4.17.2. MSRPC network traffic analysis in Network Intrusion Prevention Systems

Because of the numerous vulnerabilities discovered in MSRPC (see Section 4.16, “MSRPC vulnerabilities”), Network Intrusion Prevention and Detection Systems must inspect MSRPC traffic to detect or block malicious traffic.

Because the protocols involved (SMB, MSRPC) are complex, implementing MSRPC traffic analysis in a network security device is a difficult task that requires a good understanding of both protocols. Several evasion techniques are possible if the implementation of these protocols is incomplete.

The successive improvements in NFR's MSRPC package give a good idea of the work required to successfully implement MSRPC in a NIPS: