Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system

  • US 8,272,055 B2
  • Filed: 10/08/2009
  • Issued: 09/18/2012
  • Est. Priority Date: 10/08/2008
  • Status: Active Grant
First Claim
1. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for checking for valid packets in a server message block (SMB) named pipe in a communication network, comprising:

  • receiving, in a processor configured as an IDS/IPS, a packet in a transmission and determining a kind of application of a target of the packet in response to receiving the packet;

    including, in the IDS/IPS, data in the packet as part of the SMB named pipe data inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that:

    (a) a file ID (FID) in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table;

    receiving, in the processor configured as an IDS/IPS, a fragment/segment, and determining a kind of application of a target of the fragment/segment in response to receiving the fragment/segment;

    separating, in the IDS/IPS, fragments/segments with a same multiplex ID (MID) as part of a same SMB transaction command from fragments/segments with a different MID, the MID being in the SMB frame header, all for fragments/segments in the same SMB named pipe, when a reassembly table indicates that the kind of application of the target separates based on MID;

    processing, in the IDS/IPS, the same SMB transaction command with the same MID as being in a separate SMB transaction command instead of with the fragments/segments with the different MID when the kind of application of the target separates based on MID;

    receiving, in the processor configured as an IDS/IPS, plural request fragments belonging to a single distributed computing environment/remote procedure call (DCE/RPC) request;

    determining, in the IDS/IPS, the kind of application of a target of the DCE/RPC request;

    selecting, in the IDS/IPS, one of the request fragments as a source of a context ID depending on the target kind of application as indicated in a reassembly table;

    selecting, in the IDS/IPS, one of the request fragments as a source of an operation number as indicated in a reassembly table depending on the target kind of application;

    reassembling, in the IDS/IPS, the plural request fragments into a reassembled request; and

    inserting, in the IDS/IPS, the context ID from the selected request fragment into the context ID of a DCE/RPC header of the reassembled request; and

    inserting, in the IDS/IPS, the operation number from a DCE/RPC header of the selected request fragment into the operation number of a DCE/RPC header of the reassembled request.
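The three target-dependent decisions the claim enumerates (FID validity check, separation by MID, and which fragment supplies the context ID and operation number), as an added Python sketch that is not the patent's or any product's code; the application kinds and policy values in the table are constructed assumptions standing in for a real reassembly table:

```python
from dataclasses import dataclass
# Reassembly table keyed by the target's kind of application. The kinds and
# policy values are constructed placeholders, not the patent's own table.
REASSEMBLY_TABLE = {
    "kind_x": {"checks_fid": True, "separate_by_mid": True,
               "ctx_id_from": "first", "opnum_from": "first"},
    "kind_y": {"checks_fid": False, "separate_by_mid": False,
               "ctx_id_from": "last", "opnum_from": "last"},
}

@dataclass
class Fragment:
    mid: int      # multiplex ID from the SMB frame header
    fid: int      # file ID from the SMB command header
    ctx_id: int   # context ID from the DCE/RPC header
    opnum: int    # operation number from the DCE/RPC header
    stub: bytes   # this fragment's share of the request stub data

def include_in_pipe(frag, target_kind, valid_fids):
    # Keep the data only if (a) the FID is valid for this pipe and target,
    # or (b) the target kind does not check the FID at all.
    policy = REASSEMBLY_TABLE[target_kind]
    return (not policy["checks_fid"]) or (frag.fid in valid_fids)

def group_by_mid(frags, target_kind):
    # Separate transactions by MID only when the table says the target does.
    split = REASSEMBLY_TABLE[target_kind]["separate_by_mid"]
    groups = {}
    for f in frags:
        groups.setdefault(f.mid if split else None, []).append(f)
    return list(groups.values())

def reassemble(frags, target_kind):
    # Join stub data; take context ID and opnum from whichever fragment
    # (first or last) the table says the target honours.
    policy = REASSEMBLY_TABLE[target_kind]
    ctx_src = frags[0] if policy["ctx_id_from"] == "first" else frags[-1]
    op_src = frags[0] if policy["opnum_from"] == "first" else frags[-1]
    return {"ctx_id": ctx_src.ctx_id, "opnum": op_src.opnum,
            "stub": b"".join(f.stub for f in frags)}

def inspect_pipe(frags, target_kind, valid_fids):
    # Whole pipeline from the claim: FID filter, MID separation, reassembly.
    kept = [f for f in frags if include_in_pipe(f, target_kind, valid_fids)]
    return [reassemble(g, target_kind) for g in group_by_mid(kept, target_kind)]

# Constructed sample: one request split over two fragments whose DCE/RPC
# headers disagree on opnum, plus a fragment on another MID with an unknown FID.
SAMPLE = [Fragment(1, 0x4000, 0, 5, b"AAAA"), Fragment(1, 0x4000, 0, 9, b"BBBB"),
          Fragment(2, 0x4001, 2, 7, b"CCCC")]
```

Running `inspect_pipe(SAMPLE, kind, {0x4000})` for each kind shows the same fragments yielding different reassembled requests, which is why the IDS must model the target rather than apply one fixed rule.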
