Cisco FirePOWER Appliance 8390
32-53
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Inspecting Application Layer Protocol Values
License: Protection
Although preprocessors perform most of the normalization and inspection of application layer protocol
values, you can continue to inspect application layer values using the keywords described in the
following sections:
RPC
License: Protection
The rpc keyword identifies Open Network Computing Remote Procedure Call (ONC RPC) services in
TCP or UDP packets. This allows you to detect attempts to identify the RPC programs on a host.
Intruders can use an RPC portmapper to determine if any of the RPC services running on your network
can be exploited. They can also attempt to access other ports running RPC without using portmapper.
Table 32-35 lists the arguments that the rpc keyword accepts.
To specify the arguments for the rpc keyword, use the following syntax:
    application,procedure,version
where application is the RPC application number, procedure is the RPC procedure number, and
version is the RPC version number. You must specify all arguments for the rpc keyword; if you are
not able to specify one of the arguments, replace it with an asterisk (*).
For example, to search for RPC portmapper (which is the RPC application indicated by the number
100000), with any procedure or version, use 100000,*,* as the arguments.
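The following added example (not from the Cisco guide or the product's code) shows what an argument string such as 100000,*,* is compared against: it reads the program, version and procedure fields from an ONC RPC call header (RFC 5531 layout, UDP or TCP) and applies the application,procedure,version order given on this page. The function names and the sample packets are constructed for illustration.

```python
import struct

RPC_CALL = 0      # msg_type value for a call message (RFC 5531)
RPC_VERSION = 2   # ONC RPC protocol version carried in every call


def parse_rpc_args(spec):
    """Parse 'application,procedure,version'; '*' becomes None (wildcard)."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != 3:
        raise ValueError("all three arguments are required; use * for unknown")
    return tuple(None if p == "*" else int(p) for p in parts)


def parse_rpc_call(payload, tcp=False):
    """Return (program, version, procedure) from an RPC call, else None."""
    if tcp:
        payload = payload[4:]  # skip the 4-byte record-marking header used on TCP
    if len(payload) < 24:
        return None
    # Wire order is xid, msg_type, rpcvers, program, version, procedure.
    _xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        return None  # replies and non-RPC traffic never match
    return prog, vers, proc


def rpc_match(spec, payload, tcp=False):
    """True when the payload is an RPC call matching the argument string."""
    call = parse_rpc_call(payload, tcp)
    if call is None:
        return False
    prog, vers, proc = call
    # Argument order follows this page: application, procedure, version.
    want_app, want_proc, want_vers = parse_rpc_args(spec)
    pairs = ((want_app, prog), (want_proc, proc), (want_vers, vers))
    return all(want is None or want == got for want, got in pairs)


# Constructed sample: portmapper call (program 100000, version 2, procedure 3)
# followed by empty AUTH_NONE credential and verifier fields.
SAMPLE_UDP = struct.pack(">6I", 0x1234, 0, 2, 100000, 2, 3) + struct.pack(">4I", 0, 0, 0, 0)
SAMPLE_TCP = struct.pack(">I", 0x80000000 | len(SAMPLE_UDP)) + SAMPLE_UDP

if __name__ == "__main__":
    for spec in ("100000,*,*", "100000,3,2", "100003,*,*"):
        print(spec, rpc_match(spec, SAMPLE_UDP), rpc_match(spec, SAMPLE_TCP, tcp=True))
```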
ASN.1
License: Protection
The asn1 keyword allows you to decode a packet or a portion of a packet, looking for various malicious
encodings.
Table 32-35 rpc Keyword Arguments

Argument      Description
application   The RPC application number
procedure     The RPC procedure invoked
version       The RPC version