Cisco Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
• The well-known TCP or UDP port 135 identifies DCE/RPC traffic in the TCP and UDP transports.
• The figure does not include RPC over HTTP.
  For RPC over HTTP, connection-oriented DCE/RPC is transported directly over TCP as shown in the figure after an initial setup sequence over HTTP. See for more information.
• The DCE/RPC preprocessor typically receives SMB traffic on the well-known TCP port 139 for the NetBIOS Session Service or the similarly implemented well-known Windows port 445.
  Because SMB has many functions other than transporting DCE/RPC, the preprocessor first tests whether the SMB traffic is carrying DCE/RPC traffic, stops processing if it is not, and continues processing if it is.
• IP encapsulates all DCE/RPC transports.
  You must ensure that IP defragmentation is enabled when you enable the DCE/RPC preprocessor. See for more information.
• TCP transports all connection-oriented DCE/RPC.
  You must ensure that TCP stream preprocessing is enabled when you enable the TCP, SMB, or RPC over HTTP transport. See for more information.
• UDP transports connectionless DCE/RPC.
  You must ensure that UDP stream preprocessing is enabled when you enable the UDP transport. See for more information.
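The following is an added example, not taken from the Cisco guide or from the preprocessor's code: a minimal Python reader for the connection-oriented (TCP) and connectionless (UDP) DCE/RPC headers named in the list above, showing how a PDU seen in a single TCP segment can be incomplete, which is why stream preprocessing has to be enabled before decoding. The header offsets follow the DCE/RPC specification; the function names and the sample bytes are constructed for illustration.

```python
import struct

CO_HDR_LEN = 16   # connection-oriented common header (carried over TCP)
CL_HDR_LEN = 80   # connectionless header (carried over UDP)

def _order(drep0):
    # High nibble of the first data-representation byte: 1 = little-endian.
    return "<" if (drep0 >> 4) == 1 else ">"

def parse_co(segment):
    """Read the header at the start of one TCP segment's payload.
    Returns None if the bytes do not look like connection-oriented DCE/RPC."""
    if len(segment) < CO_HDR_LEN or segment[0] != 5 or segment[1] not in (0, 1):
        return None
    frag_len, _auth_len, call_id = struct.unpack_from(
        _order(segment[4]) + "HHI", segment, 8)
    if frag_len < CO_HDR_LEN:
        return None
    # missing > 0: the PDU continues in later segments, so a decoder that
    # looks at single packets cannot see all of it; it needs the stream.
    return {"ptype": segment[2], "frag_length": frag_len, "call_id": call_id,
            "missing": max(0, frag_len - len(segment))}

def parse_cl(datagram):
    """Read the 80-byte connectionless header of one UDP datagram."""
    if len(datagram) < CL_HDR_LEN or datagram[0] != 4:
        return None
    o = _order(datagram[4])
    (opnum,) = struct.unpack_from(o + "H", datagram, 68)
    body_len, fragnum = struct.unpack_from(o + "HH", datagram, 74)
    return {"ptype": datagram[1], "opnum": opnum,
            "body_len": body_len, "fragnum": fragnum}

def decode_port_135(transport, payload):
    """Port 135 carries both forms; the transport selects the header format."""
    return parse_co(payload) if transport == "tcp" else parse_cl(payload)

# Constructed sample data: a 72-byte little-endian bind PDU (ptype 11) and an
# 80-byte connectionless request (ptype 0, opnum 3) with an empty body.
BIND_PDU = (bytes([5, 0, 11, 3, 0x10, 0, 0, 0])
            + struct.pack("<HHI", 72, 0, 1) + bytes(56))
CL_REQUEST = (bytes([4, 0, 0, 0, 0x10, 0, 0, 0]) + bytes(60)
              + struct.pack("<HHHHH", 3, 0xFFFF, 0xFFFF, 0, 0) + bytes(2))

if __name__ == "__main__":
    print(decode_port_135("tcp", BIND_PDU[:40]))  # first segment only
    print(decode_port_135("tcp", BIND_PDU))       # reassembled PDU
    print(decode_port_135("udp", CL_REQUEST))
```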
Understanding the RPC over HTTP Transport
License: Protection
Microsoft RPC over HTTP allows you to tunnel DCE/RPC traffic through a firewall as shown in the following diagram. The DCE/RPC preprocessor detects version 1 of Microsoft RPC over HTTP.