snort-2.8.6.1-0.2mdv2010.1.i586.rpm

DCE/RPC Preprocessor
====================
Andrew Mullican <amullican@sourcefire.com>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! The dcerpc preprocessor is now considered deprecated and will be removed
! in a future release.  Please use the dcerpc2 preprocessor in its place.
! See the Snort Manual and README.dcerpc2 for documentation.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Overview
========
The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
It is primarily interested in DCE/RPC requests, and only decodes SMB
to get to the potential DCE/RPC requests carried by SMB.

Currently, the preprocessor only handles desegmentation (at SMB
and TCP layers) and defragmentation of DCE/RPC.  Snort rules can
be evaded by using both types of fragmentation. With the
preprocessor enabled, the rules are given reassembled DCE/RPC data
to examine.

At the SMB layer, only segmentation using WriteAndX is currently
reassembled.  Other methods will be handled in future versions of
the preprocessor.

Autodetection of SMB is done by looking for "\xFFSMB" at the start of
the SMB data, as well as checking the NetBIOS header (which is always
present for SMB) for the type "Session Message".

Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
checked in the packet.  Assuming that the data is a DCE/RPC header,
one byte is checked for DCE/RPC version 5 and another for a DCE/RPC
PDU type of Request.  If both match, the preprocessor proceeds with the
assumption that it is looking at DCE/RPC data.  If subsequent checks
are nonsensical, it ends processing.
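The autodetection heuristics and the DCE/RPC-layer fragmentation evasion described above, as an added Python example (not code from Snort or from this README). It assumes little-endian data representation and no authentication trailer in the request PDUs; the sample SMB bytes, the request builder, the `EXAMPLE-MARKER` content string and the `Defragmenter` class are constructed here for illustration, and truncating each fragment to max_frag_size is my reading of the README's "truncate" wording, not a statement about the preprocessor's code.

```python
import struct

# Constants for the two autodetection heuristics the README describes.
NBSS_SESSION_MESSAGE = 0x00      # NetBIOS session service type "Session Message"
SMB_MAGIC = b"\xffSMB"
DCERPC_VERSION = 5               # rpc_vers byte of a connection-oriented PDU header
DCERPC_PTYPE_REQUEST = 0         # ptype value for a Request PDU
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DCERPC_HDR_LEN = 24              # request header size up to and including opnum
# vers, minor, ptype, flags, drep, frag_len, auth_len, call_id, alloc_hint, ctx_id, opnum
DCERPC_HDR_FMT = "<BBBBIHHIIHH"

# Constructed sample: NetBIOS Session Message (type 0x00, 3-byte length 0x23) carrying
# an SMB header whose command byte is WriteAndX (0x2f); the rest is zero filler.
SAMPLE_SMB = b"\x00\x00\x00\x23" + SMB_MAGIC + b"\x2f" + b"\x00" * 30


def looks_like_smb(data: bytes) -> bool:
    """SMB autodetection as described above: NetBIOS type Session Message, then "\\xFFSMB"."""
    return (len(data) >= 8
            and data[0] == NBSS_SESSION_MESSAGE
            and data[4:8] == SMB_MAGIC)


def looks_like_dcerpc(data: bytes) -> bool:
    """The two-byte DCE/RPC heuristic: version byte == 5 and ptype byte == Request.
    Deliberately weak, as the README says: any payload starting 05 xx 00 matches."""
    return (len(data) >= 3
            and data[0] == DCERPC_VERSION
            and data[2] == DCERPC_PTYPE_REQUEST)


def parse_dcerpc_request(data: bytes):
    """Return (pfc_flags, call_id, opnum, stub), or None when the follow-up checks are
    nonsensical. Assumes little-endian drep (0x10) and no auth trailer (assumption)."""
    if not looks_like_dcerpc(data) or len(data) < DCERPC_HDR_LEN:
        return None
    (_, _, _, flags, drep, frag_len, auth_len,
     call_id, _alloc, _ctx, opnum) = struct.unpack(DCERPC_HDR_FMT, data[:DCERPC_HDR_LEN])
    if (drep & 0xF0) != 0x10 or auth_len != 0:
        return None
    if frag_len < DCERPC_HDR_LEN or frag_len > len(data):
        return None
    return flags, call_id, opnum, data[DCERPC_HDR_LEN:frag_len]


def build_request(stub: bytes, opnum: int, call_id: int = 1,
                  flags: int = PFC_FIRST_FRAG | PFC_LAST_FRAG) -> bytes:
    """Build one Request PDU (helper for constructing sample traffic)."""
    hdr = struct.pack(DCERPC_HDR_FMT, DCERPC_VERSION, 0, DCERPC_PTYPE_REQUEST, flags,
                      0x10, DCERPC_HDR_LEN + len(stub), 0, call_id, len(stub), 0, opnum)
    return hdr + stub


def fragment_request(stub: bytes, opnum: int, chunk: int, call_id: int = 1) -> list:
    """Split one request across several PDUs sharing a call_id: the DCE/RPC-layer
    fragmentation that lets a content match be evaded when nothing reassembles."""
    pieces = [stub[i:i + chunk] for i in range(0, len(stub), chunk)] or [b""]
    last = len(pieces) - 1
    return [build_request(p, opnum, call_id,
                          (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == last else 0))
            for i, p in enumerate(pieces)]


class Defragmenter:
    """Reassemble fragmented requests per call_id. Each fragment's stub is truncated
    to max_frag_size before buffering (my reading of the README's "truncate" wording)."""

    def __init__(self, max_frag_size: int = 3000):
        self.max_frag_size = max_frag_size
        self.pending = {}            # call_id -> (opnum, bytearray)

    def feed(self, pdu: bytes):
        """Return (opnum, stub) once the last fragment arrives, else None."""
        parsed = parse_dcerpc_request(pdu)
        if parsed is None:
            return None
        flags, call_id, opnum, stub = parsed
        if flags & PFC_FIRST_FRAG:
            self.pending[call_id] = (opnum, bytearray())
        elif call_id not in self.pending:
            return None              # middle/last fragment with no first fragment: drop
        self.pending[call_id][1].extend(stub[:self.max_frag_size])
        if flags & PFC_LAST_FRAG:
            opnum, buf = self.pending.pop(call_id)
            return opnum, bytes(buf)
        return None


def demo():
    """A content match that misses on the raw fragments but hits on reassembled data."""
    pattern = b"EXAMPLE-MARKER"     # stands in for a rule's content string (constructed)
    stub = b"A" * 10 + pattern + b"B" * 10
    frags = fragment_request(stub, opnum=7, chunk=8)   # 8-byte fragments, shorter than pattern
    per_fragment_hit = any(pattern in parse_dcerpc_request(f)[3] for f in frags)
    defrag = Defragmenter()
    reassembled = next((r for r in map(defrag.feed, frags) if r is not None), None)
    return per_fragment_hit, reassembled
```

`demo()` returns `(False, (7, stub))`: none of the five 8-byte fragments contains the 14-byte marker, so a rule matching on the raw PDUs misses, while the reassembled stub handed to detection contains it. The same split at the SMB layer (one request spread over several WriteAndX writes) is what disable_smb_frag would leave unreassembled.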


Configuration
=============
The preprocessor has several optional configuration options.  They are
described below:

* autodetect
  In addition to configured ports, try to autodetect DCE/RPC sessions.
  Note that DCE/RPC can run on practically any port in addition to the
  more common ports.
  This option is not configured by default.

* ports smb { <int> [<int>] }
  Ports that the preprocessor monitors for SMB traffic.
  Default are ports 139 and 445.

* ports dcerpc { <int> [<int>] }
  Ports that the preprocessor monitors for DCE/RPC over TCP traffic.
  Default is port 135.

* disable_smb_frag
  Do not do SMB desegmentation.  Unless you are experiencing severe performance
  issues, this option should not be configured as SMB segmentation provides
  for an easy evasion opportunity.
  This option is not configured by default.

* disable_dcerpc_frag
  Do not do DCE/RPC defragmentation.  Unless you are experiencing severe
  performance issues, this option should not be configured as DCE/RPC
  fragmentation provides for an easy evasion opportunity.
  This option is not configured by default.

* max_frag_size
  Maximum DCE/RPC fragment size to put in defragmentation buffer, in bytes.
  Default is 3000 bytes.

* memcap
  Maximum amount of memory available to the DCE/RPC preprocessor for
  desegmentation and defragmentation, in kilobytes.
  Default is 100000 kilobytes.

* disabled
  Disables the preprocessor for the policy in which it appears, so that no
  packets are processed.  When the preprocessor is disabled, only the memcap
  option is applied (if specified); the other options are parsed but not used.
  Any valid configuration may have "disabled" added to it.
   
* alert_memcap
  Alert if memcap is exceeded.
  This option is not configured by default.

* reassemble_increment <int>
  How often (every <int> passes through the preprocessor) a reassembled packet
  should be built from the data accrued so far in the segmentation and
  fragmentation reassembly buffers and sent to the detection engine, before the
  final desegmentation or defragmentation of the DCE/RPC request takes place.
  This can catch an attack earlier and is useful in inline mode.  Because the
  preprocessor works on TCP-reassembled packets (to avoid TCP overlap and
  segmentation evasions), the last packet of an attack that uses DCE/RPC
  segmentation/fragmentation evasion may already have been forwarded by the
  time the preprocessor sees it; examining the accrued data early will likely
  match the attack before all of the exploit data has gone through.
  Note, however, that this option carries a performance cost.  It is not
  recommended when Snort runs in passive mode, where it is not needed.
  If not specified, this option is disabled.  A value of 0 also disables it.
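To check a snort.conf stanza against the warnings in the option list above, here is an added Python example (not part of Snort or of this README) that parses a `preprocessor dcerpc:` stanza using the documented syntax, starts from the documented defaults, and reports the settings the README describes as evasion or visibility risks. The function names `parse_dcerpc_stanza` and `audit`, the finding texts and the two sample stanzas are constructed here; `EXAMPLE_WEAK` copies the README's first example and `EXAMPLE_FIXED` is one hardened alternative.

```python
import re

FLAG_OPTS = ("autodetect", "disable_smb_frag", "disable_dcerpc_frag", "disabled", "alert_memcap")
INT_OPTS = ("max_frag_size", "memcap", "reassemble_increment")
# Defaults as listed under "-- Default --" in the README.
DEFAULTS = {"ports smb": [139, 445], "ports dcerpc": [135],
            "max_frag_size": 3000, "memcap": 100000, "reassemble_increment": 0}


def parse_dcerpc_stanza(text: str) -> dict:
    """Parse one 'preprocessor dcerpc:' stanza (backslash line continuations allowed)
    into a dict that starts from the documented defaults."""
    body = re.sub(r"\\\s*\n", " ", text)            # join continuation lines
    m = re.match(r"\s*preprocessor\s+dcerpc\s*:(.*)$", body, re.S)
    if m is None:
        raise ValueError("not a 'preprocessor dcerpc:' stanza")
    cfg = {k: list(v) if isinstance(v, list) else v for k, v in DEFAULTS.items()}
    cfg.update({f: False for f in FLAG_OPTS})
    toks = m.group(1).replace("{", " { ").replace("}", " } ").split()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in FLAG_OPTS:                           # bare keyword options
            cfg[t] = True
            i += 1
        elif t in INT_OPTS:                          # keyword followed by an integer
            cfg[t] = int(toks[i + 1])
            i += 2
        elif (t == "ports" and i + 2 < len(toks)
              and toks[i + 1] in ("smb", "dcerpc") and toks[i + 2] == "{"):
            end = toks.index("}", i + 3)             # ports smb|dcerpc { <int> [<int>] }
            cfg["ports " + toks[i + 1]] = [int(p) for p in toks[i + 3:end]]
            i = end + 1
        else:
            raise ValueError(f"unrecognised option at {t!r}")
    return cfg


def audit(cfg: dict, inline: bool) -> list:
    """Return the findings the README's option descriptions warn about."""
    if cfg["disabled"]:
        return ["disabled: preprocessor off, rules see unreassembled SMB/DCE-RPC"]
    findings = []
    if cfg["disable_smb_frag"]:
        findings.append("disable_smb_frag: SMB (WriteAndX) segmentation becomes an easy evasion")
    if cfg["disable_dcerpc_frag"]:
        findings.append("disable_dcerpc_frag: DCE/RPC fragmentation becomes an easy evasion")
    if not cfg["autodetect"]:
        findings.append("autodetect off: DCE/RPC over TCP on ports other than %s is not decoded"
                        % cfg["ports dcerpc"])
    if not cfg["alert_memcap"]:
        findings.append("alert_memcap off: exceeding memcap (GID 130, SID 1) is not alerted")
    if inline and cfg["reassemble_increment"] == 0:
        findings.append("reassemble_increment 0 in inline mode: no early reassembled packets")
    return findings


# The README's first example stanza, copied as written on this page.
EXAMPLE_WEAK = """preprocessor dcerpc: \\
  autodetect \\
  disable_smb_frag \\
  max_frag_size 4000
"""

# One hardened alternative: SMB desegmentation left on, memcap alerts on,
# early reassembly for an inline deployment.
EXAMPLE_FIXED = """preprocessor dcerpc: \\
  autodetect \\
  alert_memcap \\
  max_frag_size 4000 \\
  reassemble_increment 1
"""
```

Running `audit(parse_dcerpc_stanza(EXAMPLE_WEAK), inline=True)` reports the disable_smb_frag evasion, the silent memcap and the missing reassemble_increment; the same call on `EXAMPLE_FIXED` returns no findings.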
   

Examples
--------
In addition to the defaults, autodetect SMB and DCE/RPC sessions on
non-configured ports.  Don't do desegmentation on SMB writes.  Truncate any
DCE/RPC fragment larger than 4000 bytes.

preprocessor dcerpc: \
  autodetect \
  disable_smb_frag \
  max_frag_size 4000
  
In addition to defaults, don't do DCE/RPC defragmentation.  Set memory cap
for desegmentation/defragmentation to 50,000 kilobytes.  (Since no DCE/RPC
defragmentation will be done the memory cap will only apply to desegmentation.)

preprocessor dcerpc: \
  disable_dcerpc_frag \
  memcap 50000

In addition to the defaults, monitor DCE/RPC over TCP on ports 135 and 2103
(this list replaces the default).  Set the memory cap for
desegmentation/defragmentation to 200,000 kilobytes.  Create a reassembled packet
every time through the preprocessor if there is data in the
desegmentation/defragmentation buffers.

preprocessor dcerpc: \
  ports dcerpc { 135 2103 } \
  memcap 200000 \
  reassemble_increment 1
 
-- Default --
preprocessor dcerpc: \
  ports smb { 139 445 } \
  ports dcerpc { 135 } \
  max_frag_size 3000 \
  memcap 100000 \
  reassemble_increment 0


Preprocessor Events
===================
The DCE/RPC preprocessor uses generator ID 130 for the following events:

SID   Description
---   -----------
1     Maximum memory usage reached

-- Note --
At the current time, there is not much to do with the dcerpc preprocessor
other than turn it on and let it reassemble fragmented DCE/RPC packets.