[Zeek] dpd framework and DCE_RPC/NTLM analyzers
Jon Siwek
jsiwek at corelight.com
Thu Jul 11 09:48:59 PDT 2019
On Thu, Jul 11, 2019 at 1:20 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:
> is there any particular reason why the DCE_RPC/NTLM protocols are disabled by default in the DPD framework? (both protocols are in DPD::ignore_violations).
Being in DPD::ignore_violations doesn't exactly mean "DPD is disabled
for those analyzers". It's more like "if an analyzer has previously
issued a protocol confirmation signal, but later issues a protocol
violation signal, then disable that analyzer except if it's in
DPD::ignore_violations". So it's actually used to prevent the
disabling of analyzers.
However, I don't know the origins of DPD::ignore_violations, why it
works that way, or why the DCE_RPC/NTLM protocols are in that set.
- Jon
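The rule described above, written out as an added Zeek script for illustration. This is not Zeek's own `base/frameworks/dpd` code, which already performs the disabling; the script below only records which analyzer instances were confirmed, reports what the DPD rule would decide on a later violation, and shows the `redef` needed to take DCE_RPC and NTLM out of the exemption set. The module name `DPDExample` and the `dpd_confirmed` connection field are this example's own assumptions.

```zeek
##! Added example: the DPD::ignore_violations rule made visible.
##! Not part of Zeek's DPD framework; the names below are local to this script.

module DPDExample;

# Remember, per connection, which analyzer instances (by analyzer id)
# have already issued protocol_confirmation.  Field name is assumed here.
redef record connection += {
	dpd_confirmed: set[count] &default=set();
};

# To make DCE_RPC and NTLM behave like every other analyzer (confirmation
# followed by a violation disables them), remove them from the exemption set.
# Drop either tag from the set to keep the stock behaviour for that analyzer.
redef DPD::ignore_violations -= {
	Analyzer::ANALYZER_DCE_RPC,
	Analyzer::ANALYZER_NTLM,
};

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{
	add c$dpd_confirmed[aid];
	}

# Run after the base DPD handlers so the report reflects what they decided.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                         reason: string) &priority=-5
	{
	local name = Analyzer::name(atype);

	if ( aid !in c$dpd_confirmed )
		{
		# Never confirmed: a speculative DPD attempt that simply failed.
		Reporter::info(fmt("%s: %s violation without prior confirmation: %s",
		                   c$uid, name, reason));
		return;
		}

	if ( atype in DPD::ignore_violations )
		{
		# Confirmed, then violated, but exempt: the analyzer stays attached.
		Reporter::info(fmt("%s: %s violation after confirmation ignored (in DPD::ignore_violations): %s",
		                   c$uid, name, reason));
		return;
		}

	# Confirmed, then violated, not exempt: the base DPD script disables it.
	Reporter::info(fmt("%s: %s violation after confirmation, analyzer disabled: %s",
	                   c$uid, name, reason));
	}
```

Run it against a capture with `zeek -r trace.pcap dpd_example.zeek` and compare `reporter.log` with and without the `redef` block to see which DCE_RPC and NTLM violations change from "ignored" to "analyzer disabled".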