Cisco FirePOWER Appliance 7020
25-6
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Decoding DCE/RPC Traffic
Note that you must enable at least one DCE/RPC transport in the default target-based policy except when
you have added a DCE/RPC target-based policy that has at least one transport enabled. For example, you
might want to specify the hosts for all DCE/RPC implementations and not have the default target-based
policy apply to unspecified hosts, in which case you would not enable a transport for the default
target-based policy.
See the following sections for more information:
Understanding Connectionless and Connection-Oriented DCE/RPC Traffic
License: Protection
DCE/RPC messages comply with one of two distinct DCE/RPC Protocol Data Unit (PDU) protocols:
• the connection-oriented DCE/RPC PDU protocol
The DCE/RPC preprocessor detects connection-oriented DCE/RPC in the TCP, SMB, and RPC over
HTTP transports.
• the connectionless DCE/RPC PDU protocol
The DCE/RPC preprocessor detects connectionless DCE/RPC in the UDP transport.
The two DCE/RPC PDU protocols have their own unique headers and data characteristics. For example,
the connection-oriented DCE/RPC header length is typically 24 bytes and the connectionless DCE/RPC
header length is fixed at 80 bytes. Also, correct fragment order of fragmented connectionless DCE/RPC
cannot be handled by a connectionless transport and, instead, must be ensured by connectionless
DCE/RPC header values; in contrast, the transport protocol ensures correct fragment order for
connection-oriented DCE/RPC. The DCE/RPC preprocessor uses these and other protocol-specific
characteristics to monitor both protocols for anomalies and other evasion techniques, and to decode and
defragment traffic before passing it to the rules engine.
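To make the fragment-ordering point concrete, the following is an added Python example, not Cisco's code and not the preprocessor's implementation: it decodes the fixed 80-byte connectionless header and defragments PDUs by the header's fragnum and last-fragment flag rather than by arrival order. The field layout and flags1 bits follow the DCE 1.1 RPC specification; the sample PDUs are constructed, and `build_cl_pdu` is a helper written for this example.

```python
import struct
from collections import defaultdict

CL_HDR_LEN = 80                          # connectionless header is fixed at 80 bytes
CL_PF_LASTFRAG, CL_PF_FRAG = 0x02, 0x04  # flags1 bits defined by the DCE 1.1 RPC spec
# Connectionless header layout (DCE 1.1 RPC): 4 single bytes, drep[3], serial_hi, 3 UUIDs, counters
_CL_FMT = "BBBB3sB16s16s16sIIIHHHHHBB"
_CL_FIELDS = ("vers", "ptype", "flags1", "flags2", "drep", "serial_hi", "object", "if_id", "act_id",
              "server_boot", "if_vers", "seqnum", "opnum", "ihint", "ahint", "len", "fragnum",
              "auth_proto", "serial_lo")

def parse_cl_header(pdu):
    """Decode one connectionless PDU into a field dict; None if the PDU is malformed."""
    if len(pdu) < CL_HDR_LEN or pdu[0] != 4:          # rpc_vers is 4 for connectionless
        return None
    endian = "<" if pdu[4] & 0x10 else ">"            # drep[0] high nibble: 1 = little-endian
    hdr = dict(zip(_CL_FIELDS, struct.unpack_from(endian + _CL_FMT, pdu, 0)))
    if hdr["len"] != len(pdu) - CL_HDR_LEN:           # body length must match the header
        return None
    hdr["body"] = pdu[CL_HDR_LEN:]
    return hdr

def reassemble_cl(pdus):
    """Defragment by header fragnum, not arrival order: UDP gives no ordering guarantee.
    Returns ({(act_id, seqnum): body}, [anomalies worth alerting on])."""
    frags, anomalies = defaultdict(dict), []
    for i, pdu in enumerate(pdus):
        h = parse_cl_header(pdu)
        if h is None:
            anomalies.append((i, "malformed header or length mismatch"))
            continue
        key = (h["act_id"], h["seqnum"])
        if h["fragnum"] in frags[key]:               # duplicated or replayed fragment
            anomalies.append((i, "duplicate fragnum %d" % h["fragnum"]))
            continue
        frags[key][h["fragnum"]] = (h["body"], bool(h["flags1"] & CL_PF_LASTFRAG))
    complete = {}
    for key, parts in frags.items():
        last = [n for n, (_, is_last) in parts.items() if is_last]
        if not last or sorted(parts) != list(range(last[0] + 1)):
            anomalies.append((key, "missing fragments"))
            continue
        complete[key] = b"".join(parts[n][0] for n in range(last[0] + 1))
    return complete, anomalies

def build_cl_pdu(seqnum, fragnum, body, last, act_id=b"\x11" * 16):
    """Constructed sample fragment (not captured traffic): CL request, little-endian drep."""
    flags1 = CL_PF_FRAG | (CL_PF_LASTFRAG if last else 0)
    hdr = struct.pack("<" + _CL_FMT, 4, 0, flags1, 0, b"\x10\x00\x00", 0, b"\x00" * 16, b"\x22" * 16,
                      act_id, 0, 1, seqnum, 7, 0xFFFF, 0xFFFF, len(body), fragnum, 0, 0)
    return hdr + body
```

Feeding fragments 2, 0, 1 of one sequence plus a duplicate and a truncated PDU yields the body reassembled in fragnum order and two anomaly records, which is the behaviour a defragmenter needs before the rules engine sees the data.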
The following diagram illustrates the point at which the DCE/RPC preprocessor begins processing
DCE/RPC traffic for the different transports.
Note the following in the figure: