Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 25      Using Application Layer Preprocessors
  Decoding DCE/RPC Traffic
SMB File Inspection
Enables inspection of SMB traffic for file detection. You have the following options:
  – Select Off to disable file inspection.
  – Select Only to inspect file data without inspecting the DCE/RPC traffic in SMB. Selecting this option can improve performance over inspecting both files and DCE/RPC traffic.
  – Select On to inspect both files and the DCE/RPC traffic in SMB. Selecting this option can impact performance.
Inspection of SMB traffic for the following is not supported:
  – files transferred in SMB 2.0 and SMB 3.0
  – files transferred in an established TCP or SMB session before this option is enabled and the policy applied
  – files transferred concurrently in a single TCP or SMB session
  – files transferred across multiple TCP or SMB sessions
  – files transferred with non-contiguous data, such as when message signing is negotiated
  – files transferred with different data at the same offset, overlapping the data
  – files opened on a remote client for editing that the client saves to the file server
SMB File Inspection Depth
If SMB File Inspection is set to Only or On, this field specifies the number of bytes inspected when a file is detected in SMB traffic. Specify one of the following:
  – an integer from 1 to 2147483647 (about 2GB)
  – 0 to inspect the entire file
  – -1 to disable file inspection
Enter a value in this field equal to or smaller than the one defined in your access control policy. If you set a value for this option larger than the one defined for Limit the number of bytes inspected when doing file type detection, the system uses the access control policy setting as the functional maximum. See  for more information.
If SMB File Inspection is set to Off, this field is disabled.
Configuring the DCE/RPC Preprocessor
License: Protection
You can configure DCE/RPC preprocessor global options and one or more target-based server policies.
The preprocessor does not generate events unless you enable rules with generator ID (GID) 133. A link on the configuration page takes you to a filtered view of DCE/RPC preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See  and  for rules associated with specific detection options; see also .
In addition, most DCE/RPC preprocessor rules generate events against anomalies and evasion techniques detected in SMB, connection-oriented DCE/RPC, or connectionless DCE/RPC traffic. The following table identifies the rules that you can enable for each type of traffic.