Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
837
Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
Chapter 23
The DCE/RPC preprocessor also desegments SMB and defragments DCE/RPC in
addition to IP defragmentation and TCP stream reassembly. Note that TCP
stream preprocessing must be enabled to detect TCP-transported DCE/RPC,
including SMB and RPC over HTTP, and IP defragmentation must be enabled
when you enable the DCE/RPC preprocessor because, ultimately, IP transports all
DCE/RPC traffic. See
on page 966 and
Finally, the DCE/RPC preprocessor normalizes DCE/RPC traffic for processing by
the rules engine. See
on page 1149 for information on using
specific DCE/RPC rule keywords to detect DCE/RPC services, operations, and
stub data.
You configure the DCE/RPC preprocessor by modifying any of the global options
that control how the preprocessor functions, and by specifying one or more
target-based server policies that identify the DCE/RPC servers on your network
by IP address and by either the Windows or Samba version running on them:
• You must enable DCE/RPC preprocessor rules, which have a generator ID
(GID) of 132 or 133, if you want these rules to generate events. A link on the
configuration page takes you to a filtered view of DCE/RPC preprocessor
rules on the intrusion policy Rules page, where you can enable and disable
rules and configure other rule actions. See
for more information.
• When a shared object rule or standard text rule that requires this
preprocessor is enabled in an intrusion policy where the preprocessor is
disabled, you must enable the preprocessor or choose to allow the system
to enable it automatically before you can save the policy. For more
information, see
See the following sections for more information:
•
•
•
•
•
Selecting Global DCE/RPC Options
LICENSE: Protection
Global DCE/RPC preprocessor options control how the preprocessor functions.
Except for the Memory Cap Reached option, modifying these options could have a
negative impact on performance or detection capability. You should not modify
them unless you have a thorough understanding of the preprocessor and the
interaction between the preprocessor and enabled DCE/RPC rules. In particular,
make sure that the Maximum Fragment Size option and Reassembly Threshold option
are greater than or equal to the depth to which the rules need to detect. For more
information, see
on page 1095 and
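The two constraints this section states, that Maximum Fragment Size and Reassembly Threshold must cover the depth the enabled GID 132/133 rules inspect, and that target-based server policies identify DCE/RPC servers by address and by Windows or Samba version, can be checked before a policy is applied. The following audit helper is an added example, not code from the guide or the product; the data model (ServerPolicy, rule_depths, known_servers) and the sample values are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical data model (assumption, not the product's own API) for one
# target-based server policy: the DCE/RPC servers it covers, identified by
# IP network, and the Windows or Samba version they run.
@dataclass
class ServerPolicy:
    name: str
    networks: list    # CIDR strings
    os_version: str   # e.g. "Windows 2008" or "Samba 3.x"

def audit_dcerpc_settings(max_frag_size, reassembly_threshold,
                          rule_depths, server_policies, known_servers):
    """Return a list of finding strings (empty means nothing to fix).

    rule_depths: {rule_id: depth} for the enabled GID 132/133 rules, where
    depth is how far into reassembled DCE/RPC data the rule must look.
    known_servers: IPs of DCE/RPC servers the policy is expected to cover.
    """
    findings = []
    # Both size options must be >= the depth the enabled rules need to detect.
    needed = max(rule_depths.values(), default=0)
    if max_frag_size < needed:
        findings.append(f"Maximum Fragment Size {max_frag_size} is below "
                        f"the {needed} bytes the enabled rules inspect")
    if reassembly_threshold < needed:
        findings.append(f"Reassembly Threshold {reassembly_threshold} is below "
                        f"the {needed} bytes the enabled rules inspect")
    # Each target-based policy must state the Windows or Samba version it covers.
    nets = []
    for pol in server_policies:
        if not pol.os_version:
            findings.append(f"policy {pol.name} does not specify a Windows or Samba version")
        nets.extend(ipaddress.ip_network(n, strict=False) for n in pol.networks)
    # Every known DCE/RPC server should fall inside some policy's address range.
    for ip in known_servers:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            findings.append(f"server {ip} is not matched by any target-based policy")
    return findings

# Constructed sample input: two enabled rules, two policies, three servers.
SAMPLE = dict(
    max_frag_size=4000, reassembly_threshold=2048,
    rule_depths={"132:1": 1024, "133:2": 3000},
    server_policies=[ServerPolicy("dc-windows", ["10.0.1.0/24"], "Windows 2008"),
                     ServerPolicy("nas-samba", ["10.0.2.0/24"], "")],
    known_servers=["10.0.1.5", "10.0.2.9", "10.0.3.7"],
)

if __name__ == "__main__":
    for line in audit_dcerpc_settings(**SAMPLE):
        print(line)
```

On the sample input the audit reports three findings: the Reassembly Threshold is below the 3000 bytes rule 133:2 needs, the nas-samba policy has no version, and 10.0.3.7 is covered by no policy.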