERROR,
             "%s(%d) Could not create DCE/RPC frag reassembled packet.\n",
             __FILE__, __LINE__);
    PREPROC_PROFILE_END(dce2_pstat_co_reass);
    return;
}
```

In my opinion it is not a real problem, more a logging question. Is it possible to change the logging method here, so that our customers will not be flooded?
Thanks in advance,
Lukas Matt

--
Lukas Matt | lukas.matt () sophos com | Deep Packet Inspection Researcher
Astaro GmbH & Co. KG -- a Sophos company | www.astaro.com | www.sophos.com
Phone +49-721-25516-322 | Fax +49-721-25516-200
Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany

Astaro GmbH & Co. KG -- a Sophos company, Commercial Register: Mannheim HRA 702710, Headquarter Location: Karlsruhe, Represented by the General Partner Astaro Verwaltungs GmbH
Commercial Register: Mannheim HRB 708248
Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Gert Hansen, Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
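The message above asks whether the repeated error can be logged without flooding operators. One generic way to do that is a per-call-site rate limiter that still records how many messages were dropped. This is an added illustration, not part of the original message and not Snort code; `log_limiter`, `log_limiter_allow`, the 60-second window and the burst of 3 are all assumptions.

```c
/* Added example: hypothetical helper, not Snort code. */
#include <stdio.h>
#include <time.h>

#define LOG_WINDOW_SECS 60   /* assumed window length */
#define LOG_BURST       3    /* assumed messages allowed per window */

typedef struct {
    time_t   window_start;  /* when the current window opened */
    unsigned emitted;       /* messages written in this window */
    unsigned suppressed;    /* messages dropped in this window */
} log_limiter;

/* Returns 1 if the caller may log now, 0 if the message is dropped.
 * When a new window opens, *carried receives how many messages the
 * previous window dropped, so the caller can report the loss. */
int log_limiter_allow(log_limiter *l, time_t now, unsigned *carried)
{
    *carried = 0;
    /* Open a new window on expiry, or if the clock stepped backwards. */
    if (now < l->window_start || now - l->window_start >= LOG_WINDOW_SECS) {
        *carried = l->suppressed;
        l->window_start = now;
        l->emitted = 0;
        l->suppressed = 0;
    }
    if (l->emitted < LOG_BURST) {
        l->emitted++;
        return 1;
    }
    l->suppressed++;
    return 0;
}

/* Simulated flood: 1000 failures per second for 120 constructed seconds. */
int main(void)
{
    log_limiter lim = {0};
    unsigned carried, written = 0;
    for (time_t t = 1000; t < 1120; t++)
        for (int i = 0; i < 1000; i++)
            if (log_limiter_allow(&lim, t, &carried)) {
                if (carried)
                    printf("(%u similar messages suppressed)\n", carried);
                printf("Could not create DCE/RPC frag reassembled packet.\n");
                written++;
            }
    printf("%u of 120000 messages written\n", written);
    return 0;
}
```

Reporting the suppressed count when the next window opens keeps the volume of failures visible to whoever reads the log, which matters if a burst of reassembly failures is itself a signal worth investigating.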