I am trying to create a number of custom MSRPC based App's using the msrpc-req-bind-data contact. I have set msrpc as the parent app, dynamic TCP and UDP for the ports, and the signatures are set to the session scope. I pulled the hex for the BIND request interfaces directly from Wireshark running on the AD server.
See below screenshot for the signature (this is the interface for DFS):
The issue is that the custom signature(s) do not fire when I send specific MSRPC bind requests through the firewall. I only see msrpc identified by the firewall, but clearly see the specific BIND request in a PCAP on the server. In the case of the signature in the OP, I am looking for the DFS BIND request.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!