Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system
Abstract
A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.
18 Claims
1. A method performed in a processor of an intrusion detection/prevention system (IDS/IPS), for checking for valid packets in a server message block (SMB) named pipe in a communication network, comprising:
receiving, in a processor configured as an IDS/IPS, a fragment/segment, and determining a kind of application of a target of the fragment/segment in response to receiving the fragment/segment;
separating, in the IDS/IPS, fragments/segments with a same multiplex ID (MID) as part of a same SMB transaction command from fragments/segments with a different MID, the MID being in the SMB frame header, all for fragments/segments in the same SMB named pipe;
accessing a reassembly table that indicates the kind of application to determine whether the kind of application separates SMB transaction commands based on MID; and
responsive to a determination that the kind of application of the target separates SMB transaction commands based on MID, processing, in the IDS/IPS, the same SMB transaction command with the same MID as being in a distinct SMB transaction command instead of with the fragments/segments with the different MID.
Dependent claims: 2, 3, 4, 5, 6.

7. An apparatus comprising:
a network sensor to sense packets in a server message block (SMB) named pipe in a communication network; and
a processor to:
receive, via the network sensor, a fragment/segment and determine a kind of application of a target of the fragment/segment in response to receiving the fragment/segment;
separate fragments/segments with a same multiplex ID (MID) as part of a same SMB transaction command from fragments/segments with a different MID, the MID being in the SMB frame header, all for fragments/segments in the same SMB named pipe;
access a reassembly table that indicates the kind of application to determine whether the kind of application separates SMB transaction commands based on MID; and
responsive to a determination that the kind of application of the target separates SMB transaction commands based on MID, process the same SMB transaction command with the same MID as being in a distinct SMB transaction command instead of with the fragments/segments with the different MID.
Dependent claims: 8, 9, 10, 11, 12.

13. One or more non-transitory computer readable media encoded with software comprising computer executable instructions and, when the software is executed, operable to cause a processor to check for valid packets in a server message block (SMB) named pipe in a communication network by:
receiving a fragment/segment, and determining a kind of application of a target of the fragment/segment in response to receiving the fragment/segment;
separating fragments/segments with a same multiplex ID (MID) as part of a same SMB transaction command from fragments/segments with a different MID, the MID being in the SMB frame header, all for fragments/segments in the same SMB named pipe;
accessing a reassembly table that indicates the kind of application to determine whether the kind of application separates SMB transaction commands based on MID; and
responsive to a determination that the kind of application of the target separates SMB transaction commands based on MID, processing the same SMB transaction command with the same MID as being in a distinct SMB transaction command instead of with the fragments/segments with the different MID.
Dependent claims: 14, 15, 16, 17, 18.
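The following is an added illustration of the target-based reassembly decision that the abstract and independent claims describe; it is not code from the patent or from any product. The IDS keeps a reassembly table keyed by the kind of target application, consults it for each fragment, and (a) groups transaction fragments by MID only when the target itself does so and (b) enforces the FID check only when the target does. The table entries, target names, pipe identifiers, FIDs and payloads are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed reassembly table: per kind of target application, does the target
# demultiplex SMB transaction fragments by MID, and does it validate the FID?
# In a real IDS these rows would be derived from observed target behaviour.
REASSEMBLY_TABLE: Dict[str, Dict[str, bool]] = {
    "constructed-target-A": {"separates_by_mid": True, "checks_fid": True},
    "constructed-target-B": {"separates_by_mid": False, "checks_fid": False},
}


@dataclass(frozen=True)
class SmbFragment:
    """One fragment/segment as the sensor would hand it to the processor."""
    target_kind: str  # kind of application of the target, determined on receipt
    pipe_id: str      # constructed key identifying the SMB named pipe
    mid: int          # multiplex ID from the SMB frame header
    fid: int          # file ID from the SMB command header
    data: bytes       # transaction payload carried by this fragment


BufferKey = Tuple[str, Optional[int]]  # (pipe, MID) or (pipe, None) when not split


def reassemble(fragments: List[SmbFragment],
               valid_fids: Dict[str, Set[int]]) -> Tuple[Dict[BufferKey, bytes], List[int]]:
    """Reassemble fragments the way each target would, per the reassembly table.

    Returns (buffers, rejected): buffers maps (pipe_id, mid-or-None) to the
    reassembled payload; rejected lists indexes of fragments the IDS does not
    inspect as named-pipe data because neither condition (a) nor (b) holds.
    """
    buffers: Dict[BufferKey, bytearray] = {}
    rejected: List[int] = []
    for i, frag in enumerate(fragments):
        policy = REASSEMBLY_TABLE.get(frag.target_kind)
        if policy is None:
            # Unknown target: no table row says the FID is valid or unchecked.
            rejected.append(i)
            continue
        if policy["checks_fid"] and frag.fid not in valid_fids.get(frag.pipe_id, set()):
            # Condition (a) fails and (b) does not apply: the target would reject it.
            rejected.append(i)
            continue
        # Separate by MID only when the target application does; otherwise all
        # fragments in the pipe are treated as one transaction stream.
        key: BufferKey = (frag.pipe_id, frag.mid if policy["separates_by_mid"] else None)
        buffers.setdefault(key, bytearray()).extend(frag.data)
    return {k: bytes(v) for k, v in buffers.items()}, rejected


# Constructed sample traffic: two interleaved transactions (MID 1 and MID 2) on
# each pipe, plus one fragment per pipe whose FID was never opened.
SAMPLE_FRAGMENTS = [
    SmbFragment("constructed-target-A", "pipe-A", 1, 0x4000, b"HEL"),
    SmbFragment("constructed-target-A", "pipe-A", 2, 0x4000, b"WOR"),
    SmbFragment("constructed-target-A", "pipe-A", 1, 0x4000, b"LO"),
    SmbFragment("constructed-target-A", "pipe-A", 2, 0x4000, b"LD"),
    SmbFragment("constructed-target-A", "pipe-A", 3, 0x9999, b"XX"),  # bad FID
    SmbFragment("constructed-target-B", "pipe-B", 1, 0x4000, b"HEL"),
    SmbFragment("constructed-target-B", "pipe-B", 2, 0x4000, b"WOR"),
    SmbFragment("constructed-target-B", "pipe-B", 1, 0x4000, b"LO"),
    SmbFragment("constructed-target-B", "pipe-B", 2, 0x9999, b"LD"),  # bad FID
]
SAMPLE_VALID_FIDS = {"pipe-A": {0x4000}, "pipe-B": {0x4000}}


def run_sample() -> Tuple[Dict[BufferKey, bytes], List[int]]:
    return reassemble(SAMPLE_FRAGMENTS, SAMPLE_VALID_FIDS)


if __name__ == "__main__":
    buffers, rejected = run_sample()
    for key, payload in sorted(buffers.items(), key=str):
        print(key, payload)
    print("rejected fragment indexes:", rejected)
```

The two targets see the same interleaved bytes but reassemble them differently: target A yields separate HELLO and WORLD transactions and drops the fragment with the unopened FID, while target B, which neither splits by MID nor checks FID, yields one stream containing every payload in arrival order. An IDS that models only one of these behaviours would either miss content the other target actually processes or raise alerts on bytes it discards.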