Snort mailing list archives

ERROR: dcerpc2: dce2_co.c(1952) Could not create DCE/RPC frag reassembled packet.


From: Lukas Matt <lukas.matt () sophos com>
Date: Tue, 17 Jul 2012 10:29:54 +0200

Hi,

I have two requests; the first is a possible false positive:
If you try to download this file (http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab), it will fail because of this:

   pattern/2922/finished_pullpork_rules/stub.rules:alert tcp
   $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CAB SIP
   authenticode alteration attempt"; sid:16530; gid:3; rev:6;
   classtype:attempted-user; reference:cve,2010-0487;
   reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-019; metadata:
   engine shared, soid 3|16530, service http, policy balanced-ips drop,
   policy security-ips drop;)

Unfortunately this SID is a binary rule, so can you check it for me?

The next thing is that our customers received the following error message:

   ERROR: dcerpc2: dce2_co.c(1952) Could not create DCE/RPC frag
   reassembled packet.

This happens here:

   rpkt = DCE2_CoGetRpkt(sd, cot, co_rtype, &rpkt_type);
   if (rpkt == NULL) {
        DCE2_Log(DCE2_LOG_TYPE__ERROR,
            "%s(%d) Could not create DCE/RPC frag reassembled packet.\n",
            __FILE__, __LINE__);
        PREPROC_PROFILE_END(dce2_pstat_co_reass);
        return;
   }

In my opinion it is not a real problem, more a logging question.
Is it possible to change the logging method here, so that our customers will not be flooded?

Thanks in advance,
Lukas Matt


--
Lukas Matt | lukas.matt () sophos com | Deep Packet Inspection Researcher
Astaro GmbH & Co. KG -- a Sophos company | www.astaro.com | www.sophos.com
Phone +49-721-25516-322 | Fax +49-721-25516-200
Amalienbadstr. 41, Bau 52 | 76227 Karlsruhe | Germany
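
One way the repeated error described in the message above could be throttled, as an added example that is not part of the original post and is not Snort's code. The names `LogThrottle`, `throttle_allow` and `report_reassembly_failure`, the 60-second window and the burst of 3 are assumptions, and `fprintf` stands in for `DCE2_Log`.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical throttle, not Snort code: window and burst are assumed values. */
#define WINDOW_SEC 60
#define BURST 3

typedef struct {
    time_t window_start;          /* start of the current window (0 = unused) */
    unsigned emitted, suppressed; /* messages written / dropped in this window */
} LogThrottle;

/* Returns 1 if the caller may log now, 0 if the message is suppressed.
 * When a new window opens, *dropped gets the previous window's drop count.
 * Zero-initialised state opens a window on the first call, because any real
 * time() value is far more than WINDOW_SEC past 0. */
int throttle_allow(LogThrottle *t, time_t now, unsigned *dropped)
{
    *dropped = 0;
    if (now - t->window_start >= WINDOW_SEC) {
        *dropped = t->suppressed;
        t->window_start = now;
        t->emitted = t->suppressed = 0;
    }
    if (t->emitted < BURST) {
        t->emitted++;
        return 1;
    }
    t->suppressed++;
    return 0;
}

/* Stand-in for the error branch quoted in the message. Returns 1 if written. */
int report_reassembly_failure(LogThrottle *t, time_t now)
{
    unsigned dropped;
    if (!throttle_allow(t, now, &dropped))
        return 0;
    if (dropped > 0)
        fprintf(stderr, "dcerpc2: previous error suppressed %u times\n", dropped);
    fprintf(stderr, "dcerpc2: Could not create DCE/RPC frag reassembled packet.\n");
    return 1;
}

int main(void)
{
    LogThrottle t = {0};
    int written = 0;
    for (int i = 0; i < 1000; i++)  /* constructed burst of 1000 failures */
        written += report_reassembly_failure(&t, time(NULL));
    return written >= BURST ? 0 : 1;
}
```

The suppressed count is reported once when the next window opens, so the operator still sees how often reassembly failed without one log line per packet.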
