Snort - the de facto standard for intrusion detection/prevention
Next: Configuration Up: Preprocessors Previous: Examples/Default Configuration from snort.conf   Contents


DCE/RPC

The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic. It is primarily interested in DCE/RPC data, and only decodes SMB to get at the DCE/RPC data carried by the SMB layer.

Currently, the preprocessor only handles reassembly of fragmentation at both the SMB and DCE/RPC layers. Snort rules can be evaded by using either type of fragmentation; with the preprocessor enabled, the rules are given a buffer containing the reassembled SMB or DCE/RPC packet to examine.

At the SMB layer, only fragmentation using WriteAndX is currently reassembled. Other methods will be handled in future versions of the preprocessor.

Autodetection of SMB is done by looking for "\xFFSMB" at the start of the SMB data, as well as checking the NetBIOS header (which is always present for SMB) for the type "SMB Session".

Autodetection of DCE/RPC is not as reliable. Currently, two bytes of the packet are checked. Assuming that the data is a DCE/RPC header, one byte is checked for the DCE/RPC version (5) and another for the type "DCE/RPC Request". If both match, the preprocessor proceeds on the assumption that it is looking at DCE/RPC data. If subsequent checks are nonsensical, it ends processing.
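The two autodetection heuristics above, written out as an added Python example (this is not Snort's own code): SMB detection requires a NetBIOS session-service header of type "session message" (0x00) followed by the "\xFFSMB" marker, while DCE/RPC detection only checks the version byte (5) and the PDU type byte (0, request). The follow-up sanity check on the 16-byte connection-oriented header (frag_length must fit the data seen) is an assumption standing in for the manual's "subsequent checks"; the sample byte strings are constructed here, and the bogus one passes the two-byte test but is rejected afterwards, which is the unreliability the text refers to.

```python
import struct

NBSS_SESSION_MESSAGE = 0x00   # NetBIOS session service type "session message"
SMB_MAGIC = b"\xffSMB"        # marker the preprocessor looks for at the start of SMB data
DCERPC_MAJOR_VERSION = 5      # rpc_vers byte of a DCE/RPC header
DCERPC_PKT_REQUEST = 0        # ptype byte for a DCE/RPC request PDU
DCERPC_CO_HEADER_LEN = 16     # connection-oriented common header size


def looks_like_smb(data: bytes) -> bool:
    """SMB autodetection: NetBIOS header of type 'SMB Session' (0x00),
    then the 4-byte \\xFFSMB marker at the start of the SMB data."""
    if len(data) < 8:
        return False
    return data[0] == NBSS_SESSION_MESSAGE and data[4:8] == SMB_MAGIC


def looks_like_dcerpc(data: bytes) -> bool:
    """The two-byte DCE/RPC check: version == 5 and type == request."""
    return (len(data) >= 3
            and data[0] == DCERPC_MAJOR_VERSION
            and data[2] == DCERPC_PKT_REQUEST)


def dcerpc_header_sane(data: bytes) -> bool:
    """Assumed follow-up check (not from the manual): a full CO header must be
    present and frag_length must be no smaller than the header and no larger
    than the data actually seen. Byte order comes from the drep field."""
    if len(data) < DCERPC_CO_HEADER_LEN:
        return False
    little_endian = bool(data[4] & 0x10)      # drep[0] high nibble 1 = little-endian ints
    frag_length = struct.unpack_from("<H" if little_endian else ">H", data, 8)[0]
    return DCERPC_CO_HEADER_LEN <= frag_length <= len(data)


def classify(data: bytes) -> str:
    """Decide what the preprocessor would do with a payload: decode it as SMB,
    decode it as DCE/RPC, start DCE/RPC decoding but give up, or ignore it."""
    if looks_like_smb(data):
        return "smb"
    if looks_like_dcerpc(data):
        return "dcerpc" if dcerpc_header_sane(data) else "dcerpc-rejected"
    return "unknown"


# --- constructed sample payloads (not captured traffic) ---

# NetBIOS session message carrying a 32-byte SMB header with command 0x2F (WriteAndX).
SMB_SAMPLE = b"\x00\x00\x00\x20" + SMB_MAGIC + b"\x2f" + b"\x00" * 27

# Minimal DCE/RPC request: vers 5, minor 0, ptype 0, flags first|last, little-endian drep,
# frag_length 24, auth_length 0, call_id 1, then alloc_hint/context_id/opnum.
DCERPC_SAMPLE = (b"\x05\x00\x00\x03" + b"\x10\x00\x00\x00" + b"\x18\x00" + b"\x00\x00"
                 + b"\x01\x00\x00\x00" + b"\x00\x00\x00\x00" + b"\x00\x00" + b"\x00\x00")

# Starts with 0x05 .. 0x00, so the two-byte check matches, but frag_length (0xFFFF)
# cannot possibly fit in 16 bytes: a later check is "nonsensical" and processing ends.
BOGUS_SAMPLE = (b"\x05\x00\x00\x03" + b"\x10\x00\x00\x00" + b"\xff\xff" + b"\x00\x00"
                + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, sample in (("smb", SMB_SAMPLE), ("dcerpc", DCERPC_SAMPLE),
                         ("bogus", BOGUS_SAMPLE), ("http", b"GET / HTTP/1.0\r\n")):
        print(f"{name:7s} -> {classify(sample)}")
```

Run stand-alone, the script prints one classification per sample; the interesting line is the bogus payload, which is accepted by the two-byte test and only rejected once the header length is examined.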



Steven Sturges 2007-05-11