TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM

US 20100088767A1
Filed: 10/08/2009
Published: 04/08/2010
Est. Priority Date: 10/08/2008
Status: Active Grant

First Claim

Patent Images

1. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for checking for valid packets in an SMB named pipe in a communication network, comprising:

receiving, in a processor configured as an IDS/IPS, a packet in a transmission and determining a kind of application of a target of the packet in response to receiving the packet;

including, in the IDS/IPS, the data in the packet as part of the SMB named pipe data inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that;

(a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and(b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.

115 Citations

21 Claims

1. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for checking for valid packets in an SMB named pipe in a communication network, comprising:
- receiving, in a processor configured as an IDS/IPS, a packet in a transmission and determining a kind of application of a target of the packet in response to receiving the packet;
  
  including, in the IDS/IPS, the data in the packet as part of the SMB named pipe data inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that;
  
  (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and(b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as in claim 1, wherein the reassembly table indicates whether and how each of the different kinds of applications check the FID in the SMB command header of the packet.
  - 3. The method as in claim 1, further comprisingdetermining, in the IDS/IPS, whether a UID in an SMB frame header of the packet is valid for the FID in the segments/fragments in the SMB named pipe, for the determined kind of application of the target, and including the data in the packet as part of the SMB named pipe data only when the UID is valid for the FID.
  - 4. The method as in claim 1, further comprisingdetermining, in the IDS/IPS, whether a TID in an SMB frame header of the packet is valid for the FID in the segments/fragments in the SMB named pipe, for the determined kind of application of the target, and including the data in the packet as part of the SMB named pipe data only when the TID is valid for the FID.
  - 5. The method as in claim 1, further comprisingdetermining, in the IDS/IPS, whether a TID and a UID in an SMB frame header of the packet are both valid for the FID in the segments/fragments in the SMB named pipe, for the determined kind of application of the target, and including the data in the packet as part of the SMB named pipe data only when both the TID and the UID are valid for the FID.
  - 6. The method as in claim 1, further comprising inspecting, in the IDS/IPS, the data included as part of the SMB named pipe data, to determine whether the data includes an attack spanning plural packets.

7. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for checking for valid packets in an SMB named pipe in a communication network, comprising:
- receiving, in a processor configured as an IDS/IPS, a fragment/segment, and determining a kind of application of a target of the fragment/segment in response to receiving the fragment/segment;
  
  separating, in the IDS/IPS, fragments/segments with a same multiplex ID (MID) as part of a same SMB transaction command from fragments/segments with a different MID, the MID being in the SMB frame header, all for fragments/segments in the same SMB named pipe, when a reassembly table indicates that the kind of application of the target separates based on MID; and
  
  processing, in the IDS/IPS, the same SMB transaction command with the same MID as being in a separate SMB transaction command instead of with the fragments/segments with the different MID when the kind of application of the target separates based on MID.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method as in claim 7, wherein the reassembly table indicates whether each of the different kinds of applications check the MID in the SMB frame header.
  - 9. The method as in claim 7, wherein the separating further comprises separating, in the IDS/IPS, fragments/segments with the same MID and a same PID in the SMB frame header as part of the same SMB transaction command, from fragments/segments with the different MID or a different PID, all for fragments/segments in the same SMB named pipe, when the kind of application of the target also separates based on PID.
  - 10. The method as in claim 9, wherein the reassembly table indicates whether each of the different kinds of applications check the MID and the PID in the SMB frame header.
  - 11. The method as in claim 7, wherein the SMB transaction command comprises a main transaction and a secondary transaction.
  - 12. The method as in claim 7, further comprising inspecting, in the IDS/IPS, the data included as part of the same SMB transaction command, to determine whether the data includes an attack spanning plural fragments/segments in the same SMB transaction command.

13. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for reassembling distributed computing environment/remote procedure call (DCE/RPC) request fragments, comprising:
- receiving, in a processor configured as an IDS/IPS, plural request fragments belonging to a single DCE/RPC request;
  
  determining, in the IDS/IPS, the kind of application of a target of the DCE/RPC request;
  
  selecting, in the IDS/IPS, one of the request fragments as a source of a context ID depending on the target kind of application as indicated in a reassembly table;
  
  reassembling, in the IDS/IPS, the plural request fragments into a reassembled request; and
  
  inserting, in the IDS/IPS, the context ID from the selected request fragment into the context ID of a DCE/RPC header of the reassembled request.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method as in claim 13, wherein the reassembly table indicates which of the request fragments is selected as the source of the context ID for each of the different kinds of applications.
  - 15. The method of claim 13, further comprising:
    - selecting, in the IDS/IPS, a different one of the request fragments as a source of an operation number depending on the target kind of application; and
      
      inserting, in the IDS/IPS, the operation number from a DCE/RPC header of the selected different one of the request fragments into the operation number of the DCE/RPC header of the reassembled request.
  - 16. The method as in claim 15, wherein the reassembly table indicateswhich of the request fragments is selected as the source of the context ID, and which different one of the request fragments is selected as the source of the operation number, for each of the different kinds of applications.
  - 17. The method of claim 13, further comprising:
    - selecting, in the IDS/IPS, the one of the request fragments as a source of an operation number; and
      
      inserting, in the IDS/IPS, the operation number from the DCE/RPC header of the selected request fragment into the operation number of a DCE/RPC header of the reassembled request.
  - 18. The method as in claim 17, wherein the reassembly table indicates which of the request fragments is selected as the source of both the operation number and the context ID for each of the different kinds of applications.

19. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for reassembling request fragments, comprising:
- receiving, in a processor configured as an IDS/IPS, plural request fragments belonging to a single request;
  
  determining, in the IDS/IPS, the kind of application of a target of the request;
  
  selecting, in the IDS/IPS, one of the request fragments as a source of an operation number as indicated in a reassembly table depending on the target kind of application;
  
  reassembling, in the IDS/IPS, the plural request fragments into a reassembled request; and
  
  inserting, in the IDS/IPS, the operation number from a DCE/RPC header of the selected request fragment into the operation number of a DCE/RPC header of the reassembled request.
- View Dependent Claims (20)
- - 20. The method as in claim 19, wherein the reassembly table indicates which of the request fragments is selected as the source of the operation number for each of the different kinds of applications.

21. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for checking for valid packets in an SMB named pipe in a communication network, comprising:
- receiving, in a processor configured as an IDS/IPS, a packet in a transmission and determining a kind of application of a target of the packet in response to receiving the packet;
  
  including, in the IDS/IPS, the data in the packet as part of the SMB named pipe data inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that;
  
  (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and(b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table;
  
  receiving, in the processor configured as an IDS/IPS, a fragment/segment, and determining a kind of application of a target of the fragment/segment in response to receiving the fragment/segment;
  
  separating, in the IDS/IPS, fragments/segments with a same multiplex ID (MID) as part of a same SMB transaction command from fragments/segments with a different MID, the MID being in the SMB frame header, all for fragments/segments in the same SMB named pipe, when a reassembly table indicates that the kind of application of the target separates based on MID;
  
  processing, in the IDS/IPS, the same SMB transaction command with the same MID as being in a separate SMB transaction command instead of with the fragments/segments with the different MID when the kind of application of the target separates based on MID;
  
  receiving, in the processor configured as an IDS/IPS, plural request fragments belonging to a single DCE/RPC request;
  
  determining, in the IDS/IPS, the kind of application of a target of the DCE/RPC request;
  
  selecting, in the IDS/IPS, one of the request fragments as a source of a context ID depending on the target kind of application as indicated in a reassembly table;
  
  selecting, in the IDS/IPS, one of the request fragments as a source of an operation number as indicated in a reassembly table depending on the target kind of application;
  
  reassembling, in the IDS/IPS, the plural request fragments into a reassembled request; and
  
  inserting, in the IDS/IPS, the context ID from the selected request fragment into the context ID of a DCE/RPC header of the reassembled request; and
  
  inserting, in the IDS/IPS, the operation number from a DCE/RPC header of the selected request fragment into the operation number of a DCE/RPC header of the reassembled request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Wease, Kenneth Todd

Granted Patent

US 8,272,055 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links