dce_iface
You can use the
dce_iface keyword to identify a specific DCE/RPC
service.
Optionally, you can also use
dce_iface in combination with the
dce_opnum and
dce_stub_data keywords to further limit the DCE/RPC
traffic to inspect.
A fixed, sixteen-byte Universally Unique Identifier (UUID) identifies the application interface assigned to each DCE/RPC service. For example, the UUID 4b324fc8-670-01d3-1278-5a47bf6ee188 identifies the DCE/RPC lanmanserver service, also known as the srvsvc service, which provides numerous management functions for sharing peer-to-peer printers, files, and SMB named pipes. The DCE/RPC preprocessor uses the UUID and associated header values to track DCE/RPC sessions.
The interface UUID is comprised of five hexadecimal strings separated by hyphens:
<4hexbytes>-<2hexbytes>-<2hexbytes>-<2hexbytes>-<6hexbytes>
You specify the interface by entering the entire UUID including hyphens, as seen in the following UUID for the netlogon interface:
12345678-1234-abcd-ef00-01234567cffb
Note that you must specify the first three strings in the UUID in big endian byte order. Although published interface listings and protocol analyzers typically display UUIDs in the correct byte order, you might encounter a need to rearrange the UUID byte order before entering it. Consider the following messenger service UUID shown as it might sometimes be displayed in raw ASCII text with the first three strings in little endian byte order:
f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc
You would specify the same UUID for the
dce_iface keyword by inserting hyphens and putting the
first three strings in big endian byte order as follows:
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
Although a DCE/RPC session can include requests to multiple
interfaces, you should include only one
dce_iface keyword in a rule. Create additional rules to
detect additional interfaces.
DCE/RPC application interfaces also have interface version numbers. You can optionally specify an interface version with an operator indicating that the version equals, does not equal, is less than, or greater than the specified value.
Both connection-oriented and connectionless DCE/RPC can be fragmented in addition to any TCP segmentation or IP fragmentation. Typically, it is not useful to associate any DCE/RPC fragment other than the first with the specified interface, and doing so may result in a large number of false positives. However, for flexibility you can optionally evaluate all fragments against the specified interface.
The following table summarizes the
dce_iface keyword arguments.
|
Argument |
Description |
|---|---|
|
Interface UUID |
The UUID, including hyphens, that identifies the application interface of the specific service that you want to detect in DCE/RPC traffic. Any request associated with the specified interface would match the interface UUID. |
|
Version |
Optionally, the application interface version number 0 to 65535 and an operator indicating whether to detect a version greater than (>), less than (<), equal to (=), or not equal to (!) the specified value. |
|
All Fragments |
Optionally, enable to match against the interface in all associated DCE/RPC fragments and, if specified, on the interface version. This argument is disabled by default, indicating that the keyword matches only if the first fragment or the entire unfragmented packet is associated with the specified interface. Note that enabling this argument may result in false positives. |