4.17. MSRPC network traffic
As explained in Section 4.3, “MSRPC transports”, MSRPC was designed to be
transport-independent, which means that MSRPC network traffic is observed over
several different network protocols (TCP, UDP, SMB, HTTP).
Being able to analyze MSRPC network traffic is important for several reasons:
MSRPC is a core protocol of Windows environments and, as such, analyzing MSRPC traffic is a common step in diagnosing problems.
The numerous vulnerabilities discovered in the MSRPC subsystem (see Section 4.16, “MSRPC vulnerabilities”) pose a serious security risk for Windows
infrastructures. Network security devices such as Network Intrusion
Prevention/Detection Systems (NIPS/NIDS) and firewalls must be capable of
analyzing MSRPC traffic in order to block exploitation of MSRPC vulnerabilities.
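The practical consequence of transport independence for a NIDS or firewall is that, once the carrier (TCP port 135 stream, SMB named-pipe data, HTTP tunnel body) has been stripped, the same PDU parser applies regardless of how the bytes arrived. The following added example (not code from the original document) parses the 16-byte common header of connection-oriented DCE/MSRPC PDUs, splits a reassembled byte stream into PDUs using `frag_length`, and extracts the interface UUIDs requested in a bind PDU, which is the information a detection rule normally keys on. It covers only the connection-oriented PDU format (TCP, SMB, HTTP); the connectionless format used over UDP has a different header and is not handled. `SAMPLE_BIND` is a constructed PDU that binds to the well-known `srvsvc` interface with the standard NDR transfer syntax.

```python
"""Parser for the connection-oriented DCE/MSRPC common header and bind PDU.

Added example for this section; not from the original document. Handles the
connection-oriented PDU format (TCP, SMB named pipes, HTTP). The
connectionless (UDP) format has a different header and is not covered.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import List

PTYPE_NAMES = {0: "request", 2: "response", 3: "fault", 11: "bind",
               12: "bind_ack", 13: "bind_nak", 14: "alter_context"}
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14
HEADER_LEN = 16


@dataclass
class PduHeader:
    version: int          # rpc_vers, always 5
    version_minor: int    # rpc_vers_minor, 0 or 1
    ptype: int            # PDU type, see PTYPE_NAMES
    flags: int            # pfc_flags (first/last fragment, ...)
    little_endian: bool   # integer byte order taken from packed_drep
    frag_length: int      # total length of this PDU fragment
    auth_length: int      # length of the trailing auth verifier, 0 if none
    call_id: int


@dataclass
class BindInfo:
    max_xmit_frag: int
    max_recv_frag: int
    assoc_group_id: int
    interfaces: List[str]  # "uuid vMAJOR.MINOR", one per presentation context


def parse_header(data: bytes) -> PduHeader:
    """Parse the 16-byte common header shared by every connection-oriented PDU."""
    if len(data) < HEADER_LEN:
        raise ValueError("PDU shorter than the 16-byte common header")
    ver, ver_minor, ptype, flags = data[0:4]
    little = (data[4] >> 4) == 1  # packed_drep[0] high nibble: 1 = little-endian
    end = "<" if little else ">"
    frag_len, auth_len, call_id = struct.unpack(end + "HHI", data[8:16])
    if ver != 5:
        raise ValueError(f"unexpected RPC version {ver}")
    # A frag_length beyond the bytes we hold means a truncated or malformed PDU.
    if frag_len < HEADER_LEN or frag_len > len(data) or auth_len > frag_len - HEADER_LEN:
        raise ValueError("inconsistent frag_length/auth_length (truncated or malformed PDU)")
    return PduHeader(ver, ver_minor, ptype, flags, little, frag_len, auth_len, call_id)


def parse_bind(data: bytes) -> BindInfo:
    """Extract the requested interfaces from a bind or alter_context PDU."""
    hdr = parse_header(data)
    if hdr.ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError(f"not a bind PDU: {PTYPE_NAMES.get(hdr.ptype, hdr.ptype)}")
    end = "<" if hdr.little_endian else ">"
    body = data[HEADER_LEN:hdr.frag_length - hdr.auth_length]
    max_xmit, max_recv, assoc = struct.unpack(end + "HHI", body[0:8])
    n_ctx = body[8]  # n_context_elem, followed by 3 reserved bytes
    off, interfaces = 12, []
    for _ in range(n_ctx):
        # p_cont_id (2), n_transfer_syn (1), reserved (1), abstract syntax (16 + 4)
        if off + 24 > len(body):
            raise ValueError("presentation context list overruns the PDU")
        n_ts = body[off + 2]
        raw_uuid = body[off + 4:off + 20]
        (if_version,) = struct.unpack(end + "I", body[off + 20:off + 24])
        v_major, v_minor = if_version & 0xFFFF, if_version >> 16
        # UUID fields follow the PDU byte order; the last 8 bytes are verbatim.
        iface = uuid.UUID(bytes_le=raw_uuid) if hdr.little_endian else uuid.UUID(bytes=raw_uuid)
        interfaces.append(f"{iface} v{v_major}.{v_minor}")
        off += 24 + 20 * n_ts  # skip the transfer syntaxes (uuid + version each)
    return BindInfo(max_xmit, max_recv, assoc, interfaces)


def split_pdus(stream: bytes) -> List[bytes]:
    """Cut a reassembled byte stream (TCP payload, pipe data, HTTP body) into PDUs."""
    pdus, off = [], 0
    while off + HEADER_LEN <= len(stream):
        hdr = parse_header(stream[off:])
        pdus.append(stream[off:off + hdr.frag_length])
        off += hdr.frag_length
    return pdus


def summarize(pdu: bytes) -> str:
    """One log-style line per PDU, the kind of record a NIDS would emit."""
    hdr = parse_header(pdu)
    line = f"dcerpc {PTYPE_NAMES.get(hdr.ptype, 'ptype_%d' % hdr.ptype)} " \
           f"call_id={hdr.call_id} len={hdr.frag_length}"
    if hdr.ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        line += " interfaces=" + ",".join(parse_bind(pdu).interfaces)
    return line


# Constructed sample: a bind (call_id 1) to srvsvc v3.0 using NDR transfer syntax v2.0.
SAMPLE_BIND = bytes.fromhex(
    "05000b03" "10000000" "4800" "0000" "01000000"      # common header, frag_length 0x48
    "d016" "d016" "00000000"                            # max_xmit/recv 5840, assoc_group 0
    "01000000"                                          # one presentation context
    "0000" "01" "00"                                    # ctx id 0, one transfer syntax
    "c84f324b" "7016" "d301" "12785a47bf6ee188"         # srvsvc UUID (little-endian fields)
    "03000000"                                          # interface version 3.0
    "045d888a" "eb1c" "c911" "9fe808002b104860"         # NDR transfer syntax UUID
    "02000000"                                          # transfer syntax version 2.0
)

if __name__ == "__main__":
    for pdu in split_pdus(SAMPLE_BIND + SAMPLE_BIND):
        print(summarize(pdu))
```

Because `split_pdus` only trusts `frag_length` when the bytes are actually present, a PDU cut short by fragmentation at the transport layer raises rather than silently yielding a truncated record; a real reassembler would buffer until the fragment is complete.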