Cisco FirePOWER Appliance 7115
Sourcefire 3D System User Guide, Version 5.3
Page 837 of 2442
Chapter 23: Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
The DCE/RPC preprocessor also desegments SMB and defragments DCE/RPC in addition to IP defragmentation and TCP stream reassembly. Note that TCP stream preprocessing must be enabled to detect TCP-transported DCE/RPC, including SMB and RPC over HTTP, and IP defragmentation must be enabled when you enable the DCE/RPC preprocessor because, ultimately, IP transports all DCE/RPC traffic. See

Finally, the DCE/RPC preprocessor normalizes DCE/RPC traffic for processing by the rules engine. See
 on page 1149 for information on using specific DCE/RPC rule keywords to detect DCE/RPC services, operations, and stub data.
You configure the DCE/RPC preprocessor by modifying any of the global options that control how the preprocessor functions, and by specifying one or more target-based server policies that identify the DCE/RPC servers on your network by IP address and by either the Windows or Samba version running on them:

You must enable DCE/RPC preprocessor rules, which have a generator ID (GID) of 132 or 133, if you want these rules to generate events. A link on the configuration page takes you to a filtered view of DCE/RPC preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See
for more information.

When a shared object rule or standard text rule that requires this preprocessor is enabled in an intrusion policy where the preprocessor is disabled, you must enable the preprocessor or choose to allow the system to enable it automatically before you can save the policy. For more information, see
See the following sections for more information:
Selecting Global DCE/RPC Options
LICENSE: Protection
Global DCE/RPC preprocessor options control how the preprocessor functions. Except for the Memory Cap Reached option, modifying these options could have a negative impact on performance or detection capability. You should not modify them unless you have a thorough understanding of the preprocessor and the interaction between the preprocessor and enabled DCE/RPC rules. In particular, make sure that the Maximum Fragment Size option and Reassembly Threshold option are greater than or equal to the depth to which the rules need to detect. For more information, see
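The two checks this section asks the administrator to make by hand, that Maximum Fragment Size and Reassembly Threshold are at least as large as the depth to which the DCE/RPC rules inspect, and that the GID 132/133 preprocessor rules are actually enabled, can be scripted against an exported rule set. The following Python is an added example, not part of the Sourcefire guide (which configures these options through the intrusion policy interface) and not Sourcefire or Snort code. The rule lines, SIDs and messages are constructed; treating a leading `#` as "rule disabled", reading `offset` and `depth` as Snort-style options, and taking `offset + depth` as the deepest byte a rule inspects are assumptions about Snort-style rule files, not statements from the page.

```python
"""Sanity-check DCE/RPC preprocessor global options against rule depth.

Added example. Given intrusion rules as Snort-style text and the two
global options named in the guide (Maximum Fragment Size, Reassembly
Threshold), report settings that are smaller than the deepest payload
offset any enabled DCE/RPC rule inspects, and list DCE/RPC preprocessor
rules (GID 132 or 133) that are present in the file but commented out.
"""
import re

# Constructed rules for illustration only (hypothetical SIDs and messages).
# Lines starting with '#' are treated as disabled rules (assumption).
RULES_TEXT = """
alert tcp any any -> any 445 (msg:"DEMO deep stub check"; flow:to_server,established; dce_stub_data; content:"|01 00|"; offset:600; depth:2; sid:9000001; rev:1;)
alert tcp any any -> any 135 (msg:"DEMO shallow stub check"; flow:to_server,established; dce_stub_data; content:"|02 00|"; offset:8; depth:4; sid:9000002; rev:1;)
alert tcp any any -> any 139 (msg:"DEMO non-DCE rule"; flow:to_server,established; content:"|FF|SMB"; sid:9000003; rev:1;)
alert ( msg:"DEMO preproc event A"; sid:1; gid:133; rev:1; metadata:rule-type preproc; )
# alert ( msg:"DEMO preproc event B"; sid:2; gid:133; rev:1; metadata:rule-type preproc; )
# alert ( msg:"DEMO preproc event C"; sid:3; gid:133; rev:1; metadata:rule-type preproc; )
"""

# Integer rule options we care about: "offset:600", "depth : 2", "gid:133", ...
_INT_OPTION = re.compile(r"\b(offset|depth|gid|sid)\s*:\s*(\d+)")


def _iter_rules(rules_text):
    """Yield one dict per non-empty line: enabled flag, rule text, int options."""
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        text = line.lstrip("#").strip()
        opts = {name: int(value) for name, value in _INT_OPTION.findall(text)}
        yield {"enabled": enabled, "text": text, "opts": opts}


def required_inspection_depth(rules_text):
    """Deepest byte any enabled DCE/RPC rule examines, as max(offset + depth).

    Only rules that use a dce_* keyword count, because the preprocessor
    options on this page govern DCE/RPC inspection. Missing offset/depth
    default to 0, so a rule without them never raises the requirement.
    """
    deepest = 0
    for rule in _iter_rules(rules_text):
        if not rule["enabled"] or "dce_" not in rule["text"]:
            continue
        reach = rule["opts"].get("offset", 0) + rule["opts"].get("depth", 0)
        deepest = max(deepest, reach)
    return deepest


def check_global_options(max_fragment_size, reassembly_threshold, rules_text):
    """Return a list of findings; an empty list means the options are consistent
    with the rule set in the sense the guide describes (both >= rule depth)."""
    need = required_inspection_depth(rules_text)
    findings = []
    if max_fragment_size < need:
        findings.append(
            f"Maximum Fragment Size {max_fragment_size} is below the deepest "
            f"DCE/RPC rule inspection ({need} bytes)")
    if reassembly_threshold < need:
        findings.append(
            f"Reassembly Threshold {reassembly_threshold} is below the deepest "
            f"DCE/RPC rule inspection ({need} bytes)")
    return findings


def disabled_preprocessor_rules(rules_text, gids=(132, 133)):
    """(gid, sid) pairs of DCE/RPC preprocessor rules that are commented out.

    These rules never generate events while disabled, which is exactly the
    condition the guide warns about for GID 132 and 133.
    """
    return [
        (rule["opts"]["gid"], rule["opts"]["sid"])
        for rule in _iter_rules(rules_text)
        if not rule["enabled"] and rule["opts"].get("gid") in gids
    ]


if __name__ == "__main__":
    # Constructed option values: a fragment size well above the rules, but a
    # threshold that is too small for the 600-byte-offset rule.
    for finding in check_global_options(16840, 500, RULES_TEXT):
        print("FINDING:", finding)
    for gid, sid in disabled_preprocessor_rules(RULES_TEXT):
        print(f"disabled preprocessor rule {gid}:{sid}")
```

Run against a real rule export, the script reports the single deepest reach rather than every rule, so one deep rule is enough to require raising both options; conversely, if it reports nothing, lowering either option below the reported depth would silently blind the rules that inspect stub data past the reassembly boundary.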