Cisco FirePOWER Appliance 7020
25-8
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
The Microsoft IIS proxy server and the DCE/RPC server can be on the same host or on different hosts.
Separate proxy and server options provide for both cases. Note the following in the figure:
• The DCE/RPC server monitors port 593 for DCE/RPC client traffic, but the firewall blocks port 593.
Firewalls typically block port 593 by default.
• RPC over HTTP transports DCE/RPC over HTTP using well-known HTTP port 80, which firewalls
are likely to permit.
• Example 1 shows that you would select the RPC over HTTP proxy option to monitor traffic between the
DCE/RPC client and the Microsoft IIS RPC proxy server.
• Example 2 shows that you would select the RPC over HTTP server option when the Microsoft IIS RPC
proxy server and the DCE/RPC server are located on different hosts and the device monitors traffic
between the two servers.
• Traffic consists solely of connection-oriented DCE/RPC over TCP after RPC over HTTP
completes the proxied setup between the DCE/RPC client and server.
Selecting DCE/RPC Target-Based Policy Options
License: Protection
Each target-based policy allows you to specify the various options below. Note that, except for the
Memory Cap Reached and Auto-Detect Policy on SMB Session options, modifying these options could have a
negative impact on performance or detection capability. You should not modify them unless you have a
thorough understanding of the preprocessor and the interaction between the preprocessor and enabled
DCE/RPC rules.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Networks
The host IP addresses where you want to apply the DCE/RPC target-based server policy.
You can specify a single IP address or address block, or a comma-separated list of either or both.
You can specify up to 255 total profiles including the default policy. For information on specifying
IPv4 and IPv6 address blocks in the FireSIGHT System, see .
Note that the default setting in the default policy specifies all IP addresses on your monitored
network segment that are not covered by another target-based policy. Therefore, you cannot and do
not need to specify an IP address or CIDR block/prefix length for the default policy, and you cannot
leave this setting blank in another policy or use address notation to represent any (for example,
0.0.0.0/0 or ::/0).
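The constraints the guide places on the Networks setting (single address or block, or a comma-separated list of either or both; at most 255 profiles including the default policy; a non-default policy may not be blank and may not use "any" notation such as 0.0.0.0/0 or ::/0; the default policy uses the literal default setting) are easy to get wrong when policies are maintained outside the web interface. The following validator is an added example written for this page, not Cisco's code and not an API of the FireSIGHT System; the profile dictionary layout, the function names, and the sample configuration are assumptions. The overlap warning at the end goes beyond the guide, which does not say how overlapping target-based profiles are resolved, so it is reported as something to review rather than as an error.

```python
"""Validate DCE/RPC target-based policy "Networks" values (added example)."""
import ipaddress

MAX_PROFILES = 255  # total target-based profiles, including the default policy


def parse_networks(value: str, is_default_policy: bool = False) -> list:
    """Return ip_network objects for one Networks value.

    Raises ValueError when the value violates a constraint stated in the guide.
    """
    text = value.strip()
    if is_default_policy:
        # The default policy covers every monitored address not claimed by
        # another policy; it takes the literal "default", not an address.
        if text != "default":
            raise ValueError("default policy must use the literal 'default'")
        return []
    if not text:
        raise ValueError("Networks cannot be blank in a non-default policy")
    if text == "default":
        raise ValueError("'default' is only valid in the default policy")
    networks = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in comma-separated list")
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            raise ValueError(f"invalid address or block {item!r}") from exc
        # 0.0.0.0/0 and ::/0 mean "any", which a non-default policy may not use.
        if net.prefixlen == 0:
            raise ValueError(f"{item!r} represents any address; not allowed")
        networks.append(net)
    return networks


def validate_profiles(profiles: dict) -> list:
    """Check a whole set of profiles; returns a list of problem strings.

    `profiles` maps profile name -> Networks string (assumed layout); the
    profile named "default" is the default policy. Problems are collected
    rather than raised so a review can report everything at once.
    """
    problems = []
    if len(profiles) > MAX_PROFILES:
        problems.append(f"{len(profiles)} profiles exceeds the limit of {MAX_PROFILES}")
    if "default" not in profiles:
        problems.append("missing default policy")
    seen = []  # (profile name, network) pairs already accepted
    for name, value in profiles.items():
        try:
            nets = parse_networks(value, is_default_policy=(name == "default"))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        for net in nets:
            # Added check, not from the guide: flag blocks that overlap a
            # block in another profile so a reviewer can decide which applies.
            for other_name, other_net in seen:
                if other_name != name and net.version == other_net.version \
                        and net.overlaps(other_net):
                    problems.append(f"{name}: {net} overlaps {other_net} in {other_name} (review)")
            seen.append((name, net))
    return problems


# Constructed sample configuration; the names and addresses are invented.
SAMPLE_PROFILES = {
    "default": "default",
    "windows-servers": "10.0.1.0/24, 10.0.2.17",
    "samba-hosts": "2001:db8:10::/64",
    "bad-any": "0.0.0.0/0",
    "bad-blank": "",
}

if __name__ == "__main__":
    for problem in validate_profiles(SAMPLE_PROFILES):
        print(problem)
```

Running the module prints one line for bad-any and one for bad-blank and nothing for the well-formed profiles; a single address such as 10.0.2.17 is normalised to a /32 block, which is how the preprocessor treats it.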
Policy
The Windows or Samba DCE/RPC implementation used by the targeted host or hosts on your
monitored network segment. See for detailed information on these policies.
Note that you can enable the Auto-Detect Policy on SMB Session global option to automatically override
the setting for this option on a per session basis when SMB is the DCE/RPC transport. See .