Cisco Firepower Management Center 4000
32-56
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Note in the table that you should always precede dce_opnum with dce_iface, and you should always precede dce_stub_data with dce_iface + dce_opnum.
You can also use these DCE/RPC keywords in combination with other rule keywords. Note that for DCE/RPC rules, you use the byte_jump, byte_test, and byte_extract keywords with their DCE/RPC arguments selected. For more information, see
Cisco recommends that you include at least one content keyword in rules that include DCE/RPC keywords to ensure that the rules engine uses the fast pattern matcher, which increases processing speed and improves performance. Note that the rules engine uses the fast pattern matcher when a rule includes at least one content keyword, regardless of whether you enable the content keyword Use Fast Pattern Matcher argument. See and for more information.
You can use the DCE/RPC version and adjoining header information as the matching content in the following cases:
• the rule does not include another content keyword
• the rule contains another content keyword, but the DCE/RPC version and adjoining information represent a more unique pattern than the other content
For example, the DCE/RPC version and adjoining information are more likely to be unique than a single byte of content.
You should end qualifying rules with one of the following version and adjoining information content matches:
• For connection-oriented DCE/RPC rules, use the content |05 00 00| (for major version 05, minor version 00, and the request PDU (protocol data unit) type 00).
• For connectionless DCE/RPC rules, use the content |04 00| (for version 04, and the request PDU type 00).
In either case, position the content keyword for version and adjoining information as the last keyword in the rule to invoke the fast pattern matcher without repeating processing already completed by the DCE/RPC preprocessor. Note that placing the content keyword at the end of the rule applies to version content used as a device to invoke the fast pattern matcher, and not necessarily to other content matches in the rule.
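The ordering and fast-pattern conventions above are easy to get wrong by hand, so the following added example (written for this page, not code from the FireSIGHT guide or from Cisco) is a small linter that parses a Snort-style rule body and reports violations: dce_opnum without a preceding dce_iface, dce_stub_data without preceding dce_iface and dce_opnum, a DCE/RPC rule with no content keyword, and a version content (|05 00 00| or |04 00|) that is not the last detection keyword. It treats msg, sid, rev, gid, classtype, reference, priority and metadata as non-detection options that may follow the version content; that set, the sample rules and the interface UUID in them are constructed for this example.

```python
"""Linter for the DCE/RPC keyword conventions described in the guide.

Added example, not part of the FireSIGHT documentation. Sample rules and the
interface UUID are constructed for illustration (assumption, not real rules).
"""

# Options that carry no detection logic; a version content that sits only
# before these still counts as the last detection keyword (assumed set).
NON_DETECTION = {"msg", "sid", "rev", "gid", "classtype", "reference",
                 "priority", "metadata"}
VERSION_CONTENTS = {"|05 00 00|", "|04 00|"}   # CO and CL request-PDU markers
DCE_KEYWORDS = {"dce_iface", "dce_opnum", "dce_stub_data"}

# Constructed sample rules (placeholder UUID, not a real interface).
_IFACE = "12345678-1234-abcd-ef00-0123456789ab"
SAMPLE_RULES = {
    "ok": f'alert tcp any any -> any 445 (msg:"co request"; dce_iface:{_IFACE}; '
          f'dce_opnum:0-11; dce_stub_data; content:"|05 00 00|"; sid:1000001; rev:1;)',
    "opnum_first": f'alert tcp any any -> any 445 (msg:"opnum first"; dce_opnum:5; '
                   f'dce_iface:{_IFACE}; content:"|05 00 00|"; sid:1000002; rev:1;)',
    "no_content": f'alert udp any any -> any 135 (msg:"no content"; dce_iface:{_IFACE}; '
                  f'dce_opnum:3; sid:1000003; rev:1;)',
    "version_not_last": f'alert udp any any -> any 135 (msg:"version early"; '
                        f'dce_iface:{_IFACE}; content:"|04 00|"; dce_opnum:1; '
                        f'dce_stub_data; sid:1000004; rev:1;)',
}


def parse_options(rule):
    """Return the rule body as an ordered list of (keyword, value) pairs.

    Options are separated by ';' outside double quotes. A keyword with no ':'
    (for example dce_stub_data) gets the value None."""
    start, end = rule.index("("), rule.rindex(")")
    body = rule[start + 1:end]
    raw, current, in_quote = [], [], False
    for i, ch in enumerate(body):
        if ch == '"' and (i == 0 or body[i - 1] != "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            raw.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        raw.append("".join(current).strip())
    parsed = []
    for opt in raw:
        if not opt:
            continue
        name, sep, value = opt.partition(":")
        parsed.append((name.strip(), value.strip() if sep else None))
    return parsed


def lint_rule(rule):
    """Return a list of findings; an empty list means the rule follows the conventions."""
    opts = parse_options(rule)
    names = [n for n, _ in opts]
    findings = []
    if not DCE_KEYWORDS & set(names):
        return findings                      # not a DCE/RPC rule, nothing to check
    seen = set()
    for name, _ in opts:                     # ordering checks walk the rule left to right
        if name == "dce_opnum" and "dce_iface" not in seen:
            findings.append("dce_opnum is not preceded by dce_iface")
        if name == "dce_stub_data" and not {"dce_iface", "dce_opnum"} <= seen:
            findings.append("dce_stub_data is not preceded by dce_iface and dce_opnum")
        seen.add(name)
    if "content" not in names:
        findings.append("no content keyword: fast pattern matcher will not be used")
    detection = [(n, v) for n, v in opts if n not in NON_DETECTION]
    for idx, (name, value) in enumerate(detection):
        if name == "content" and value and value.strip('"') in VERSION_CONTENTS:
            if idx != len(detection) - 1:
                findings.append(f"version content {value} is not the last detection keyword")
    return findings


if __name__ == "__main__":
    for label, rule in SAMPLE_RULES.items():
        print(label, lint_rule(rule) or "OK")
```

Run it as a script to see one line per sample rule; only the "ok" rule passes. Because the linter only looks at keyword order and presence, it cannot tell whether a content pattern is actually unique enough to be worth making the fast pattern, which remains the analyst's judgement.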
See the following sections for more information:
Table 32-37  DCE/RPC Keywords

Use this keyword...   In this way...                       To detect...
dce_iface             alone                                packets identifying a specific DCE/RPC service
dce_opnum             preceded by dce_iface                packets identifying specific DCE/RPC service operations
dce_stub_data         preceded by dce_iface + dce_opnum    stub data defining a specific operation request or response