Cisco FirePOWER Appliance 8130
25-4
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
Auto-Detect Policy on SMB Session
Detects the Windows or Samba version that is identified in SMB Session Setup AndX requests and responses. When the detected version is different from the Windows or Samba version configured for the Policy configuration option, the detected version overrides the configured version for that session only. See for more information.
For example, if you set Policy to Windows XP and the preprocessor detects Windows Vista, the preprocessor uses a Windows Vista policy for that session. Other settings remain in effect.
When the DCE/RPC transport is not SMB (that is, when the transport is TCP or UDP), the version cannot be detected and the policy cannot be automatically configured.
To enable this option, select one of the following from the drop-down list:
– Select Client to inspect server-to-client traffic for the policy type.
– Select Server to inspect client-to-server traffic for the policy type.
– Select Both to inspect server-to-client and client-to-server traffic for the policy type.
Understanding Target-Based DCE/RPC Server Policies
License: Protection
You can create one or more target-based server policies to configure the DCE/RPC preprocessor to inspect DCE/RPC traffic the same as a specified type of server would process it. Target-based policy configuration includes identifying the Windows or Samba version running on hosts you identify on your network, enabling transport protocols and specifying the ports carrying DCE/RPC traffic to those hosts, and setting other server-specific options.
Windows and Samba DCE/RPC implementations differ significantly. For example, all versions of Windows use the DCE/RPC context ID in the first fragment when defragmenting DCE/RPC traffic, and all versions of Samba use the context ID in the last fragment. As another example, Windows Vista uses the opnum (operation number) header field in the first fragment to identify a specific function call, and Samba and all other Windows versions use the opnum field in the last fragment.
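The following is an added illustration, not code from Cisco or the Snort DCE/RPC preprocessor, of why the target-based policy matters for defragmentation: the same three-fragment request yields a different context ID and opnum depending on whether the targeted host behaves like Windows, Windows Vista or Samba, so a detector that reads the wrong fragment inspects the wrong function call. The fragment layout, flag values and sample data are simplified and constructed for this example.

```python
# Added example (not Cisco/Snort code): how the target-based policy decides which
# fragment's context ID and opnum the preprocessor trusts when reassembling a
# fragmented DCE/RPC request. Fragment fields are simplified; sample data is constructed.
from dataclasses import dataclass

PFC_FIRST_FRAG = 0x01  # assumed flag bit marking the first fragment
PFC_LAST_FRAG = 0x02   # assumed flag bit marking the last fragment


@dataclass
class Fragment:
    flags: int        # PFC_FIRST_FRAG / PFC_LAST_FRAG bits
    context_id: int   # presentation context ID from the request header
    opnum: int        # operation number from the request header
    stub: bytes       # stub data carried by this fragment


# Which fragment each server implementation reads the field from, following the
# Windows / Windows Vista / Samba behaviour described in the text above.
POLICY_RULES = {
    "Windows XP":    {"context_id": "first", "opnum": "last"},
    "Windows Vista": {"context_id": "first", "opnum": "first"},
    "Samba":         {"context_id": "last",  "opnum": "last"},
}


def reassemble(frags, policy):
    """Return (context_id, opnum, stub) as the targeted server type would see them."""
    if not frags or not frags[0].flags & PFC_FIRST_FRAG or not frags[-1].flags & PFC_LAST_FRAG:
        raise ValueError("fragment sequence must start with FIRST_FRAG and end with LAST_FRAG")
    rule = POLICY_RULES[policy]
    pick = {"first": frags[0], "last": frags[-1]}
    return (pick[rule["context_id"]].context_id,
            pick[rule["opnum"]].opnum,
            b"".join(f.stub for f in frags))


# Constructed sample: header fields disagree between the first and last fragment.
SAMPLE = [
    Fragment(PFC_FIRST_FRAG, context_id=0, opnum=5, stub=b"AAAA"),
    Fragment(0,              context_id=0, opnum=5, stub=b"BBBB"),
    Fragment(PFC_LAST_FRAG,  context_id=1, opnum=9, stub=b"CCCC"),
]


def view_for_each_policy(frags=SAMPLE):
    """Map each policy to the (context_id, opnum) the preprocessor would inspect."""
    return {p: reassemble(frags, p)[:2] for p in POLICY_RULES}


if __name__ == "__main__":
    for policy, (ctx, op) in view_for_each_policy().items():
        print(f"{policy:14s} context_id={ctx} opnum={op}")
```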
There are also significant differences in Windows and Samba SMB implementations. For example, Windows recognizes the SMB OPEN and READ commands when working with named pipes, but Samba does not recognize these commands.
When you enable the DCE/RPC preprocessor, you automatically enable a default target-based policy. Optionally, you can add target-based policies that target other hosts running different Windows or Samba versions by selecting the correct version from the Policy drop-down list. The default target-based policy applies to any host not included in another target-based policy.
In each target-based policy, you can enable one or more transports and specify detection ports for each. You can also enable and specify auto-detection ports. See for more information.
You can also configure other target-based policy options. You can set the preprocessor to detect when there is an attempt to connect to one or more shared SMB resources that you identify. You can configure the preprocessor to detect files in SMB traffic, and to inspect a specified number of bytes in a detected file. You can also modify an advanced option that should be modified only by a user with SMB protocol expertise; this option lets you set the preprocessor to detect when a number of chained SMB AndX commands exceeds a specified maximum number.
In each target-based policy, you can:
• enable one or more transports and specify detection ports for each.