FireSIGHT System User Guide
 
Chapter 25      Using Application Layer Preprocessors
  Decoding DCE/RPC Traffic
SMB Invalid Shares
A case-insensitive, alphanumeric text string that identifies one or more SMB shared resources; the
preprocessor detects an attempt to connect to any shared resource that you specify.
You can specify multiple shares in a comma-separated list and, optionally, enclose shares in quotes
(required in previous software versions, but no longer); for example:
"C$", D$, "admin", private
The preprocessor detects invalid shares in SMB traffic when you have enabled both SMB ports and 
SMB traffic detection.
Note that in most cases you should append a dollar sign when the share you identify as invalid is the
administrative share that Windows creates for a drive letter. For example, identify drive C as C$ or "C$".
You can enable rule 133:26 to generate events for this option. See
for more information.
SMB Maximum AndX Chain
The maximum number between 0 and 255 of chained SMB AndX commands to permit. Typically, 
more than a few chained AndX commands represent anomalous behavior and could indicate an 
evasion attempt. Specify 1 to permit no chained commands or 0 to disable detecting the number of 
chained commands.
Note that the preprocessor first counts the number of chained commands and generates an event if 
accompanying SMB preprocessor rules are enabled and the number of chained commands equals or 
exceeds the configured value. It then continues processing.
Note
Only someone who is an expert in the SMB protocol should modify the default setting for this
option.
You can enable rule 133:20 to generate events for this option. See
for more information.
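The two SMB checks described above, the share-name match on a tree connect and the count of chained AndX commands, as a toy Python model. This is an added example and not Cisco or Snort code: it builds its own SMB1 requests (constructed test data, not captures), follows the AndXCommand/AndXOffset fields from block to block the way the preprocessor must, and labels its findings with the rule IDs the page names (133:26 and 133:20). The field layout follows the SMB1 header and TREE_CONNECT_ANDX parameter block; the helper names, the server name FILESRV and the share paths are the example's own assumptions.

```python
"""Toy model of two SMB checks that FireSIGHT exposes as "SMB Invalid Shares"
(rule 133:26) and "SMB Maximum AndX Chain" (rule 133:20). Added example, not
Cisco or Snort code: SMB1 only, and every field it does not use is zero-filled."""
import struct

SMB1_HEADER_LEN = 32
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NO_ANDX = 0xFF  # AndXCommand value meaning "no further chained command"
# Commands whose parameter words begin with AndXCommand, AndXReserved, AndXOffset
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75}


def parse_invalid_shares(spec):
    """Parse the option value: comma-separated, quotes optional, case-insensitive."""
    shares = set()
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[0] == item[-1] == '"':
            item = item[1:-1].strip()
        if item:
            shares.add(item.upper())
    return shares


def share_from_unc(path):
    r"""'\\SERVER\C$' -> 'C$' (last non-empty component of the UNC path)."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return parts[-1] if parts else ""


def tree_connect_path(pdu, words_off, word_count):
    """Path from a TREE_CONNECT_ANDX request; Unicode when Flags2 bit 15 is set."""
    flags2 = struct.unpack_from("<H", pdu, 10)[0]
    pwd_len = struct.unpack_from("<H", pdu, words_off + 6)[0]  # after AndX(4)+Flags(2)
    data_off = words_off + 2 * word_count
    byte_count = struct.unpack_from("<H", pdu, data_off)[0]
    pos, end = data_off + 2 + pwd_len, data_off + 2 + byte_count
    if flags2 & 0x8000:
        pos += pos % 2  # Unicode strings are 16-bit aligned from the SMB header start
        raw = pdu[pos:end]
        term = next((i for i in range(0, len(raw) - 1, 2) if raw[i:i + 2] == b"\0\0"), len(raw))
        return raw[:term].decode("utf-16-le", "replace")
    return pdu[pos:end].split(b"\0", 1)[0].decode("latin-1")


def inspect_smb1(pdu, invalid_shares, max_chain):
    """Follow the AndX chain as the preprocessor does: flag invalid shares on
    tree connects, count chained commands (alert once when the count reaches
    max_chain; 0 disables the check) and stop on offsets that do not move forward."""
    if len(pdu) <= SMB1_HEADER_LEN or pdu[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 PDU")
    result = {"commands": [], "chained": 0, "alerts": [], "malformed": False}
    command, offset, seen = pdu[4], SMB1_HEADER_LEN, set()
    while offset < len(pdu):
        seen.add(offset)
        word_count, words_off = pdu[offset], offset + 1
        result["commands"].append(command)
        if command == SMB_COM_TREE_CONNECT_ANDX and word_count == 4 and words_off + 10 <= len(pdu):
            share = share_from_unc(tree_connect_path(pdu, words_off, word_count))
            if share.upper() in invalid_shares:
                result["alerts"].append(("133:26", share))
        if command not in ANDX_COMMANDS or word_count < 2 or words_off + 4 > len(pdu):
            break
        next_cmd, _, next_off = struct.unpack_from("<BBH", pdu, words_off)
        if next_cmd == SMB_COM_NO_ANDX:
            break
        result["chained"] += 1
        if max_chain and result["chained"] == max_chain:
            result["alerts"].append(("133:20", result["chained"]))
        # Evasion guard: the next block must lie forward, in bounds and not visited before
        if next_off <= offset or next_off >= len(pdu) or next_off in seen:
            result["malformed"] = True
            break
        command, offset = next_cmd, next_off
    return result


def build_chain(blocks):
    """Construct an ASCII SMB1 request (test data, not a capture) from
    (command, extra_words, data) blocks; AndXOffset is filled in as we go."""
    pdu = bytearray(b"\xffSMB" + bytes([blocks[0][0]]) + b"\0" * 4 + b"\x18"
                    + struct.pack("<H", 0x0001) + b"\0" * 12
                    + struct.pack("<HHHH", 0, 0xFEFF, 0, 1))  # TID, PID, UID, MID
    for i, (_cmd, extra, data) in enumerate(blocks):
        nxt = blocks[i + 1][0] if i + 1 < len(blocks) else SMB_COM_NO_ANDX
        words = bytes([nxt, 0]) + b"\0\0" + extra  # AndXOffset patched below
        start = len(pdu)
        pdu += bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
        if nxt != SMB_COM_NO_ANDX:
            struct.pack_into("<H", pdu, start + 3, len(pdu))  # -> next block's WordCount
    return bytes(pdu)


def tree_connect(path):
    """TREE_CONNECT_ANDX block: Flags=0, PasswordLength=1, then password, path, service."""
    return (SMB_COM_TREE_CONNECT_ANDX, struct.pack("<HH", 0, 1),
            b"\0" + path.encode("latin-1") + b"\0" + b"?????\0")


SESSION_SETUP = (SMB_COM_SESSION_SETUP_ANDX, b"\0" * 22, b"\0")  # 13 words, zeroed
```

Feeding `build_chain([SESSION_SETUP, tree_connect(r"\\FILESRV\c$")])` to `inspect_smb1` with the page's own share list (`'"C$", D$, "admin", private'`) and a chain limit of 3 yields one 133:26 finding for `c$`, showing why the lowercase spelling and the dollar sign both matter; a request that chains three tree connects behind the session setup reaches the limit and yields 133:20, and the same request with `max_chain=0` yields nothing. The forward-only offset check is what keeps a crafted AndXOffset from sending the walker into a loop or back into the header.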
RPC Proxy Traffic Only
When RPC over HTTP Proxy Ports is enabled, indicates whether detected client-side RPC over HTTP
traffic is proxy traffic only or might include other web server traffic. For example, port 80 could
carry both proxy and other web server traffic.
When this option is disabled, both proxy and other web server traffic are expected. Enable this
option, for example, if the server is a dedicated proxy server. When enabled, the preprocessor tests
traffic to determine if it carries DCE/RPC, ignores the traffic if it does not, and continues processing
if it does. Note that enabling this option adds functionality only if the RPC over HTTP Proxy Ports check
box is also enabled.
RPC over HTTP Proxy Ports
Enables detection of DCE/RPC traffic tunneled by RPC over HTTP over each specified port when
your managed device is positioned between the DCE/RPC client and the Microsoft IIS RPC proxy
server. See 
When enabled, you can add any ports where you see DCE/RPC traffic, although this is unlikely to
be necessary because web servers typically use the default port for both DCE/RPC and other traffic.
When enabled, you would not enable RPC over HTTP Proxy Auto-Detect Ports, but you would enable
RPC Proxy Traffic Only when detected client-side RPC over HTTP traffic is proxy traffic only and does
not include other web server traffic.