25-3
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
See the following sections for more information:
Selecting Global DCE/RPC Options
License: Protection
Global DCE/RPC preprocessor options control how the preprocessor functions. Except for the Memory Cap Reached option, modifying these options could have a negative impact on performance or detection capability. You should not modify them unless you have a thorough understanding of the preprocessor and the interaction between the preprocessor and enabled DCE/RPC rules. In particular, make sure that the Maximum Fragment Size option and Reassembly Threshold option are greater than or equal to the depth to which the rules need to detect. For more information, see  and .
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Maximum Fragment Size
When Enable Defragmentation is selected, specifies the maximum DCE/RPC fragment length allowed, from 1514 to 65535 bytes. The preprocessor truncates larger fragments for processing purposes to the specified size before defragmenting but does not alter the actual packet. A blank field disables this option.
Reassembly Threshold
When Enable Defragmentation is selected, 0 disables this option, or 1 to 65535 bytes specifies a minimum number of fragmented DCE/RPC bytes and, if applicable, segmented SMB bytes to queue before sending a reassembled packet to the rules engine. A low value increases the likelihood of early detection but could have a negative impact on performance. You should test for performance impact if you enable this option.
Enable Defragmentation
Specifies whether to defragment fragmented DCE/RPC traffic. When disabled, the preprocessor still detects anomalies and sends DCE/RPC data to the rules engine, but at the risk of missing exploits in fragmented DCE/RPC data.
Although this option provides the flexibility of not defragmenting DCE/RPC traffic, most DCE/RPC exploits attempt to take advantage of fragmentation to hide the exploit. Disabling this option would bypass most known exploits, resulting in a large number of false negatives.
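The three defragmentation options above, modelled as an added example that is not from the FireSIGHT documentation or from Cisco's or Snort's code: a minimal DCE/RPC connection-oriented request builder and parser, plus a defragment() function that truncates each fragment to the maximum fragment size and hands queued stub bytes to a stand-in rules engine once the reassembly threshold is reached, so you can see why a threshold below the depth a rule needs causes a miss. The PDU layout follows the DCE/RPC CO header; the sample request, fragment sizes and marker string are constructed assumptions, and the sample fragments are deliberately far smaller than the option's real 1514-byte minimum.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02

def build_request(stub, flags, call_id=1, opnum=0):
    """DCE/RPC connection-oriented request PDU: 16-byte common header, then
    alloc_hint, p_cont_id, opnum, then stub data. drep 0x10 = little-endian ints."""
    frag_len = 24 + len(stub)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 0, flags, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), 0, opnum) + stub

def fragment_request(stub, frag_size):
    """Split one request's stub data across PDUs, setting the first/last flags."""
    pieces = [stub[i:i + frag_size] for i in range(0, len(stub), frag_size)]
    pdus = []
    for i, piece in enumerate(pieces):
        flags = (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == len(pieces) - 1 else 0)
        pdus.append(build_request(piece, flags))
    return pdus

def parse_request(pdu):
    """Return (pfc_flags, stub bytes) of a request PDU; honours the drep byte order."""
    vers, _minor, ptype, flags, drep = struct.unpack("<BBBB4s", pdu[:8])
    if vers != 5 or ptype != 0:
        raise ValueError("not a DCE/RPC v5 request PDU")
    frag_len = struct.unpack(("<" if drep[0] & 0x10 else ">") + "H", pdu[8:10])[0]
    return flags, pdu[24:frag_len]

def defragment(pdus, max_fragment_size=65535, reassembly_threshold=0):
    """Model of the two global options: each fragment is truncated to
    max_fragment_size before reassembly, and queued stub bytes go to the rules
    engine as one buffer when they reach reassembly_threshold (0 = last frag only)."""
    buffers, queue = [], b""
    for pdu in pdus:
        flags, stub = parse_request(pdu[:max_fragment_size])
        queue += stub
        if (reassembly_threshold and len(queue) >= reassembly_threshold) or flags & PFC_LAST_FRAG:
            buffers.append(queue)
            queue = b""
    return buffers

def rule_matches(buffers, pattern):
    """Stand-in for a content rule: does any buffer handed to the rules engine hold pattern?"""
    return any(pattern in buf for buf in buffers)

# Constructed sample: a marker straddling the 300-byte boundary of 100-byte fragments
# (real fragments are larger; 1514 bytes is the option's minimum).
MARKER = b"EXPLOIT-MARKER"
STUB = b"A" * 295 + MARKER + b"B" * 200
PDUS = fragment_request(STUB, 100)
```

Inspecting the six PDUs individually (defragmentation off) never sees the whole marker; full reassembly or a threshold of at least 400 does, while a threshold of 300 splits the marker across two reassembled buffers and misses it.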
Memory Cap Reached
Detects when the maximum memory limit allocated to the preprocessor is reached or exceeded. When the maximum memory cap is reached or exceeded, the preprocessor frees all pending data associated with the session that caused the memory cap event and ignores the rest of that session.
You can enable rule 133:1 to generate events for this option. See  for more information.