Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32  Understanding and Writing Intrusion Rules
  Understanding Keywords and Arguments in Rules
Inspecting Application Layer Protocol Values
License: Protection
Although preprocessors perform most of the normalization and inspection of application layer protocol values, you can continue to inspect application layer values using the keywords described in the following sections.
RPC
License: Protection
The rpc keyword identifies Open Network Computing Remote Procedure Call (ONC RPC) services in TCP or UDP packets. This allows you to detect attempts to identify the RPC programs on a host. Intruders can use an RPC portmapper to determine if any of the RPC services running on your network can be exploited. They can also attempt to access other ports running RPC without using portmapper. Table 32-35 lists the arguments that the rpc keyword accepts.
To specify the arguments for the rpc keyword, use the following syntax:
application,procedure,version
where application is the RPC application number, procedure is the RPC procedure number, and version is the RPC version number. You must specify all three arguments for the rpc keyword; if you cannot specify one of them, replace it with an asterisk (*).
For example, to search for RPC portmapper (which is the RPC application indicated by the number 100000), with any procedure or version, use 100000,*,* as the arguments.
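The matching logic the rpc keyword describes, shown as an added example that is not FireSIGHT or Snort code: it parses an argument string such as 100000,*,* and checks it against the program, version and procedure fields of an ONC RPC CALL header (RFC 5531). The sample packets, the helper names and the AUTH_NULL credentials are constructed for the example.

```python
# Added example (not Cisco/FireSIGHT code): emulate how an rpc keyword
# argument string such as "100000,*,*" is matched against the program,
# version and procedure fields of an ONC RPC CALL message (RFC 5531).
import struct

RPC_CALL = 0  # msg_type value for a CALL message

def parse_rpc_args(args: str):
    """Parse 'application,procedure,version'; '*' becomes None (wildcard).
    All three arguments are mandatory, as the keyword requires."""
    parts = [p.strip() for p in args.split(",")]
    if len(parts) != 3:
        raise ValueError("rpc keyword needs application,procedure,version")
    return tuple(None if p == "*" else int(p) for p in parts)

def parse_rpc_call(payload: bytes):
    """Return (program, version, procedure) from a UDP ONC RPC CALL header,
    or None if the payload is not a well-formed RPC version 2 CALL."""
    if len(payload) < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if msg_type != RPC_CALL or rpcvers != 2:
        return None
    return prog, vers, proc

def rpc_keyword_matches(args: str, payload: bytes) -> bool:
    """True when the payload is an RPC CALL whose fields satisfy the arguments.
    Note the keyword order (application,procedure,version) differs from the
    wire order (program, version, procedure)."""
    parsed = parse_rpc_call(payload)
    if parsed is None:
        return False
    prog, vers, proc = parsed
    want_app, want_proc, want_vers = parse_rpc_args(args)
    return all(want is None or want == have
               for want, have in ((want_app, prog), (want_proc, proc), (want_vers, vers)))

def build_rpc_call(xid: int, prog: int, vers: int, proc: int) -> bytes:
    """Constructed sample: minimal CALL header with AUTH_NULL credential and verifier."""
    header = struct.pack("!6I", xid, RPC_CALL, 2, prog, vers, proc)
    auth_null = struct.pack("!II", 0, 0)  # flavor AUTH_NULL, body length 0
    return header + auth_null + auth_null

# Constructed sample packets: a portmapper DUMP call (program 100000, version 2,
# procedure 4) and an NFS NULL call (program 100003, version 3, procedure 0).
PORTMAP_DUMP = build_rpc_call(0x1234, 100000, 2, 4)
NFS_NULL = build_rpc_call(0x5678, 100003, 3, 0)

if __name__ == "__main__":
    print(rpc_keyword_matches("100000,*,*", PORTMAP_DUMP))  # True
    print(rpc_keyword_matches("100000,*,*", NFS_NULL))      # False
```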
ASN.1
License: Protection
The asn1 keyword allows you to decode a packet or a portion of a packet, looking for various malicious encodings.
Table 32-35    rpc Keyword Arguments

Argument       Description
application    The RPC application number
procedure      The RPC procedure invoked
version        The RPC version