1. ISSUE / PROBLEM: dce_rpc-protocol.pac
DCE_RPC_ALTER_CONTEXT and DCE_RPC_ALTER_CONTEXT_RESP are not being handled correctly.
See Lines 155-157 of dce_rpc-protocol.pac https://github.com/bro/bro/blob/master/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac#L155, stating that DCE_RPC_ALTER_CONTEXT and DCE_RPC_ALTER_CONTEXT_RESP are not being handled correctly and, consequently, the parsers for each one are disabled (commented out).
According to the original Open Group specification for DCE RPC (dated October 1997), the format of the DCE_RPC_ALTER_CONTEXT packet is identical to the DCE_RPC_BIND packet, and the format of the DCE_RPC_ALTER_CONTEXT_RESP is identical to the DCE_RPC_BIND_ACK. See the following URLs for more info:
When looking at the BinPAC file, the type records for DCE_RPC_ALTER_CONTEXT and DCE_RPC_BIND are different, but they should be identical to each other.
Similarly, the type records for DCE_RPC_ALTER_CONTEXT_RESP and DCE_RPC_BIND_ACK are very different, but they should be identical to each other.
2. BUG FIX SUMMARY
2.1 File: src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
2.1.1 Modified the type record for DCE_RPC_ALTER_CONTEXT to be identical to DCE_RPC_BIND.
2.1.2 Modified the type record for DCE_RPC_ALTER_CONTEXT_RESP to be identical to DCE_RPC_BIND_ACK.
2.1.3 Modified the type record for DCE_RPC_Body to remove '#' on Lines 156 and 157 to un-comment these lines and re-enable the parsers.
2.1.4 Modified the type record for ContextList to accept the PTYPE as an input argument, in order to distinguish between DCE_RPC_BIND and DCE_RPC_ALTER_CONTEXT.
2.1.5 Modified the type record for ContextRequest to accept the PTYPE as an input argument, in order to distinguish between DCE_RPC_BIND and DCE_RPC_ALTER_CONTEXT.
2.2 File: src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
2.2.1 Modified refine type attribute for ContextRequest to switch on PTYPE, in order to distinguish between DCE_RPC_BIND and DCE_RPC_ALTER_CONTEXT and to call either proc_dce_rpc_bind or dce_rpc_alter_context, as appropriate.
2.2.2 Added functions process_dce_rpc_alter_context and process_dce_rpc_alter_context_resp to generate an event to allow logging of the new binding information in script-land.
2.2.3 Added refine type attribute for DCE_RPC_ALTER_CONTEXT_RESP to call function process_dce_rpc_alter_context_resp.
2.3 File: src/analyzer/protocol/dce-rpc/events.bif
2.3.1 Added an event for dce_rpc_alter_context.
2.3.2 Added an event for dce_rpc_alter_context_resp.
2.4 File: scripts/base/protocols/dce-rpc/main.bro
2.4.1 Added event handler for dce_rpc_alter_context to do the same thing as the dce_rpc_bind event handler.
2.4.2 Added event handler for dce_rpc_alter_context_resp to do the same thing as the dce_rpc_bind_ack event handler.
2.5 Diff Files
I include diff files comparing the original source code files to the bug-fix files described above.
3. BUG FIX TEST
I modified the source files above and re-built Bro. I ran two dce-rpc btests, as follows:
Both tests passed OK.
3.2 Test Script for AlterContext
I created a test script called _bug-fix-test.bro. It has event handlers for dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_alter_context, and dce_rpc_alter_context_resp. It merely does a print statement for each to show that it handles all four events.
3.3 PCAP File for Alter-Context
I downloaded the "windows7-join" pcap file from the Cloudshark public repository, at the URL:
It contains an AlterContext request and response within TCP stream 92. I extracted stream #92 and submitted only that stream to Bro to use for testing.
Using the sample PCAP above, the RPC interface to which the AlterContext message is binding is the same as the UUID endpoint in the original Bind request. Therefore, we won't observe any difference in the Bro dce-rpc.log, whether we use the original Bro parser or the new parser. However, according to the DCE-RPC specifications, a different UUID endpoint could be used in the AlterContext message; and consequently, we would miss that binding using the original Bro parser.
See Lines 137 and 187 of main.bro https://github.com/bro/bro/blob/master/scripts/base/protocols/dce-rpc/main.bro#L137, stating a condition where sometimes the binding is not seen. I can think of a couple of scenarios under which this would occur: (a) packet loss/drop; and (b) DCE_RPC_ALTER_CONTEXT packets are not parsed. I think the bug fix provided here will address (b) and help reduce the number of instances where the binding isn't seen.
Approved for public release. Distribution unlimited. Case number 18-0741.
© 2018 The MITRE Corporation. All rights reserved.
Thanks, patch is applied via https://github.com/bro/bro/commit/620cd671ba9463eb128e8656669e4c417e6c4f73
With a minor change to the dce_rpc_alter_context_resp event: the spec says that the sec_addr field is ignored, so I don't bother passing it along in the event.
When double checking differences in unit test baselines, I also noticed that the script was not properly tracking context identifiers (so wrong endpoint/operation could be logged in some cases). To fix that, I ended up adding a ctx_id argument to the dce_rpc_bind, dce_rpc_request, and dce_rpc_response events with corresponding logic to inspect those mappings before writing out a log entry.
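The two points of this thread, that ALTER_CONTEXT carries the same body as BIND and ALTER_CONTEXT_RESP the same body as BIND_ACK (section 1 of the report), and that a per-connection map from presentation-context id to interface is needed before a REQUEST can be attributed to the right endpoint (the maintainer's ctx_id remark), can be shown with a small standalone parser. The following is an added example written for this page in Python; it is not the BinPAC or Bro script code discussed above, nor any code from the Bro project. PDU layouts follow the Open Group C706 specification cited in the report; the builder functions, the PDU stream in demo(), the fixed max_xmit/max_recv values and the sec_addr string are constructed sample inputs, and the NDR transfer syntax, srvsvc and samr UUIDs are well-known interface identifiers used only as sample values.

```python
import struct
import uuid

# PTYPE values from the DCE 1.1 RPC spec (C706, section 12.6)
PTYPE_REQUEST, PTYPE_BIND, PTYPE_BIND_ACK = 0, 11, 12
PTYPE_ALTER_CONTEXT, PTYPE_ALTER_CONTEXT_RESP = 14, 15
# Transfer syntax and sample interface UUIDs used by the constructed PDUs below
NDR32 = (uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860"), 2)
SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
SAMR = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")

def syntax_id(u, ver):
    # p_syntax_id_t: UUID in little-endian field order + u32 interface version
    return u.bytes_le + struct.pack("<I", ver)

def header(ptype, call_id, body_len):
    # 16-byte common header: rpc_vers 5.0, PFC_FIRST|PFC_LAST, drep = little-endian ints
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0",
                       16 + body_len, 0, call_id)

def build_bind_like(ptype, call_id, contexts):
    # BIND (11) and ALTER_CONTEXT (14) share this body; contexts = [(ctx_id, uuid, ver)]
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(contexts), 0, 0)
    for ctx_id, u, ver in contexts:
        body += struct.pack("<HBB", ctx_id, 1, 0) + syntax_id(u, ver) + syntax_id(*NDR32)
    return header(ptype, call_id, len(body)) + body

def build_ack_like(ptype, call_id, results, sec_addr=b"\\PIPE\\srvsvc\0"):
    # BIND_ACK (12) and ALTER_CONTEXT_RESP (15) share this body; result 0 = acceptance
    body = struct.pack("<HHIH", 4280, 4280, 0x1234, len(sec_addr)) + sec_addr
    body += b"\0" * ((-(16 + len(body))) % 4)   # p_result_list is 4-byte aligned
    body += struct.pack("<BBH", len(results), 0, 0)
    for r in results:
        body += struct.pack("<HH", r, 0) + syntax_id(*NDR32)
    return header(ptype, call_id, len(body)) + body

def build_request(call_id, ctx_id, opnum, stub=b""):
    # REQUEST (0): alloc_hint, presentation context id, operation number, stub data
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return header(PTYPE_REQUEST, call_id, len(body)) + body

def read_syntax(buf, off, e):
    raw = buf[off:off + 16]
    u = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
    return u, struct.unpack_from(e + "I", buf, off + 16)[0], off + 20

def parse_pdu(pdu):
    """Parse one connection-oriented PDU, honouring the integer byte order in packed_drep."""
    rpc_vers, _, ptype, _ = struct.unpack_from("<BBBB", pdu, 0)
    e = "<" if (pdu[4] >> 4) == 1 else ">"
    frag_len, _, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if rpc_vers != 5 or frag_len != len(pdu):
        raise ValueError("bad DCE-RPC header")
    out = {"ptype": ptype, "call_id": call_id}
    if ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):      # one parser for both
        out["contexts"], off = [], 28                     # n_context_elem sits at offset 24
        for _ in range(pdu[24]):
            ctx_id, n_ts = struct.unpack_from(e + "HB", pdu, off)
            u, ver, off = read_syntax(pdu, off + 4, e)
            out["contexts"].append((ctx_id, u, ver))
            off += 20 * n_ts                              # skip the transfer-syntax list
    elif ptype in (PTYPE_BIND_ACK, PTYPE_ALTER_CONTEXT_RESP):   # one parser for both
        sa_len = struct.unpack_from(e + "H", pdu, 24)[0]
        off = (26 + sa_len + 3) & ~3                      # sec_addr skipped, as in the thread
        n_res, off, out["results"] = pdu[off], off + 4, []
        for _ in range(n_res):
            out["results"].append(struct.unpack_from(e + "H", pdu, off)[0])
            off += 24                                     # result + reason + transfer syntax
    elif ptype == PTYPE_REQUEST:
        _, out["ctx_id"], out["opnum"] = struct.unpack_from(e + "IHH", pdu, 16)
    return out

class ContextTracker:
    """Per-connection map of ctx_id -> interface, committed only once the server accepts."""
    def __init__(self):
        self.pending = {}   # call_id -> proposed contexts awaiting their response PDU
        self.contexts = {}  # ctx_id -> (uuid, version) accepted by the server

    def feed(self, pdu):
        p = parse_pdu(pdu)
        if p["ptype"] in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
            self.pending[p["call_id"]] = p["contexts"]
        elif p["ptype"] in (PTYPE_BIND_ACK, PTYPE_ALTER_CONTEXT_RESP):
            # results are positional: the i-th result answers the i-th proposed context
            for (ctx_id, u, ver), res in zip(self.pending.pop(p["call_id"], []), p["results"]):
                if res == 0:
                    self.contexts[ctx_id] = (u, ver)
        elif p["ptype"] == PTYPE_REQUEST:
            return self.contexts.get(p["ctx_id"]), p["opnum"]
        return None

def demo():
    # Constructed stream: BIND to srvsvc, ALTER_CONTEXT adding samr, a rejected
    # ALTER_CONTEXT, then one REQUEST on each context id
    t = ContextTracker()
    stream = [
        build_bind_like(PTYPE_BIND, 1, [(0, SRVSVC, 3)]),
        build_ack_like(PTYPE_BIND_ACK, 1, [0]),
        build_bind_like(PTYPE_ALTER_CONTEXT, 2, [(1, SAMR, 1)]),
        build_ack_like(PTYPE_ALTER_CONTEXT_RESP, 2, [0]),
        build_bind_like(PTYPE_ALTER_CONTEXT, 3, [(2, SAMR, 1)]),
        build_ack_like(PTYPE_ALTER_CONTEXT_RESP, 3, [2]),   # 2 = provider rejection
        build_request(4, 1, 15), build_request(5, 0, 15), build_request(6, 2, 15),
    ]
    return [r for r in map(t.feed, stream) if r is not None]

if __name__ == "__main__":
    for iface, opnum in demo():
        print(iface, "opnum", opnum)
```

The request on context 1 resolves to samr and the one on context 0 to srvsvc, which is what a log line keyed on ctx_id has to capture; a parser that drops ALTER_CONTEXT would attribute the samr call to the original Bind's interface. The request on context 2 resolves to nothing because the server rejected that context, so the tracker commits a mapping only after the matching BIND_ACK or ALTER_CONTEXT_RESP reports acceptance.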