FireSIGHT System User Guide
Chapter 25      Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
  • enable and specify auto-detection ports. See for more information.
  • set the preprocessor to detect when there is an attempt to connect to one or more shared SMB resources that you identify.
  • configure the preprocessor to detect files in SMB traffic, and to inspect a specified number of bytes in a detected file.
  • modify an advanced option that should be modified only by a user with SMB protocol expertise; this option lets you set the preprocessor to detect when the number of chained SMB AndX commands exceeds a specified maximum.
Note that you can enable the Auto-Detect Policy on SMB Session global option to automatically override the policy type configured for a targeted policy on a per-session basis when SMB is the DCE/RPC transport. See .
In addition to enabling SMB traffic file detection in the DCE/RPC preprocessor, you can configure a file policy to optionally capture and block these files, or submit them to the Collective Security Intelligence Cloud for dynamic analysis. Within that policy, you must create a file rule with an Action of Detect Files or Block Files and a selected Application Protocol of Any or NetBIOS-ssn (SMB). See for more information.
Understanding DCE/RPC Transports
License: Protection
In each target-based policy, you can enable one or more of the TCP, UDP, SMB, and RPC over HTTP transports. When you enable a transport, you must also specify one or more detection ports, that is, ports that are known to carry DCE/RPC traffic. Optionally, you can also enable and specify auto-detection ports, that is, ports that the preprocessor tests first to determine if they carry DCE/RPC traffic and continues processing only when it detects DCE/RPC traffic.
Cisco recommends that you use the default detection ports, which are either well-known ports or 
otherwise commonly-used ports for each protocol. You would add detection ports only if you detected 
DCE/RPC traffic on a non-default port.
When you enable auto-detection ports, ensure that they are set to the port range from 1024 to 65535 to cover the entire ephemeral port range; DCE/RPC services that register with the endpoint mapper listen on dynamic ports in that range, so a narrower range lets their traffic pass uninspected. Note that it is unlikely that you would enable or specify auto-detection ports for the RPC over HTTP Proxy Auto-Detect Ports option or the SMB Auto-Detect Ports option, because there is little likelihood that traffic for either would occur, or even be possible, except on the specified default detection ports. Note also that auto-detection occurs only for ports not already identified by transport detection ports. See for recommendations for enabling or disabling auto-detection ports for each transport.
Note that any port configured for the TCP Ports or TCP Auto-Detect Ports option is automatically activated as a TCP stream preprocessor client or server reassembly port for the duration of a DCE/RPC session over the configured TCP port. Only TCP ports are activated, and TCP ports are automatically deactivated at the end of the session. See and for more information.
You can specify ports for one or more transports in any combination in a Windows target-based policy 
to match the traffic on your network, but you can only specify ports for the SMB transport in a Samba 
target-based policy.
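As an added example, not code from the FireSIGHT product or from this guide, the following Python models the port logic described in this section: detection ports are always treated as DCE/RPC, auto-detection ports are probed first and inspected only when the payload parses as a DCE/RPC header, auto-detection never applies to a port already listed as a detection port, a transport absent from a Samba policy is never inspected, and a TCP port is enabled as a stream reassembly port only for the life of the session. The policy contents, the connection-oriented header probe that stands in for the preprocessor's test, the `ReassemblyPorts` tracker and the sample payloads are all assumptions constructed for illustration.

```python
"""
Added illustration of the detection-port / auto-detect-port distinction.
Not FireSIGHT or Snort code; policies, probe and samples are assumptions.
"""
import struct
from dataclasses import dataclass

CO_HDR_LEN = 16  # connection-oriented DCE/RPC common header length (MS-RPCE)
# request, response, fault, bind, bind_ack, bind_nak, alter_context, alter_context_resp
KNOWN_PTYPES = {0, 2, 3, 11, 12, 13, 14, 15}


@dataclass(frozen=True)
class Transport:
    detect: frozenset      # ports known to carry DCE/RPC; inspected unconditionally
    autodetect: frozenset  # ports probed first; inspected only if the probe succeeds


def ports(*items):
    """Build a frozenset from single ports and (lo, hi) inclusive ranges."""
    out = set()
    for item in items:
        if isinstance(item, tuple):
            out.update(range(item[0], item[1] + 1))
        else:
            out.add(item)
    return frozenset(out)


# Assumed Windows target-based policy: default detection ports plus TCP/UDP
# auto-detection over the whole ephemeral range, as the text recommends.
WINDOWS_POLICY = {
    "tcp": Transport(detect=ports(135), autodetect=ports((1024, 65535))),
    "udp": Transport(detect=ports(135), autodetect=ports((1024, 65535))),
    "smb": Transport(detect=ports(139, 445), autodetect=ports()),
}

# Assumed Samba target-based policy: only the SMB transport carries ports.
SAMBA_POLICY = {
    "smb": Transport(detect=ports(139, 445), autodetect=ports()),
}


def looks_like_dcerpc_co(payload: bytes) -> bool:
    """Cheap probe for a connection-oriented DCE/RPC PDU header: rpc_vers 5,
    rpc_vers_minor 0 or 1, a known PDU type, and a frag_length that at least
    covers the header plus any auth trailer it announces. Integer byte order
    comes from bit 4 of the first data-representation byte."""
    if len(payload) < CO_HDR_LEN:
        return False
    vers, minor, ptype, _flags, drep = struct.unpack_from("<BBBB4s", payload, 0)
    if vers != 5 or minor not in (0, 1) or ptype not in KNOWN_PTYPES:
        return False
    order = "<" if drep[0] & 0x10 else ">"
    frag_len, auth_len = struct.unpack_from(order + "HH", payload, 8)
    return frag_len >= CO_HDR_LEN and auth_len <= frag_len - CO_HDR_LEN


def classify(policy, transport, port, payload):
    """Return 'detect', 'autodetect' or None for one server port. A detection
    port wins outright; auto-detection applies only to ports not already
    listed as detection ports; a transport missing from the policy is skipped."""
    tp = policy.get(transport)
    if tp is None:
        return None
    if port in tp.detect:
        return "detect"
    if port in tp.autodetect and looks_like_dcerpc_co(payload):
        return "autodetect"
    return None


class ReassemblyPorts:
    """Models the note that a TCP port carrying a DCE/RPC session is enabled as
    a stream reassembly port only for the duration of that session."""
    def __init__(self):
        self.active = set()

    def session_start(self, transport, port, verdict):
        if transport == "tcp" and verdict is not None:  # only TCP ports are activated
            self.active.add(port)

    def session_end(self, port):
        self.active.discard(port)


def bind_pdu(frag_len=72):
    """Constructed sample: minimal little-endian bind PDU header, zero-padded to frag_len."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00", frag_len, 0, 1)
    return hdr + b"\x00" * (frag_len - len(hdr))


BIND_PDU = bind_pdu()                                        # constructed DCE/RPC bind
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed non-DCE/RPC payload

if __name__ == "__main__":
    tracker = ReassemblyPorts()
    for transport, port, payload in [("tcp", 135, HTTP_GET), ("tcp", 49152, BIND_PDU),
                                     ("tcp", 49152, HTTP_GET), ("tcp", 80, BIND_PDU)]:
        verdict = classify(WINDOWS_POLICY, transport, port, payload)
        tracker.session_start(transport, port, verdict)
        print(f"{transport}/{port}: {verdict}; reassembly ports now {sorted(tracker.active)}")
```

Run as a script, the loop shows the four outcomes the text describes: port 135 is inspected whatever it carries, 49152 is inspected only because the probe accepted the bind header, the same port carrying HTTP is left alone, and a DCE/RPC header on port 80 is ignored because 80 is neither a detection port nor inside the auto-detect range.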