Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
To configure the DCE/RPC preprocessor:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether DCE/RPC Configuration under Application Layer Preprocessors is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
The DCE/RPC Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See for more information.
Step 5
You can modify any of the options described in
Step 6
You have two options:
• Add a new target-based policy. Click the add icon next to Servers on the left side of the page.
The Add Target pop-up window appears. Specify one or more IP addresses in the Server Address field and click OK.
You can specify a single IP address or address block, or a comma-separated list of either or both.
For information on using IPv4 and IPv6 address blocks in the FireSIGHT System, see
You can configure up to 255 policies, including the default policy.
A new entry appears in the list of servers on the left side of the page, highlighted to indicate that it is selected, and the Configuration section updates to reflect the current configuration for the profile you added.
• Modify the settings for an existing target-based policy. Click the configured address for a policy you have added under Servers on the left side of the page, or click default.
Your selection is highlighted and the Configuration section updates to display the current configuration for the policy you selected. To delete an existing policy, click the delete icon next to the policy you want to remove.
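The Server Address rules in Step 6 (single addresses or blocks, comma-separated, IPv4 or IPv6, at most 255 policies including the default) can be checked offline before the values are typed into the Add Target window. The following Python sketch is an added example, not part of the FireSIGHT System or this guide. The policy labels, sample addresses, strict host-bit check and overlap warning are assumptions of this checker; the guide text above does not say how overlapping targets are handled, so overlaps are only flagged for review.

```python
import ipaddress

MAX_POLICIES = 255  # limit stated in the guide; includes the default policy


def parse_server_address(field):
    """Parse a Server Address value: comma-separated single IPv4/IPv6
    addresses and/or address blocks. Returns a list of network objects."""
    nets = []
    for item in (part.strip() for part in field.split(",")):
        if not item:
            raise ValueError("empty entry in %r" % field)
        try:
            # strict=True rejects host bits (10.1.1.5/24): this checker's choice
            nets.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            raise ValueError("bad address or block %r: %s" % (item, exc))
    return nets


def check_policy_plan(plan):
    """plan maps a hypothetical policy label to its Server Address string.
    Returns a list of findings; an empty list means nothing to review."""
    findings = []
    if len(plan) + 1 > MAX_POLICIES:  # +1 for the default policy
        findings.append("too many policies: %d plus default" % len(plan))
    seen = []  # (network, label) pairs accepted so far
    for label, field in plan.items():
        try:
            nets = parse_server_address(field)
        except ValueError as exc:
            findings.append("%s: %s" % (label, exc))
            continue
        for net in nets:
            for other, other_label in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append("%s: %s overlaps %s in %s"
                                    % (label, net, other, other_label))
            seen.append((net, label))
    return findings


# Constructed sample plan; labels and addresses are illustrative only.
SAMPLE_PLAN = {
    "file-servers": "10.1.1.0/24, 2001:db8:10::/64",
    "legacy-samba": "10.1.1.25",
    "dc": "192.168.5.10, 192.168.5.0/33",  # /33 is not a valid IPv4 prefix
}
print("\n".join(check_policy_plan(SAMPLE_PLAN)))
```
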
Table 25-1 Traffic-Associated DCE/RPC Rules

Traffic                        Preprocessor Rule GID:SID
SMB                            133:2 through 133:26, and 133:48 through 133:57
Connection-Oriented DCE/RPC    133:27 through 133:39
Detect Connectionless DCE/RPC  133:40 through 133:43