Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
838
Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
Chapter 23
If no preprocessor rule is mentioned, the option is not associated with a
preprocessor rule.
Maximum Fragment Size
When Enable Defragmentation is selected, specifies the maximum DCE/RPC
fragment length allowed from 1514 to 65535 bytes. The preprocessor
truncates larger fragments for processing purposes to the specified size
before defragmenting but does not alter the actual packet. A blank field
disables this option.
Reassembly Threshold
When Enable Defragmentation is selected, specifies the minimum number of
fragmented DCE/RPC bytes and, if applicable, segmented SMB bytes (1 to 65535)
to queue before sending a reassembled packet to the rules engine; 0 disables
this option. A low value increases the likelihood of early detection but could
have a negative impact on performance. You should test for performance impact
if you enable this option.
Enable Defragmentation
Specifies whether to defragment fragmented DCE/RPC traffic. When
disabled, the preprocessor still detects anomalies and sends DCE/RPC data
to the rules engine, but at the risk of missing exploits in fragmented DCE/RPC
data.
Although this option provides the flexibility of not defragmenting DCE/RPC
traffic, most DCE/RPC exploits attempt to take advantage of fragmentation to
hide the exploit. Disabling this option would allow most known exploits to
bypass detection, resulting in a large number of false negatives.
Memory Cap Reached
Detects when the maximum memory limit allocated to the preprocessor is
reached or exceeded. When the maximum memory cap is reached or
exceeded, the preprocessor frees all pending data associated with the
session that caused the memory cap event and ignores the rest of that
session.
You can enable rule 133:1 to generate events for this option. See
on page 770 for more information.
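The defragmentation options above (Maximum Fragment Size, Reassembly Threshold, Enable Defragmentation and Memory Cap Reached) interact. The following Python model is added here as an illustration and is not code from the Sourcefire preprocessor; the class, its field names, the byte-sized memcap and the sample fragments are constructed to show the documented behaviour: oversized fragments truncated for processing only, a queue flushed once the threshold is reached, and a memory-cap event that frees the offending session and ignores the rest of it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DceRpcDefrag:
    """Illustrative model of the defragmentation options; not the real preprocessor."""
    defragment: bool = True               # Enable Defragmentation
    max_frag_size: Optional[int] = None   # Maximum Fragment Size; None = blank field = disabled
    reassembly_threshold: int = 0         # Reassembly Threshold; 0 = disabled
    memcap: int = 4096                    # memory allocated to the preprocessor (constructed value)
    pending: Dict[str, bytes] = field(default_factory=dict)       # session -> queued bytes
    ignored: Set[str] = field(default_factory=set)                # sessions dropped after a memcap event
    events: List[Tuple[str, str]] = field(default_factory=list)   # (rule, session), e.g. ("133:1", sid)

    def mem_used(self) -> int:
        return sum(len(b) for b in self.pending.values())

    def add_fragment(self, sid: str, frag: bytes, last: bool = False) -> Optional[bytes]:
        """Process one DCE/RPC fragment; return data handed to the rules engine, or None."""
        if sid in self.ignored:
            return None                   # rest of the session is ignored after a memcap event
        if self.max_frag_size is not None and len(frag) > self.max_frag_size:
            frag = frag[: self.max_frag_size]  # truncated for processing only; packet unchanged
        if not self.defragment:
            return frag                   # each fragment reaches the rules engine unreassembled
        old = self.pending.get(sid, b"")
        queued = old + frag
        if self.mem_used() - len(old) + len(queued) > self.memcap:
            # Memory Cap Reached: free this session's pending data and ignore the rest of it
            self.pending.pop(sid, None)
            self.ignored.add(sid)
            self.events.append(("133:1", sid))
            return None
        self.pending[sid] = queued
        if last or (self.reassembly_threshold and len(queued) >= self.reassembly_threshold):
            return self.pending.pop(sid)  # reassembled (possibly early) packet to the rules engine
        return None
```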
Auto-Detect Policy on SMB Session
Detects the Windows or Samba version that is identified in SMB Session Setup
AndX requests and responses. When the detected version is different from the
Windows or Samba version configured for the Policy configuration option, the
detected version overrides the configured version for that session