Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 25-13
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
Step 7
You can modify any of the following target-based policy options:
• To specify the host or hosts where you want to apply the DCE/RPC target-based server policy, enter a single IP address or address block, or a comma-separated list of either or both, in the Networks field.
You can specify up to 255 total profiles, including the default policy. Note that you cannot modify the Networks setting in the default policy. The default policy applies to all servers on your network that are not identified in another policy.
• To specify the type of policy you want to apply to the specified host or hosts on your network segment, select one of the Windows or Samba policy types from the Policy drop-down list.
Note that you can enable the Auto-Detect Policy on SMB Session global option to automatically override the setting for this option on a per-session basis when SMB is the DCE/RPC transport. See
• To set the preprocessor to detect attempts to connect to specified shared SMB resources, enter a single string or a comma-separated list of the case-insensitive strings that identify the shared resources in the SMB Invalid Shares field. Optionally, enclose individual strings in quotes; this was required in previous software versions but is no longer required.
For example, to detect shared resources named C$, D$, admin, and private, you could enter:
"C$", D$, "admin", private
Note that to detect SMB invalid shares, you must also enable SMB Ports or SMB Auto-Detect Ports, and enable the global SMB Traffic option.
Note also that in most cases you should append a dollar sign to a drive named by Windows that you identify as an invalid share. For example, you would enter C$ or "C$" to identify drive C.
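The following is an added example, not code from the FireSIGHT product or from Cisco. It parses a value written in the SMB Invalid Shares format described above (comma-separated names, quotes optional, matched case-insensitively) and checks constructed sample SMB tree-connect targets against it. The assumption made here is that a share name is compared on its own, as the element after the host name in a UNC path; the dollar-sign caveat is visible in the sample, where an entry of C would not match the administrative share C$.

```python
import csv
import io

# Constructed field value in the documented format (quotes optional).
SAMPLE_FIELD = '"C$", D$, "admin", private'

# Constructed sample of UNC paths seen in SMB tree connect requests.
SAMPLE_TREE_CONNECTS = [
    r'\\fs01\C$',
    r'\\fs01\public',
    r'\\fs01\Admin',
    r'\\fs01\PRIVATE\hr',
    r'\\fs01\C',          # drive letter without the dollar sign: not C$
]


def parse_invalid_shares(field: str) -> list:
    """Split an SMB Invalid Shares value into share names.

    The csv module handles the optional double quotes; skipinitialspace lets a
    quoted name follow a comma and a space, as in the documented example.
    """
    reader = csv.reader(io.StringIO(field), skipinitialspace=True)
    row = next(reader, [])
    return [name.strip() for name in row if name.strip()]


def share_name_from_unc(path: str) -> str:
    """Return the share component of a UNC path (the element after the host).

    Assumption: the configured strings name the share only, not the full path.
    """
    parts = [p for p in path.replace('/', '\\').strip('\\').split('\\') if p]
    return parts[1] if len(parts) >= 2 else ''


def is_invalid_share(share: str, invalid_shares: list) -> bool:
    """Case-insensitive comparison of one share name against the configured list."""
    wanted = {name.lower() for name in invalid_shares}
    return share.lower() in wanted


def flag_tree_connects(paths: list, invalid_shares: list) -> list:
    """Return the tree-connect targets that reference a configured invalid share."""
    return [p for p in paths
            if is_invalid_share(share_name_from_unc(p), invalid_shares)]


if __name__ == '__main__':
    shares = parse_invalid_shares(SAMPLE_FIELD)
    print('configured invalid shares:', shares)
    for hit in flag_tree_connects(SAMPLE_TREE_CONNECTS, shares):
        print('invalid share access:', hit)
```

Running the block lists C$, Admin and PRIVATE as hits; public is not configured, and the bare C entry does not match C$, which is why the text recommends appending the dollar sign to a Windows drive share.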
• To inspect files detected in DCE/RPC traffic in SMB without analyzing the DCE/RPC traffic, select Only from the SMB File Inspection drop-down list. To inspect files detected in DCE/RPC traffic in SMB as well as the DCE/RPC traffic, select On from the SMB File Inspection drop-down list. Enter the number of bytes to inspect in a detected file in the SMB File Inspection Depth field. Enter 0 to inspect detected files in their entirety.
• To specify the maximum number of chained SMB AndX commands to permit, enter 0 to 255 in the SMB Maximum AndX Chains field. Specify 1 to permit no chained commands. Specify 0 or leave this option blank to disable this feature.
Note: Only someone who is expert in the SMB protocol should modify the setting for the SMB Maximum AndX Chains option.
• To enable the processing of DCE/RPC traffic over ports known to carry DCE/RPC traffic for a Windows policy transport, select or clear the check box next to a detection transport and, optionally, add or delete ports for the transport.
Select one or any combination of RPC over HTTP Proxy Ports, RPC over HTTP Server Ports, TCP Ports, and UDP Ports for a Windows policy. Select RPC Proxy Traffic Only when RPC over HTTP Proxy is enabled and detected client-side RPC over HTTP traffic is proxy traffic only; that is, when it does not include other web server traffic.
Select SMB Ports for a Samba policy.
In most cases, use the default settings. See for more information.
You can type a single port, a range of port numbers separated by a dash (-), or a comma-separated list of port numbers and ranges.
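The following is an added example, not code from the FireSIGHT product or from Cisco. It expands a port specification written in the format just described (single ports, dash-separated ranges, comma-separated lists of both) and then shows how a transport's check box and port list decide whether a given protocol/port pair is examined under a Windows policy. The policy values are constructed samples, not the product's defaults, and the mapping of each transport to TCP or UDP is an assumption made for the example.

```python
# Constructed Windows-policy transport settings (sample values, not defaults).
# 'enabled' models the check box next to each transport; 'ports' is the field text.
SAMPLE_WINDOWS_POLICY = {
    'TCP Ports': {'enabled': True, 'ports': '135, 1025-1100'},
    'UDP Ports': {'enabled': False, 'ports': '135'},
    'RPC over HTTP Server Ports': {'enabled': True, 'ports': '593'},
    'RPC over HTTP Proxy Ports': {'enabled': True, 'ports': '80'},
}

# Assumed transport-layer protocol for each transport (example mapping).
TRANSPORT_PROTOCOL = {
    'TCP Ports': 'tcp',
    'UDP Ports': 'udp',
    'RPC over HTTP Server Ports': 'tcp',
    'RPC over HTTP Proxy Ports': 'tcp',
    'SMB Ports': 'tcp',
}


def parse_port_spec(spec: str) -> set:
    """Expand a port field value into the set of port numbers it names.

    Accepts a single port, a range such as 1025-1100, or a comma-separated
    list of ports and ranges. Raises ValueError on malformed or out-of-range
    entries so a bad field value is rejected rather than silently ignored.
    """
    ports = set()
    for token in spec.split(','):
        token = token.strip()
        if not token:
            continue                      # tolerate trailing or doubled commas
        if '-' in token:
            lo_s, hi_s = token.split('-', 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(token)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f'invalid port entry: {token!r}')
        ports.update(range(lo, hi + 1))
    return ports


def is_valid_port_spec(spec: str) -> bool:
    """True when the field text parses; useful as an input check before saving."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def matching_transports(policy: dict, protocol: str, port: int) -> list:
    """Names of enabled transports whose port list covers (protocol, port)."""
    hits = []
    for name, cfg in policy.items():
        if not cfg['enabled'] or TRANSPORT_PROTOCOL[name] != protocol:
            continue
        if port in parse_port_spec(cfg['ports']):
            hits.append(name)
    return hits


if __name__ == '__main__':
    print(sorted(parse_port_spec('135, 139-141')))
    for proto, port in [('tcp', 135), ('udp', 135), ('tcp', 593), ('tcp', 8080)]:
        print(proto, port, '->', matching_transports(SAMPLE_WINDOWS_POLICY, proto, port))
```

With the sample policy, UDP 135 matches nothing because its check box is cleared even though the port is listed, which is the distinction the text draws between selecting a transport and editing its ports.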