FireSIGHT System User Guide, page 32-57
Chapter 32      Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
dce_iface
License: Protection

You can use the dce_iface keyword to identify a specific DCE/RPC service. Optionally, you can also use dce_iface in combination with the dce_opnum and dce_stub_data keywords to further limit the DCE/RPC traffic to inspect. See the descriptions of those keywords for more information.

Note that the DCE/RPC preprocessor must be enabled to allow processing of rules using the dce_iface keyword. When the DCE/RPC preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy.
A fixed, sixteen-byte Universally Unique Identifier (UUID) identifies the application interface assigned to each DCE/RPC service. For example, the UUID 4b324fc8-670-01d3-1278-5a47bf6ee188 identifies the DCE/RPC lanmanserver service, also known as the srvsvc service, which provides numerous management functions for sharing peer-to-peer printers, files, and SMB named pipes. The DCE/RPC preprocessor uses the UUID and associated header values to track DCE/RPC sessions.

The interface UUID consists of five hexadecimal strings separated by hyphens:

<4hexbytes>-<2hexbytes>-<2hexbytes>-<2hexbytes>-<6hexbytes>

You specify the interface by entering the entire UUID including hyphens, as seen in the following UUID for the netlogon interface:

12345678-1234-abcd-ef00-01234567cffb
Note that you must specify the first three strings in the UUID in big endian byte order. Although published interface listings and protocol analyzers typically display UUIDs in the correct byte order, you might encounter a need to rearrange the UUID byte order before entering it. Consider the following messenger service UUID shown as it might sometimes be displayed in raw ASCII text with the first three strings in little endian byte order:

f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc

You would specify the same UUID for the dce_iface keyword by inserting hyphens and putting the first three strings in big endian byte order as follows:

5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
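The byte reordering described above is easy to get wrong by hand, and a dce_iface argument with a swapped or short group silently never matches. The following Python script is an added example, not Cisco's code or part of the FireSIGHT product; it takes the messenger-service byte dump quoted above (embedded as a constructed string), reverses the 4-, 2- and 2-byte leading fields, leaves the trailing 8 bytes untouched, validates the result against the 8-4-4-4-12 layout, and cross-checks the swap against the standard library's uuid.UUID(bytes_le=...). The function names (wire_bytes_to_dce_iface, dce_iface_to_wire_bytes, is_valid_dce_iface, check_with_stdlib) are this example's own.

```python
import re
import uuid

# Constructed sample: the page's messenger-service UUID as a raw byte dump,
# with the first three fields still in little-endian (wire) byte order.
RAW_MESSENGER = "f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc"

# dce_iface expects five hyphen-separated hex groups of 8-4-4-4-12 digits.
DCE_IFACE_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def is_valid_dce_iface(value: str) -> bool:
    """Reject UUIDs with missing hyphens, short groups or non-hex characters
    before they end up in a rule that can never match."""
    return DCE_IFACE_RE.match(value.lower()) is not None


def wire_bytes_to_dce_iface(raw: str) -> str:
    """Turn 16 raw UUID bytes (first three fields little endian) into the
    big-endian, hyphenated string the dce_iface keyword requires."""
    data = bytes.fromhex(raw.replace(" ", ""))
    if len(data) != 16:
        raise ValueError(f"a UUID is exactly 16 bytes, got {len(data)}")
    # The 4-byte, 2-byte and 2-byte leading fields are reversed; the
    # trailing 8 bytes are an opaque byte array and keep their order.
    groups = [
        data[0:4][::-1],
        data[4:6][::-1],
        data[6:8][::-1],
        data[8:10],
        data[10:16],
    ]
    return "-".join(g.hex() for g in groups)


def dce_iface_to_wire_bytes(iface: str) -> bytes:
    """Inverse: hyphenated big-endian UUID -> 16 wire bytes with little-endian
    leading fields, e.g. to compare against bytes seen in a packet capture."""
    if not is_valid_dce_iface(iface):
        raise ValueError(f"malformed dce_iface argument: {iface!r}")
    g = [bytes.fromhex(part) for part in iface.lower().split("-")]
    return g[0][::-1] + g[1][::-1] + g[2][::-1] + g[3] + g[4]


def check_with_stdlib(raw: str) -> str:
    """Cross-check: uuid.UUID(bytes_le=...) performs the same field swap."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(raw.replace(" ", ""))))


if __name__ == "__main__":
    converted = wire_bytes_to_dce_iface(RAW_MESSENGER)
    print("dce_iface value:", converted)  # 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    print("stdlib agrees:  ", converted == check_with_stdlib(RAW_MESSENGER))
    print("round trip:     ", dce_iface_to_wire_bytes(converted).hex(" "))
    print("valid argument: ", is_valid_dce_iface(converted))
```

The swap applies only when the dump you are reading came from a little-endian NDR encoding (the usual case for Windows hosts; the data representation byte in the DCE/RPC header records which encoding a given PDU uses). Run the validator over every dce_iface value before saving a rule: a dropped hex digit produces a syntactically plausible string that the preprocessor will never match.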
Although a DCE/RPC session can include requests to multiple interfaces, you should include only one dce_iface keyword in a rule. Create additional rules to detect additional interfaces.

DCE/RPC application interfaces also have interface version numbers. You can optionally specify an interface version with an operator indicating that the version equals, does not equal, is less than, or is greater than the specified value.
Both connection-oriented and connectionless DCE/RPC can be fragmented in addition to any TCP segmentation or IP fragmentation. Typically, it is not useful to associate any DCE/RPC fragment other than the first with the specified interface, and doing so may result in a large number of false positives. However, for flexibility you can optionally evaluate all fragments against the specified interface.

The following table summarizes the dce_iface keyword arguments.