Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
dce_opnum

License: Protection
You can use the dce_opnum keyword in conjunction with the DCE/RPC preprocessor to detect packets that identify one or more specific operations that a DCE/RPC service provides.

Note that the DCE/RPC preprocessor must be enabled to allow processing of rules using the dce_opnum keyword. When the DCE/RPC preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
Client function calls request specific service functions, which are referred to in DCE/RPC specifications as operations. An operation number (opnum) identifies a specific operation in the DCE/RPC header. It is likely that an exploit would target a specific operation.
For example, the UUID 12345678-1234-abcd-ef00-01234567cffb identifies the interface for the netlogon service, which provides several dozen different operations. One of these is operation 6, the NetrServerPasswordSet operation.
You should precede a dce_opnum keyword with a dce_iface keyword to identify the service for the operation. See for more information.
You can specify a single decimal value 0 to 65535 for a specific operation, a range of operations separated by a hyphen, or a comma-separated list of operations and ranges in any order.
Any of the following examples would specify valid netlogon operation numbers:
15
15-18
15, 18-20
15, 20-22, 17
15, 18-20, 22, 24-26
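The following Python is an added example, not code from the FireSIGHT guide or from Cisco: it parses a dce_opnum argument in the syntax described above (single value, hyphenated range, or comma-separated list in any order, each value 0 to 65535), extracts the opnum from a connection-oriented DCE/RPC request PDU, and checks the one against the other. The PDU bytes are constructed here for illustration and carry opnum 6, the netlogon operation named in the text; the function and constant names are the example's own.

```python
import re
import struct

OPNUM_MAX = 65535


def parse_dce_opnum(arg):
    """Parse a dce_opnum argument into inclusive (low, high) ranges.

    Accepts a single value, a hyphenated range, or a comma-separated list of
    both in any order; raises ValueError on bad syntax or values > 65535.
    """
    ranges = []
    for item in arg.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"malformed dce_opnum item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if low > high or high > OPNUM_MAX:
            raise ValueError(f"bad dce_opnum range: {item!r}")
        ranges.append((low, high))
    return ranges


def opnum_matches(arg, opnum):
    """True if opnum falls inside any value or range listed in arg."""
    return any(low <= opnum <= high for low, high in parse_dce_opnum(arg))


def request_opnum(pdu):
    """Return the opnum of a connection-oriented DCE/RPC request PDU, or None.

    Common 16-byte header: version, minor, ptype, pfc_flags, drep[4],
    frag_len(2), auth_len(2), call_id(4). A request (ptype 0) then carries
    alloc_hint(4), context id(2), opnum(2); drep[0] bit 0x10 = little-endian.
    """
    if len(pdu) < 24 or pdu[2] != 0:
        return None
    fmt = "<H" if pdu[4] & 0x10 else ">H"
    return struct.unpack_from(fmt, pdu, 22)[0]


# Constructed sample (header only): little-endian request PDU with opnum 6,
# the netlogon NetrServerPasswordSet operation mentioned in the text.
SAMPLE_PDU = (
    bytes([5, 0, 0, 3, 0x10, 0, 0, 0])  # ver 5.0, request, first|last, drep LE
    + struct.pack("<HHI", 24, 0, 1)     # frag_len, auth_len, call_id
    + struct.pack("<IHH", 0, 0, 6)      # alloc_hint, context id, opnum
)

if __name__ == "__main__":
    opnum = request_opnum(SAMPLE_PDU)
    for arg in ("15", "15-18", "15, 18-20", "0-7, 15"):
        print(f"{arg!r:>12} matches opnum {opnum}: {opnum_matches(arg, opnum)}")
```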
dce_stub_data

License: Protection

You can use the dce_stub_data keyword in conjunction with the DCE/RPC preprocessor to specify that the rules engine should start inspection at the beginning of the stub data, regardless of any other rule options. Packet payload rule options that follow the dce_stub_data keyword are applied relative to the stub data buffer.
Table 32-38 dce_iface Arguments

Argument: Interface UUID
Description: The UUID, including hyphens, that identifies the application interface of the specific service that you want to detect in DCE/RPC traffic. Any request associated with the specified interface would match the interface UUID.

Argument: Version
Description: Optionally, the application interface version number 0 to 65535 and an operator indicating whether to detect a version greater than (>), less than (<), equal to (=), or not equal to (!) the specified value.

Argument: All Fragments
Description: Optionally, enable to match against the interface in all associated DCE/RPC fragments and, if specified, on the interface version. This argument is disabled by default, indicating that the keyword matches only if the first fragment or the entire unfragmented packet is associated with the specified interface. Note that enabling this argument may result in false positives.