Trouble with Custom MSRPC Based AppID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Trouble with Custom MSRPC Based AppID

L0 Member

I am trying to create a number of custom MSRPC based App's using the msrpc-req-bind-data contact. I have set msrpc as the parent app, dynamic TCP and UDP for the ports, and the signatures are set to the session scope. I pulled the hex for the BIND request interfaces directly from Wireshark running on the AD server.

See below screenshot for the signature (this is the interface for DFS):

Screen Shot 2014-10-31 at 5.16.40 PM.png

2 REPLIES 2

L4 Transporter

Can you please verify the issue?

Thanks

H,

The issue is that the custom signature(s) do not fire when I send specific MSRPC bind requests through the firewall. I only see msrpc identified by the firewall, but clearly see the specific BIND request in a PCAP on the server. In the case of the signature in the OP, I am looking for the DFS BIND request.

Thanks!

  • 3017 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!