From 36ae5e6662bae806c5c3316ea051dffa5ddb0f29 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Mon, 24 Oct 2016 13:50:13 -0400
Subject: [PATCH] Make DCE_RPC skip input in strange fragment circumstances.

If there are too many concurrent fragments or too much data fragmented, skip further input on DCE_RPC.
---
 scripts/base/protocols/dce-rpc/consts.bro | 4 ++--
 src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
index 545828d776..e238ad55e4 100644
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
@@ -4,12 +4,12 @@ module DCE_RPC;
 export {
 	## The maximum number of simultaneous fragmented commands that
 	## the analyzer will tolerate before the analyzer will generate
-	## a weird and remove itself from the connection.
+	## a weird and skip further input.
 	const max_cmd_reassembly = 20 &redef;
 	## The maximum number of fragmented bytes that will be tolerated
 	## on a command before the analyzer will generate a weird and
-	## remove itself from the connection.
+	## skip further input.
 	const max_frag_data = 30000 &redef;
 	const uuid_endpoint_map: table[string] of string = {
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
index e135dfaf31..129bb11626 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
@@ -198,12 +198,14 @@ flow DCE_RPC_Flow(is_orig: bool) {
 			{
 			reporter->Weird(connection()->bro_analyzer()->Conn(), "too_many_dce_rpc_msgs_in_reassembly");
+			connection()->bro_analyzer()->SetSkip(true);
 			}
 		if ( fb[${header.call_id}]->data_length() > BifConst::DCE_RPC::max_frag_data )
 			{
 			reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data");
+			connection()->bro_analyzer()->SetSkip(true);
 			}
 		return false;
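Review bot: Calling SetSkip(true) right after the weird means the rest of this connection's DCE_RPC traffic is no longer analyzed at all, and the weird name logged on the line before it becomes the only record of that decision; the same applies to the `-218,6 +220,7` hunk. A one-line comment on each added line, `// Stop analyzing this connection; the preceding weird is the only trace of it.`, would make the trade-off visible to whoever tunes max_cmd_reassembly and max_frag_data. The three identical `Weird(...); SetSkip(true);` pairs could also be folded into one small helper on the flow so the reason string and the skip always stay together. Nothing in the hunk releases the fragments already buffered in `fb`; if they are presumably freed when the flow is torn down, saying so in the comment would settle it. The enclosing function starts and ends outside the hunk.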
@@ -218,6 +220,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 			{
 			reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data");
+			connection()->bro_analyzer()->SetSkip(true);
 			}
 		return ${header.lastfrag};