Trouble with Custom MSRPC Based AppID

mfs
L0 Member

I am trying to create a number of custom MSRPC-based apps using the msrpc-req-bind-data context. I have set msrpc as the parent app, dynamic TCP and UDP for the ports, and the signatures are set to the session scope. I pulled the hex for the BIND request interfaces directly from Wireshark running on the AD server.

See the screenshot below for the signature (this is the interface for DFS):

Screen Shot 2014-10-31 at 5.16.40 PM.png

L4 Transporter

Re: Trouble with Custom MSRPC Based AppID

Can you please verify the issue?

Thanks

mfs
L0 Member

Re: Trouble with Custom MSRPC Based AppID

H,

The issue is that the custom signature(s) do not fire when I send specific MSRPC bind requests through the firewall. I only see msrpc identified by the firewall, but clearly see the specific BIND request in a PCAP on the server. In the case of the signature in the OP, I am looking for the DFS BIND request.

Thanks!
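For reference when checking the hex used in a bind-data pattern against a capture, the following added example (not part of the thread or of any vendor tooling) parses a DCE/RPC bind PDU and lists each abstract-syntax interface UUID both as text and as the raw wire bytes. The function names, the interface UUID and the sample PDU are constructed for illustration.

```python
import struct
import uuid

BIND = 11  # DCE/RPC connection-oriented PTYPE for a bind PDU
NDR = "8a885d04-1ceb-11c9-9fe8-08002b104860"        # NDR transfer syntax
SAMPLE_IF = "a1b2c3d4-e5f6-4789-8abc-def012345678"  # constructed, not a real interface

def wire_hex(interface):
    """Hex of an interface UUID as it appears in a little-endian bind PDU."""
    return uuid.UUID(interface).bytes_le.hex()

def bind_interfaces(pdu):
    """Return [(uuid_text, wire_hex, major, minor)] for each context element."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != BIND:
        return []
    little = bool(pdu[4] & 0x10)        # packed_drep: integer byte order
    end = "<" if little else ">"
    out, off = [], 28                   # 16-byte header + 8 + 4-byte list header
    for _ in range(pdu[24]):            # n_context_elem
        if off + 24 > len(pdu):
            break                       # truncated capture
        n_transfer = pdu[off + 2]
        raw = pdu[off + 4: off + 20]    # if_uuid exactly as sent
        major, minor = struct.unpack_from(end + "HH", pdu, off + 20)
        u = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        out.append((str(u), raw.hex(), major, minor))
        off += 24 + 20 * n_transfer     # skip the transfer syntaxes
    return out

def sample_bind(interface):
    """Build a constructed little-endian bind PDU with one context element."""
    ctx = struct.pack("<HBB", 0, 1, 0)
    ctx += uuid.UUID(interface).bytes_le + struct.pack("<HH", 3, 0)
    ctx += uuid.UUID(NDR).bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body

if __name__ == "__main__":
    for row in bind_interfaces(sample_bind(SAMPLE_IF)):
        print(row)
```

The first three UUID fields are byte-swapped on the wire in a little-endian PDU, so the hex copied from the packet bytes differs from the dashed text form of the same interface.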
