Cisco Cisco Firepower Management Center 4000
25-10
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
RPC over HTTP Server Ports
Enables detection of DCE/RPC traffic tunneled by RPC over HTTP on each specified port when the
MicroSoft IIS RPC proxy server and the DCE/RPC server are located on different hosts and the
device monitors traffic between the two servers. See
MicroSoft IIS RPC proxy server and the DCE/RPC server are located on different hosts and the
device monitors traffic between the two servers. See
.
Typically, when you enable this option you should also enable
RPC over HTTP Server Auto-Detect Ports
with a port range from 1025 to 65535 for that option even if you are not aware of any proxy web
servers on your network. Note that the RPC over HTTP server port is sometimes reconfigured, in
which case you should add the reconfigured server port to port list for this option.
servers on your network. Note that the RPC over HTTP server port is sometimes reconfigured, in
which case you should add the reconfigured server port to port list for this option.
TCP Ports
Enables detection of DCE/RPC traffic in TCP on each specified port.
Legitimate DCE/RPC traffic and exploits might use a wide variety of ports, and other ports above
port 1024 are common. Typically, when this option is enabled you should also enable
port 1024 are common. Typically, when this option is enabled you should also enable
TCP Auto-Detect
Ports
with a port range from 1025 to 65535 for that option.
UDP Ports
Enables detection of DCE/RPC traffic in UDP on each specified port.
Legitimate DCE/RPC traffic and exploits might use a wide variety of ports, and other ports above
port 1024 are common. Typically, when this option is enabled you should also enable
port 1024 are common. Typically, when this option is enabled you should also enable
UDP Auto-Detect
Ports
with a port range from 1025 to 65535 for that option.
SMB Ports
Enables detection of DCE/RPC traffic in SMB on each specified port.
You could encounter SMB traffic using the default detection ports. Other ports are rare. Typically,
use the default settings.
use the default settings.
RPC over HTTP Proxy Auto-Detect Ports
Enables auto-detection of DCE/RPC traffic tunneled by RPC over HTTP on the specified ports when
your managed device is positioned between the DCE/RPC client and the MicroSoft IIS RPC proxy
server. See
your managed device is positioned between the DCE/RPC client and the MicroSoft IIS RPC proxy
server. See
When enabled, you would typically specify a port range from 1025 to 65535 to cover the entire range
of ephemeral ports.
of ephemeral ports.
RPC over HTTP Server Auto-Detect Ports
Enables auto-detection of DCE/RPC traffic tunneled by RPC over HTTP on the specified ports when
the MicroSoft IIS RPC proxy server and the DCE/RPC server are located on different hosts and the
device monitors traffic between the two servers. See
the MicroSoft IIS RPC proxy server and the DCE/RPC server are located on different hosts and the
device monitors traffic between the two servers. See
.
TCP Auto-Detect Ports
Enables auto-detection of DCE/RPC traffic in TCP on the specified ports.
UDP Auto-Detect Ports
Enables auto-detection of DCE/RPC traffic in UDP on each specified port.
SMB Auto-Detect Ports
Enables auto-detection of DCE/RPC traffic in SMB.