I am digging through the BinPAC code for the DCE-RPC analyzer, and I noticed a couple of
developer comments that I think could be related, and perhaps even resolved, by a simple
1. Developer BinPAC Comments
See Lines 153-155 of dce_rpc-protocol.pac
stating that DCE_RPC_ALTER_CONTEXT and DCE_RPC_ALTER_CONTEXT_RESP are not being handled
correctly and consequently, the parsers for each one are disabled/commented out.
2. Issue / Problem: dce_rpc-protocol.pac
According to the original Open Group specification for DCE RPC (dated October 1997), the
format of the AlterContext packet is identical to the Bind packet, and the format of the
AlterContextResponse is identical to the BindAck. See the following URL for more info; or
I could send you the PDF document separately, if needed.
When looking at the BinPAC file, the type records for DCE_RPC_ALTER_CONTEXT and
DCE_RPC_BIND are different, but they should be identical.
Similarly, the type records for DCE_RPC_ALTER_CONTEXT_RESP and DCE_RPC_BIND_ACK are very
different, but they should be identical.
3. Proposed Fix: dce_rpc-protocol.pac
Modify the type record for DCE_RPC_ALTER_CONTEXT to be identical to DCE_RPC_BIND.
Modify the type record for DCE_RPC_ALTER_CONTEXT_RESP to be identical to
Remove '#' on Lines 154 and 155 to un-comment these lines and re-enable the
In dce_rpc-analyzer.pac, generate events resulting from the AlterContext packet to allow
logging of the new binding information in script-land.
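To make the "identical layout" point concrete, here is an added example (my own illustration, not code from Bro or from the dce_rpc-protocol.pac file) that parses the connection-oriented Bind, AlterContext, BindAck and AlterContextResponse PDUs with exactly two body parsers: one shared by ptype 11 and 14, one shared by ptype 12 and 15, following the C706 spec layout. The sample PDUs are constructed inline with little-endian data representation, a single presentation context and the standard NDR transfer syntax; the SRVSVC interface UUID and the secondary address string are just sample values, and the builders exist only to produce test input.

```python
"""Parse DCE-RPC CO Bind/AlterContext and BindAck/AlterContextResponse PDUs,
showing that each pair shares one body layout (Open Group C706).
Example code, not the Bro analyzer's own implementation."""
import struct
import uuid

# PDU type codes from the C706 specification
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
PTYPE_ALTER_CONTEXT, PTYPE_ALTER_CONTEXT_RESP = 14, 15

# 16-byte common header: ver, minor, ptype, flags, drep[4], frag_len, auth_len, call_id
HDR = struct.Struct("<BBBB4sHHI")
NDR_TS = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2)   # standard NDR transfer syntax


def parse_syntax(buf, off):
    """p_syntax_id_t: UUID (16 bytes, little-endian fields) + u_int32 version."""
    u = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))
    ver, = struct.unpack_from("<I", buf, off + 16)
    return (str(u), ver), off + 20


def parse_bind_body(buf, off):
    """Body layout shared by Bind (11) and AlterContext (14)."""
    max_xmit, max_recv, assoc = struct.unpack_from("<HHI", buf, off)
    off += 8
    n_ctx = buf[off]            # n_context_elem, then 3 reserved bytes
    off += 4
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", buf, off)
        off += 4                # p_cont_id, n_transfer_syn, 1 reserved byte
        abstract, off = parse_syntax(buf, off)
        transfers = []
        for _ in range(n_ts):
            ts, off = parse_syntax(buf, off)
            transfers.append(ts)
        contexts.append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfers})
    return {"max_xmit_frag": max_xmit, "max_recv_frag": max_recv,
            "assoc_group_id": assoc, "contexts": contexts}


def parse_bind_ack_body(buf, off):
    """Body layout shared by BindAck (12) and AlterContextResponse (15)."""
    max_xmit, max_recv, assoc = struct.unpack_from("<HHI", buf, off)
    off += 8
    addr_len, = struct.unpack_from("<H", buf, off)   # port_any_t: length + string
    off += 2
    sec_addr = bytes(buf[off:off + addr_len]).rstrip(b"\0").decode("ascii")
    off += addr_len
    off = (off + 3) & ~3        # p_result_list_t is 4-byte aligned from PDU start
    n_results = buf[off]        # n_results, then 3 reserved bytes
    off += 4
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from("<HH", buf, off)
        off += 4
        ts, off = parse_syntax(buf, off)
        results.append({"result": result, "reason": reason, "transfer": ts})
    return {"max_xmit_frag": max_xmit, "max_recv_frag": max_recv,
            "assoc_group_id": assoc, "sec_addr": sec_addr, "results": results}


# One parser per layout: the two ptypes in each pair map to the same function.
BODY_PARSERS = {
    PTYPE_BIND: parse_bind_body, PTYPE_ALTER_CONTEXT: parse_bind_body,
    PTYPE_BIND_ACK: parse_bind_ack_body, PTYPE_ALTER_CONTEXT_RESP: parse_bind_ack_body,
}


def parse_pdu(buf):
    """Return (ptype, call_id, body); raise ValueError on malformed/truncated input."""
    if len(buf) < HDR.size:
        raise ValueError("short header")
    ver, _minor, ptype, _flags, drep, frag_len, _auth, call_id = HDR.unpack_from(buf, 0)
    if ver != 5 or not drep[0] & 0x10:
        raise ValueError("only CO v5 with little-endian drep is handled here")
    if frag_len > len(buf):
        raise ValueError("frag_length exceeds buffer (truncated PDU)")
    if ptype not in BODY_PARSERS:
        raise ValueError("unsupported ptype %d" % ptype)
    return ptype, call_id, BODY_PARSERS[ptype](buf[:frag_len], HDR.size)


# --- constructed sample input (builders exist only to produce test PDUs) ---
def _syntax(uuid_str, ver):
    return uuid.UUID(uuid_str).bytes_le + struct.pack("<I", ver)


def build_bind_like(ptype, call_id, abstract):
    """Bind or AlterContext with one context and the NDR transfer syntax."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)
    body += struct.pack("<HBx", 0, 1) + _syntax(*abstract) + _syntax(*NDR_TS)
    return HDR.pack(5, 0, ptype, 0x03, b"\x10\0\0\0", HDR.size + len(body), 0, call_id) + body


def build_bind_ack_like(ptype, call_id, sec_addr):
    """BindAck or AlterContextResponse accepting context 0 with NDR."""
    addr = sec_addr.encode("ascii") + b"\0"
    body = struct.pack("<HHIH", 4280, 4280, 0x1234, len(addr)) + addr
    body += b"\0" * (-(HDR.size + len(body)) % 4)    # pad result list to 4-byte boundary
    body += struct.pack("<B3xHH", 1, 0, 0) + _syntax(*NDR_TS)
    return HDR.pack(5, 0, ptype, 0x03, b"\x10\0\0\0", HDR.size + len(body), 0, call_id) + body


if __name__ == "__main__":
    srvsvc = ("4b324fc8-1670-01d3-1278-5a47bf6ee188", 3)   # sample interface UUID
    for pdu in (build_bind_like(PTYPE_BIND, 1, srvsvc),
                build_bind_like(PTYPE_ALTER_CONTEXT, 2, srvsvc),
                build_bind_ack_like(PTYPE_ALTER_CONTEXT_RESP, 2, "\\PIPE\\srvsvc")):
        print(parse_pdu(pdu))
```

Because the AlterContext body is parsed by the Bind parser, the binding information it carries (interface UUID, version, transfer syntax) is available in the same shape as from the original Bind, which is what a script-level event for the re-bind would need.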
4. Developer Script-land Comments
See Lines 137 and 187 of main.bro
stating a condition where sometimes the binding is not seen. I can think of a couple of
scenarios under which this would occur: (a) packet loss/drop; and (b) AlterContext packet
not parsed. I think the fix described above will address (b) and help reduce the number of
instances where the binding isn't seen.
5. Bro Issue Tracker
I plan to submit this to Bro Issue Tracker. Just wanted to give you a heads up here.