Next: Events Up: DCE/RPC 2 Preprocessor Previous: Target Based   Contents

Configuration

The dcerpc2 preprocessor has a global configuration and one or more server configurations. The global preprocessor configuration name is dcerpc2 and the server preprocessor configuration name is dcerpc2_server.

Global Configuration

    preprocessor dcerpc2

The global dcerpc2 configuration is required. Only one global dcerpc2 configuration can be specified.

Option syntax

    Option                   Argument          Required   Default
    memcap                   <memcap>          NO         memcap 102400
    disable_defrag           NONE              NO         OFF
    max_frag_len             <max-frag-len>    NO         OFF
    events                   <events>          NO         OFF
    reassemble_threshold     <re-thresh>       NO         OFF
    disabled                 NONE              NO         OFF
    smb_fingerprint_policy   <fp-policy>       NO         OFF

    memcap           = 1024-4194303 (kilobytes)
    max-frag-len     = 1514-65535
    events           = pseudo-event | event | '[' event-list ']'
    pseudo-event     = "none" | "all"
    event-list       = event | event ',' event-list
    event            = "memcap" | "smb" | "co" | "cl"
    re-thresh        = 0-65535
    fp-policy        = "server" | "client" | "both"

Option explanations

memcap
Specifies the maximum amount of run-time memory that can be allocated, in kilobytes. Run-time memory includes any memory allocated after configuration. Default is 102400 KB (100 MB).

disabled
Disables the preprocessor. By default this value is turned off. When the preprocessor is disabled, memcap is the only other option that is still applied if it appears in the configuration.

disable_defrag

Tells the preprocessor not to do DCE/RPC defragmentation. Default is to do defragmentation.

max_frag_len

Specifies the maximum fragment size that will be added to the defragmentation module. If a fragment is greater than this size, it is truncated before being added to the defragmentation module. Default is -1, meaning no truncation (the option is off). The allowed range for this option is 1514 - 65535.

events

Specifies the classes of events to enable. (See Events section for an enumeration and explanation of events.)

memcap

A single event: alert when the memcap is reached or exceeded.

smb

Alert on events related to SMB processing.

co

Stands for connection-oriented DCE/RPC. Alert on events related to connection-oriented DCE/RPC processing.

cl
Stands for connectionless DCE/RPC. Alert on events related to connectionless DCE/RPC processing.

reassemble_threshold
Specifies a minimum number of bytes in the DCE/RPC desegmentation and defragmentation buffers before creating a reassembly packet to send to the detection engine. This option is useful in inline mode so as to potentially catch an exploit early before full defragmentation is done. A value of 0 supplied as an argument to this option will, in effect, disable this option. Default is disabled.

smb_fingerprint_policy
In the initial phase of an SMB session, the client needs to authenticate with a SessionSetupAndX. Both the request and response to this command contain OS and version information that can allow the preprocessor to dynamically set the policy for a session, which allows for better protection against Windows and Samba specific evasions. The argument selects which side of the exchange is fingerprinted: client (the request), server (the response) or both.

Option examples

    memcap 30000
    max_frag_len 16840
    events none
    events all
    events smb
    events co
    events [co]
    events [smb, co]
    events [memcap, smb, co, cl]
    reassemble_threshold 500
    smb_fingerprint_policy both
    smb_fingerprint_policy client

Configuration examples

    preprocessor dcerpc2
    preprocessor dcerpc2: memcap 500000
    preprocessor dcerpc2: max_frag_len 16840, memcap 300000, events smb
    preprocessor dcerpc2: memcap 50000, events [memcap, smb, co, cl], max_frag_len 14440
    preprocessor dcerpc2: disable_defrag, events [memcap, smb]
    preprocessor dcerpc2: reassemble_threshold 500
    preprocessor dcerpc2: memcap 50000, events [memcap, smb, co, cl], max_frag_len 14440, smb_fingerprint_policy both

Default global configuration

    preprocessor dcerpc2: memcap 102400

Server Configuration

    preprocessor dcerpc2_server

The dcerpc2_server configuration is optional. A dcerpc2_server configuration must start with default or net options. The default and net options are mutually exclusive. At most one default configuration can be specified. If no default configuration is specified, default values will be used for the default configuration. Zero or more net configurations can be specified. For any dcerpc2_server configuration, if non-required options are not specified, the defaults will be used. When processing DCE/RPC traffic, the default configuration is used if no net configurations match. If a net configuration matches, it will override the default configuration. A net configuration matches if the packet's server IP address matches an IP address or net specified in the net configuration. The net option supports IPv6 addresses. Note that port and ip variables defined in snort.conf CANNOT be used.

Option syntax

    Option                           Argument      Required   Default
    default                          NONE          YES        NONE
    net                              <net>         YES        NONE
    policy                           <policy>      NO         policy WinXP
    detect                           <detect>      NO         detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593]
    autodetect                       <detect>      NO         autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:]
    no_autodetect_http_proxy_ports   NONE          NO         DISABLED (the preprocessor autodetects on all proxy ports by default)
    smb_invalid_shares               <shares>      NO         NONE
    smb_max_chain                    <max-chain>   NO         smb_max_chain 3

    net          = ip | '[' ip-list ']'
    ip-list      = ip | ip ',' ip-list
    ip           = ip-addr | ip-addr '/' prefix | ip4-addr '/' netmask
    ip-addr      = ip4-addr | ip6-addr
    ip4-addr     = a valid IPv4 address
    ip6-addr     = a valid IPv6 address (can be compressed)
    prefix       = a valid CIDR
    netmask      = a valid netmask
    policy       = "Win2000" | "Win2003" | "WinXP" | "WinVista" |
                   "Samba" | "Samba-3.0.22" | "Samba-3.0.20"
    detect       = "none" | detect-opt | '[' detect-list ']'
    detect-list  = detect-opt | detect-opt ',' detect-list
    detect-opt   = transport | transport port-item | 
                   transport '[' port-list ']'
    transport    = "smb" | "tcp" | "udp" | "rpc-over-http-proxy" | 
                   "rpc-over-http-server"
    port-list    = port-item | port-item ',' port-list
    port-item    = port | port-range
    port-range   = ':' port | port ':' | port ':' port
    port         = 0-65535
    shares       = share | '[' share-list ']'
    share-list   = share | share ',' share-list
    share        = word | '"' word '"' | '"' var-word '"'
    word         = graphical ASCII characters except ',' '"' ']' '[' '$'
    var-word     = graphical ASCII characters except ',' '"' ']' '['
    max-chain    = 0-255

Because the Snort main parser treats '$' as the start of a variable and tries to expand it, share names containing '$' (for example administrative shares such as C$ or ADMIN$) must be enclosed in quotes.

Option explanations

default

Specifies that this configuration is for the default server configuration.

net

Specifies that this configuration is an IP or net specific configuration. The configuration will only apply to the IP addresses and nets supplied as an argument.

policy

Specifies the target-based policy to use when processing. Default is "WinXP".

detect

Specifies, for each DCE/RPC transport, the server ports on which traffic is processed as that transport. Defaults are ports 139 and 445 for SMB, 135 for TCP and UDP, 593 for RPC over HTTP server and 80 for RPC over HTTP proxy. Note that the default detect list shown in the table above does not include an rpc-over-http-proxy entry, so list it explicitly if an RPC over HTTP proxy is in the monitored range.

autodetect

Specifies, for each DCE/RPC transport, the server ports on which the preprocessor should attempt to autodetect that transport. The autodetect ports are only queried if no detect transport/ports match the packet. The order in which the preprocessor will attempt to autodetect is: TCP/UDP, then RPC over HTTP server, then RPC over HTTP proxy and lastly SMB. Note that most dynamic DCE/RPC ports are above 1024 and ride directly over TCP or UDP. It would be very uncommon to see SMB on anything other than ports 139 and 445. Defaults are 1025-65535 for TCP, UDP and RPC over HTTP server.

no_autodetect_http_proxy_ports

By default, the preprocessor will always attempt to autodetect for ports specified in the detect configuration for rpc-over-http-proxy. This is because the proxy is likely a web server and the preprocessor should not look at all web traffic. This option is useful if the RPC over HTTP proxy configured with the detect option is only used to proxy DCE/RPC traffic. Default is to autodetect on RPC over HTTP proxy detect ports.

smb_invalid_shares

Specifies SMB shares that the preprocessor should alert on if an attempt is made to connect to them via a Tree Connect or Tree Connect AndX. Default is empty.

smb_max_chain

Specifies the maximum amount of AndX command chaining that is allowed before an alert is generated. Default maximum is 3 chained commands. A value of 0 disables this option. This value can be set from 0 to 255.
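The two rules that are easiest to get wrong when layering default and net blocks are which block applies to a packet (it is chosen on the server IP, and a matching net block replaces the default rather than merging with it) and when a port is "detect" versus "autodetect" (autodetect ports are only consulted when no detect port matched, and rpc-over-http-proxy detect ports are still autodetected unless no_autodetect_http_proxy_ports is set). The following Python model is an added example, not Snort's own code: it parses the net, detect and autodetect grammars from this section and applies those rules. The class and function names, the "first matching net wins" tie-break, and the probe_order helper are this example's own assumptions; the sample configurations are constructed from two of the dcerpc2_server examples below.

```python
"""Added example (not Snort's code): a model of dcerpc2_server selection and
port classification.  Names and the first-match tie-break are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field

# Ports the manual quotes for a transport listed without a port-item.
DETECT_DEFAULTS = {"smb": "[139,445]", "tcp": "135", "udp": "135",
                   "rpc-over-http-server": "593", "rpc-over-http-proxy": "80"}
AUTODETECT_DEFAULTS = {"tcp": "1025:", "udp": "1025:", "rpc-over-http-server": "1025:"}
# Autodetect probe order from the manual: TCP/UDP, RPC over HTTP server, proxy, SMB last.
TCP_PROBE_ORDER = ["tcp", "rpc-over-http-server", "rpc-over-http-proxy", "smb"]
_ITEM = re.compile(r"(rpc-over-http-server|rpc-over-http-proxy|smb|tcp|udp)\s*(\[[^\]]*\]|[\d:]+)?")

def parse_ports(spec):
    """port-list grammar ('135', '[139,445]', '1025:', ':1024') -> inclusive (lo, hi) ranges."""
    ranges = []
    for item in spec.strip("[]").split(","):
        lo, sep, hi = item.strip().partition(":")
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else (65535 if sep else lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port item %r" % item)
        ranges.append((lo, hi))
    return ranges

def parse_transports(spec, defaults):
    """detect/autodetect grammar -> {transport: ranges}; 'none' -> {}."""
    if spec.strip() == "none":
        return {}
    table = {}
    for transport, ports in _ITEM.findall(spec):
        if not ports:
            if transport not in defaults:
                raise ValueError("%s needs explicit ports" % transport)
            ports = defaults[transport]
        table[transport] = parse_ports(ports)
    return table

def parse_nets(spec):
    """net grammar: '10.4.10.0/24', '[192.168.0.0/255.255.255.0, feab:45b3::/32]'."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.strip("[]").split(",")]

@dataclass
class ServerConfig:
    nets: list = field(default_factory=list)  # empty list models the "default" block
    policy: str = "WinXP"
    detect: dict = field(default_factory=lambda: parse_transports(
        "[smb [139,445], tcp 135, udp 135, rpc-over-http-server 593]", DETECT_DEFAULTS))
    autodetect: dict = field(default_factory=lambda: parse_transports(
        "[tcp 1025:, udp 1025:, rpc-over-http-server 1025:]", AUTODETECT_DEFAULTS))
    no_autodetect_http_proxy_ports: bool = False

def select_config(default_cfg, net_cfgs, server_ip):
    """A net block is chosen on the *server* IP and replaces the default block
    outright; the default applies only when no net matches (assumed: first match wins)."""
    ip = ipaddress.ip_address(server_ip)
    for cfg in net_cfgs:
        if any(ip in net for net in cfg.nets):
            return cfg
    return default_cfg

def _hit(table, transport, port):
    return any(lo <= port <= hi for lo, hi in table.get(transport, ()))

def classify(cfg, transport, port):
    """'detect', 'autodetect' or None.  Autodetect ports are consulted only when no
    detect port matched; proxy detect ports are still autodetected unless opted out."""
    if _hit(cfg.detect, transport, port):
        if transport == "rpc-over-http-proxy" and not cfg.no_autodetect_http_proxy_ports:
            return "autodetect"
        return "detect"
    return "autodetect" if _hit(cfg.autodetect, transport, port) else None

def probe_order(cfg, l4, port):
    """Transports considered, in the manual's order, for a TCP or UDP packet to `port`."""
    candidates = TCP_PROBE_ORDER if l4 == "tcp" else ["udp"]  # UDP carries only CL DCE/RPC
    return [t for t in candidates if classify(cfg, t, port) is not None]

def example_configs():
    """Constructed equivalents of two dcerpc2_server examples from this section."""
    default_cfg = ServerConfig()
    net_cfgs = [
        ServerConfig(nets=parse_nets("[10.4.10.0/24, feab:45b3::/126]"), policy="WinVista",
                     detect=parse_transports("[smb, tcp, rpc-over-http-proxy 8081]", DETECT_DEFAULTS),
                     autodetect=parse_transports("[tcp, rpc-over-http-proxy [1025:6001,6005:]]",
                                                 AUTODETECT_DEFAULTS),
                     no_autodetect_http_proxy_ports=True),
        ServerConfig(nets=parse_nets("[10.4.11.56, 10.4.11.57]"), policy="Samba",
                     detect=parse_transports("smb", DETECT_DEFAULTS),
                     autodetect=parse_transports("none", AUTODETECT_DEFAULTS)),
    ]
    return default_cfg, net_cfgs

if __name__ == "__main__":
    default_cfg, net_cfgs = example_configs()
    for ip, port in [("10.4.10.7", 8081), ("10.4.11.56", 135), ("192.0.2.1", 2000)]:
        cfg = select_config(default_cfg, net_cfgs, ip)
        print(ip, port, cfg.policy, probe_order(cfg, "tcp", port))
```

Running it prints, for each constructed (server IP, port) pair, the policy of the block that was selected and the transports that would be tried. Two things worth noticing: a Samba host covered by a net block with `detect smb, autodetect none` gets no DCE/RPC inspection on TCP 135 at all, because the net block replaces rather than extends the default; and a broad `autodetect tcp` (1025 and up) still covers an explicitly listed proxy port such as 8081, so both the raw TCP and the RPC over HTTP proxy transports remain candidates for that port.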

Option examples

    net 192.168.0.10
    net 192.168.0.0/24
    net [192.168.0.0/24]
    net 192.168.0.0/255.255.255.0
    net feab:45b3:ab92:8ac4:d322:007f:e5aa:7845
    net feab:45b3:ab92:8ac4:d322:007f:e5aa:7845/128
    net feab:45b3::/32
    net [192.168.0.10, feab:45b3::/32]
    net [192.168.0.0/24, feab:45b3:ab92:8ac4:d322:007f:e5aa:7845]
    policy Win2000
    policy Samba-3.0.22
    detect none
    detect smb
    detect [smb]
    detect smb 445
    detect [smb 445]
    detect smb [139,445]
    detect [smb [139,445]]
    detect [smb, tcp]
    detect [smb 139, tcp [135,2103]]
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server [593,6002:6004]]
    autodetect none
    autodetect tcp
    autodetect [tcp]
    autodetect tcp 2025:
    autodetect [tcp 2025:]
    autodetect tcp [2025:3001,3003:]
    autodetect [tcp [2025:3001,3003:]]
    autodetect [tcp, udp]
    autodetect [tcp 2025:, udp 2025:]
    autodetect [tcp 2025:, udp, rpc-over-http-server [1025:6001,6005:]]
    smb_invalid_shares private
    smb_invalid_shares "private"
    smb_invalid_shares "C$"
    smb_invalid_shares [private, "C$"]
    smb_invalid_shares ["private", "C$"]
    smb_max_chain 1

Configuration examples

    preprocessor dcerpc2_server: \
        default

    preprocessor dcerpc2_server: \
        default, policy Win2000

    preprocessor dcerpc2_server: \
        default, policy Win2000, detect [smb, tcp], autodetect tcp 1025:, \
        smb_invalid_shares ["C$", "D$", "ADMIN$"]

    preprocessor dcerpc2_server: net 10.4.10.0/24, policy Win2000

    preprocessor dcerpc2_server: \
        net [10.4.10.0/24,feab:45b3::/126], policy WinVista, smb_max_chain 1

    preprocessor dcerpc2_server: \
        net [10.4.10.0/24,feab:45b3::/126], policy WinVista, \
        detect [smb, tcp, rpc-over-http-proxy 8081], \
        autodetect [tcp, rpc-over-http-proxy [1025:6001,6005:]], \
        smb_invalid_shares ["C$", "ADMIN$"], no_autodetect_http_proxy_ports

    preprocessor dcerpc2_server: \
        net [10.4.11.56,10.4.11.57], policy Samba, detect smb, autodetect none

Default server configuration

    preprocessor dcerpc2_server: default, policy WinXP, \
        detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
        autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], smb_max_chain 3

Complete dcerpc2 default configuration

    preprocessor dcerpc2: memcap 102400

    preprocessor dcerpc2_server: \
        default, policy WinXP, \
        detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
        autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], smb_max_chain 3


Eugene Misnik 2013-05-08