An SMB command, which is utilized in packet network communications, can be separated into multiple packets that are sent to the target destination, as part of the same SMB named pipe. The multiple packets can be reassembled by the destination to re-create the original SMB command.
Also, a DCE/RPC request utilized in packet network communications can be separated into request fragments which are sent to the destination, as part of the same DCE/RPC request. Each request fragment still belongs to the original DCE/RPC, and can be reassembled by the destination to re-create the original DCE/RPC request.
The inventor has noted that different kinds of operating systems and/or applications have unique methods of SMB packet reassembly and DCE/RPC fragment reassembly. For example, different WINDOWS™ and SAMBA™ versions handle SMB and DCE/RPC processing differently. These methods of reassembling DCE/RPC request fragments and/or SMB command packets can be exploited by attackers.
The conventional IDS/IPS is not sensitive to these differences, and may reassemble the SMB packets, SMB transaction fragments/segments and/or DCE/RPC request fragments differently than the target destination host. The reassembled SMB command or DCE/RPC request analyzed by the IDS/IPS may be different from the SMB command or DCE/RPC request reassembled by the SMB or DCE/RPC processing at the target destination host. Consequently, an attack that successfully exploits these differences in reassembly can cause the IDS/IPS to miss the malicious traffic. An attacker may use such an evasion to exploit a vulnerability and go unnoticed.