Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 32-58
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
dce_opnum
License: Protection
You can use the dce_opnum keyword in conjunction with the DCE/RPC preprocessor to detect packets that identify one or more specific operations that a DCE/RPC service provides.
Note that the DCE/RPC preprocessor must be enabled to allow processing of rules using the dce_opnum keyword. When the DCE/RPC preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
Client function calls request specific service functions, which are referred to in DCE/RPC specifications as operations. An operation number (opnum) in the DCE/RPC request header identifies which operation of the bound interface the client is calling. An exploit typically targets one specific operation, so matching on the opnum narrows a rule to the vulnerable call rather than to every request on the interface.
For example, the UUID 12345678-1234-abcd-ef00-01234567cffb identifies the interface for the 
netlogon service, which provides several dozen different operations. One of these is operation 6, the 
NetrServerPasswordSet operation.
You should precede a dce_opnum keyword with a dce_iface keyword to identify the service for the operation, because an opnum is only meaningful relative to an interface. See  for more information.
You can specify a single decimal value 0 to 65535 for a specific operation, a range of operations 
separated by a hyphen, or a comma-separated list of operations and ranges in any order.
Any of the following examples would specify valid netlogon operation numbers:
15
15-18
15, 18-20
15, 20-22, 17
15, 18-20, 22, 24-26
dce_stub_data
License: Protection
You can use the dce_stub_data keyword in conjunction with the DCE/RPC preprocessor to specify that the rules engine should start inspection at the beginning of the stub data, regardless of any other rule options. Packet payload rule options that follow the dce_stub_data keyword (for example, content, byte_test, and byte_jump) are applied relative to the stub data buffer, so bytes in the DCE/RPC header itself are not matched by those options.
Table 32-38  dce_iface Arguments

Argument: Interface UUID
Description: The UUID, including hyphens, that identifies the application interface of the specific service that you want to detect in DCE/RPC traffic. Any request associated with the specified interface would match the interface UUID.

Argument: Version
Description: Optionally, the application interface version number 0 to 65535 and an operator indicating whether to detect a version greater than (>), less than (<), equal to (=), or not equal to (!) the specified value.

Argument: All Fragments
Description: Optionally, enable to match against the interface in all associated DCE/RPC fragments and, if a version is specified, against the interface version as well. This argument is disabled by default, meaning that the keyword matches only if the first fragment or the entire unfragmented packet is associated with the specified interface. Note that enabling this argument may result in false positives.
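The following is an added worked example, written for this edit rather than taken from the guide or from the FireSIGHT/Snort DCE/RPC preprocessor, that models how the dce_iface, dce_opnum and dce_stub_data keywords combine against a connection-oriented DCE/RPC request. It parses the dce_opnum argument forms listed above (single value, hyphenated range, comma-separated mix), the dce_iface argument with an optional version operator, builds a constructed request PDU for the guide's netlogon example (opnum 6), and shows that a content match after dce_stub_data is evaluated against the stub data only. Assumptions beyond the page: the `<op><version>` and `any_frag` spellings of the dce_iface rule arguments follow Snort's rule syntax; the bind table mapping context id to interface is supplied by hand instead of parsed from a bind PDU; the stub bytes are made up and are not a real NetrServerPasswordSet encoding; only single, unauthenticated fragments are handled.

```python
import struct
import uuid

# Values taken from the guide's netlogon example.
NETLOGON_IFACE = uuid.UUID("12345678-1234-abcd-ef00-01234567cffb")
NETR_SERVER_PASSWORD_SET = 6

# dce_iface version operators: > < = ! (see Table 32-38).
_OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
        "=": lambda a, b: a == b, "!": lambda a, b: a != b}


def parse_opnum_spec(spec):
    """Expand a dce_opnum argument ('15', '15-18', '15, 18-20, 22') into a set.

    Values are decimal 0..65535; ranges are inclusive and may be mixed with
    single values in any order.
    """
    ops = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError("bad dce_opnum element: %r" % part)
        ops.update(range(lo, hi + 1))
    return ops


def parse_iface_spec(spec):
    """Parse a dce_iface argument: '<uuid>[, <op><version>][, any_frag]'.

    The argument syntax is assumed from Snort's rule language. Returns
    (uuid, version_test, any_frag); version_test is None or a callable that
    is applied to the version the client bound to.
    """
    fields = [f.strip() for f in spec.split(",")]
    iface = uuid.UUID(fields[0])
    version_test, any_frag = None, False
    for f in fields[1:]:
        if f == "any_frag":
            any_frag = True
        elif f and f[0] in _OPS and 0 <= int(f[1:]) <= 65535:
            version_test = lambda v, op=_OPS[f[0]], ver=int(f[1:]): op(v, ver)
        else:
            raise ValueError("bad dce_iface element: %r" % f)
    return iface, version_test, any_frag


def build_co_request(opnum, stub, ctx_id=0, call_id=1):
    """Build a little-endian connection-oriented DCE/RPC request PDU (C706 12.6.4.9)."""
    hdr = struct.pack("<BBBB", 5, 0, 0, 0x03)      # ver 5.0, type 0 = request, first|last frag
    hdr += b"\x10\x00\x00\x00"                     # drep: little-endian integers, ASCII chars
    hdr += struct.pack("<HHIIHH", 24 + len(stub), 0, call_id, len(stub), ctx_id, opnum)
    return hdr + stub                              # frag_len, auth_len, call_id, alloc_hint, ctx, opnum


def parse_co_request(pdu):
    """Return (ctx_id, opnum, stub_data) from a single unauthenticated CO request PDU.

    The real preprocessor also reassembles fragments and strips auth trailers;
    this example only covers the header layout needed to locate opnum and stub.
    """
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != 0:
        raise ValueError("not a DCE/RPC v5 connection-oriented request")
    endian = "<" if pdu[4] & 0x10 else ">"          # drep byte 0, bit 4: integer byte order
    frag_len, auth_len, _call, _hint, ctx_id, opnum = struct.unpack(endian + "HHIIHH", pdu[8:24])
    if auth_len:
        raise ValueError("authenticated PDUs are not handled in this example")
    stub_off = 40 if pdu[3] & 0x80 else 24          # PFC_OBJECT_UUID inserts a 16-byte object UUID
    return ctx_id, opnum, pdu[stub_off:frag_len]


def rule_matches(pdu, bindings, iface_spec, opnum_spec, stub_content):
    """Evaluate 'dce_iface:<spec>; dce_opnum:<spec>; dce_stub_data; content:<bytes>;'.

    bindings maps presentation context id -> (interface UUID, version), which
    the preprocessor would have learned from the earlier bind/bind_ack.
    """
    ctx_id, opnum, stub = parse_co_request(pdu)
    iface, version_test, _any_frag = parse_iface_spec(iface_spec)
    bound = bindings.get(ctx_id)
    if bound is None or bound[0] != iface:
        return False                                  # dce_iface: request is for another interface
    if version_test is not None and not version_test(bound[1]):
        return False                                  # dce_iface version operator failed
    if opnum not in parse_opnum_spec(opnum_spec):
        return False                                  # dce_opnum: a different operation
    return stub_content in stub                       # dce_stub_data: header bytes are never searched


# Constructed sample: context 0 bound to netlogon v1, then a request for opnum 6.
SAMPLE_BINDINGS = {0: (NETLOGON_IFACE, 1)}
SAMPLE_STUB = b"\x00\x00\x02\x00" + b"A" * 32       # made-up stub bytes, not a real NetrServerPasswordSet
SAMPLE_PDU = build_co_request(NETR_SERVER_PASSWORD_SET, SAMPLE_STUB)

if __name__ == "__main__":
    print(rule_matches(SAMPLE_PDU, SAMPLE_BINDINGS,
                       "12345678-1234-abcd-ef00-01234567cffb, >0", "6", b"A" * 8))
```

The last check is the point of dce_stub_data: the bytes 05 00 00 that open every request header are present in the packet, but a content option placed after dce_stub_data does not see them, so a rule written that way cannot fire on header bytes by accident.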