[Bro-Dev] [JIRA] (BIT-1469) dpd.log contains lots of binpac exceptions for RDP

Vlad Grigorescu (JIRA) jira at bro-tracker.atlassian.net
Thu Sep 3 15:37:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21927#comment-21927 ] 

Vlad Grigorescu commented on BIT-1469:
--------------------------------------

I looked into this, and I don't think that it's trivial to solve correctly. We could easily ignore traffic that generates this warning, but we risk allowing some types of evasion.

The issue is exhibited in frame 38 of the attached PCAP, among others.

> TPKT, Version: 3, Length: 8
> ISO 8073/X.224 COTP Connection-Oriented Transport Protocol
>     Length: 2
>     PDU Type: DT Data (0x0f)
> Data (1 byte)
> 
> 0000  28                                                (
>     Data: 28

DT_Data tries to parse the PDU Type, a uint8 (application_defined_type), and another uint8 (application_type). In this case, there are not 3 bytes available to process.

We could trust the lengths, but comments in the code indicate that they're often incorrect. I'm also unsure if these short packets are designed to be reassembled by the application.

Curious to hear other people's thoughts, but I think bumping this back to 2.5 is a reasonable step for now.

> dpd.log contains lots of binpac exceptions for RDP
> --------------------------------------------------
>
>                 Key: BIT-1469
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1469
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC, Bro
>    Affects Versions: git/master
>         Environment: RHEL  6.6, 2.4-10 bro build from git
>            Reporter: Gary Faulkner
>              Labels: analyzer
>             Fix For: 2.5
>
>         Attachments: rdp-31AUG15.pcap
>
>
> RDP scanners seem to generate a lot of binpac errors in dpd.log for RDP connections.
> The following log line is an example of the error that repeats continuously during the activity:
> 1441031469.413008	CPNcey4q2i8mGVUvEg	74.91.23.83	62082	10.10.81.207	3389	tcp	RDP	Binpac exception: binpac exception: out_of_bound: DT_Data:application_type: 3 > 2
> The 10.x.x.x IP is the redacted local IP. The other IP is the scanner.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)
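
The length check discussed in the comment above, as an added sketch; it is not part of the original message and not Bro's BinPAC code. It reports a short DT unit as its own status rather than raising an exception or silently skipping it. The function name, the status strings, the 3-byte requirement (taken from the "3 > 2" in the log line) and the 0x80 byte in the constructed frame are assumptions.

```python
import struct

# Assumption: once the COTP length and PDU-type bytes are consumed, the
# DT_Data record wants 3 more bytes (consistent with "3 > 2" in dpd.log).
DT_FIXED_BYTES = 3

# Constructed from the Wireshark summary of frame 38: TPKT version 3,
# length 8, COTP length 2, DT Data, one data byte 0x28. The 0x80 byte
# is an assumed value, not shown in the message.
FRAME_38 = bytes.fromhex("0300000802f08028")
# Constructed longer DT unit for comparison.
LONG_DT = bytes.fromhex("0300000c02f0807f65820001")


def classify_tpkt(buf: bytes) -> dict:
    """Bounds-check one TPKT/COTP unit before any field is read."""
    if len(buf) < 4:
        return {"status": "need_more", "reason": "TPKT header incomplete"}
    version, _reserved, tpkt_len = struct.unpack("!BBH", buf[:4])
    if version != 3:
        return {"status": "violation", "reason": f"TPKT version {version}"}
    if len(buf) < tpkt_len:
        # The declared length is larger than what has arrived so far.
        return {"status": "need_more", "reason": "TPKT body incomplete"}
    body = buf[4:tpkt_len]
    if len(body) < 2:
        return {"status": "violation", "reason": "no room for COTP header"}
    info = {"tpkt_len": tpkt_len, "cotp_len": body[0], "pdu_type": body[1]}
    if body[1] >> 4 != 0x0F:  # Wireshark shows DT Data as 0x0f
        return {**info, "status": "other_pdu"}
    available = len(body) - 2
    if available < DT_FIXED_BYTES:
        # Surface the short unit explicitly so it can be logged or counted,
        # instead of dropping it without a trace.
        reason = f"DT_Data needs {DT_FIXED_BYTES} bytes, {available} available"
        return {**info, "status": "short_dt", "reason": reason}
    return {**info, "status": "ok", "fields": tuple(body[2:2 + DT_FIXED_BYTES])}


if __name__ == "__main__":
    for name, frame in (("frame 38", FRAME_38), ("long DT", LONG_DT)):
        print(name, classify_tpkt(frame))
```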

