FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
  • explains how you can use the SSL preprocessor to identify encrypted traffic and eliminate false positives by stopping inspection of that traffic.
  • explains how you can use the Modbus and DNP3 preprocessors to detect anomalies in corresponding traffic and provide data to the rules engine for inspection of certain protocol fields.
Decoding DCE/RPC Traffic
License: Protection
The DCE/RPC protocol allows processes on separate network hosts to communicate as if the processes were on the same host. These inter-process communications are commonly transported between hosts over TCP and UDP. Within the TCP transport, DCE/RPC might also be further encapsulated in the Windows Server Message Block (SMB) protocol or in Samba, an open-source SMB implementation used for inter-process communication in a mixed environment made up of Windows and UNIX- or Linux-like operating systems. In addition, Windows IIS web servers on your network might use IIS RPC over HTTP, which provides distributed communication through a firewall, to proxy TCP-transported DCE/RPC traffic.
Note that descriptions of DCE/RPC preprocessor options and functionality include the Microsoft implementation of DCE/RPC known as MSRPC; descriptions of SMB options and functionality refer to both SMB and Samba.
Although most DCE/RPC exploits occur in DCE/RPC client requests targeted at DCE/RPC servers, which could be practically any host on your network that is running Windows or Samba, exploits can also occur in server responses. The DCE/RPC preprocessor detects DCE/RPC requests and responses encapsulated in TCP, UDP, and SMB transports, including TCP-transported DCE/RPC using version 1 RPC over HTTP. The preprocessor analyzes DCE/RPC data streams and detects anomalous behavior and evasion techniques in DCE/RPC traffic. It also analyzes SMB data streams and detects anomalous SMB behavior and evasion techniques.
The DCE/RPC preprocessor also desegments SMB and defragments DCE/RPC in addition to IP defragmentation and TCP stream reassembly. Note that TCP stream preprocessing must be enabled to detect TCP-transported DCE/RPC, including SMB and RPC over HTTP, and IP defragmentation must be enabled when you enable the DCE/RPC preprocessor because, ultimately, IP transports all DCE/RPC traffic. See
Finally, the DCE/RPC preprocessor normalizes DCE/RPC traffic for processing by the rules engine. See for information on using specific DCE/RPC rule keywords to detect DCE/RPC services, operations, and stub data.
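As an added illustration of the DCE/RPC defragmentation described above (example code, not Cisco's or Snort's implementation), the following Python parses connection-oriented DCE/RPC request PDUs, reassembles one call's stub data across its fragments so a rules engine could inspect the whole request, and rejects the fragment-ordering anomalies that evasion attempts produce. It assumes the standard 16-byte common header plus 8-byte request header layout and unauthenticated PDUs (auth_length of 0); the sample PDUs are constructed, not captured.

```python
import struct

# Added example, not FireSIGHT/Snort code: parse connection-oriented DCE/RPC
# request PDUs and reassemble one call's stub data across its fragments.
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
PTYPE_REQUEST = 0

def parse_request(buf: bytes) -> tuple[int, int, int, bytes]:
    """Return (pfc_flags, call_id, opnum, stub) from one CO request PDU."""
    if len(buf) < 24:
        raise ValueError("truncated PDU")
    if buf[0] != 5 or buf[2] != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    e = "<" if buf[4] & 0x10 else ">"   # packed_drep bit 0x10: little-endian ints
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", buf[8:16])
    if frag_len != len(buf) or auth_len:
        raise ValueError("frag_length/auth_length outside what this example handles")
    _alloc_hint, _ctx_id, opnum = struct.unpack(e + "IHH", buf[16:24])
    return buf[3], call_id, opnum, buf[24:frag_len]

def reassemble_request(fragments: list[bytes]) -> tuple[int, bytes]:
    """Join the fragments of one call into (opnum, stub); raise on anomalies."""
    stub, key, done = b"", None, False
    for i, raw in enumerate(fragments):
        flags, call_id, opnum, piece = parse_request(raw)
        if done:
            raise ValueError("fragment received after PFC_LAST_FRAG")
        if i == 0:
            if not flags & PFC_FIRST_FRAG:
                raise ValueError("first fragment lacks PFC_FIRST_FRAG")
            key = (call_id, opnum)
        elif (call_id, opnum) != key:
            # a later fragment must not switch the call or the operation being invoked
            raise ValueError("call_id/opnum changed mid-call")
        stub += piece
        done = bool(flags & PFC_LAST_FRAG)
    if not done:
        raise ValueError("call ended without PFC_LAST_FRAG")
    return key[1], stub

def build_request(call_id: int, opnum: int, stub: bytes, flags: int) -> bytes:
    """Build a little-endian request PDU; constructed sample input, not captured."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub       # alloc_hint, ctx_id, opnum
    hdr = struct.pack("<BBBBIHHI", 5, 0, PTYPE_REQUEST, flags, 0x10, 16 + len(body), 0, call_id)
    return hdr + body

if __name__ == "__main__":
    frags = [build_request(7, 3, b"AAAA", PFC_FIRST_FRAG),
             build_request(7, 3, b"BBBB", PFC_LAST_FRAG)]
    print(reassemble_request(frags))  # (3, b'AAAABBBB')
```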
You configure the DCE/RPC preprocessor by modifying any of the global options that control how the preprocessor functions, and by specifying one or more target-based server policies that identify the DCE/RPC servers on your network by IP address and by either the Windows or Samba version running on them:
  • You must enable DCE/RPC preprocessor rules, which have a generator ID (GID) of 132 or 133, if you want these rules to generate events. A link on the configuration page takes you to a filtered view of DCE/RPC preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See for more information.
  • When a shared object rule or standard text rule that requires this preprocessor is enabled in an intrusion policy where the preprocessor is disabled, you must enable the preprocessor or choose to allow the system to enable it automatically before you can save the policy. For more information, see