DCE/RPC Global Options
Global DCE/RPC preprocessor options control how the preprocessor functions. Note that, except for the Memory Cap Reached and Auto-Detect Policy on SMB Session options, modifying these options could have a negative impact on performance or detection capability. You should not modify them unless you have a thorough understanding of the preprocessor and the interaction between the preprocessor and enabled DCE/RPC rules.
If no preprocessor rule is mentioned in the following descriptions, the option is not associated with a preprocessor rule.
Maximum Fragment Size
When Enable Defragmentation is selected, specifies the maximum DCE/RPC fragment length allowed. The preprocessor truncates larger fragments for processing purposes to the specified size before defragmenting but does not alter the actual packet. A blank field disables this option.
Make sure that the Maximum Fragment Size option is greater than or equal to the depth to which the rules need to detect.
Reassembly Threshold
When Enable Defragmentation is selected, 0 disables this option, or specifies a minimum number of fragmented DCE/RPC bytes and, if applicable, segmented SMB bytes to queue before sending a reassembled packet to the rules engine. A low value increases the likelihood of early detection but could have a negative impact on performance. You should test for performance impact if you enable this option.
Make sure that the Reassembly Threshold option is greater than or equal to the depth to which the rules need to detect.
Enable Defragmentation
Specifies whether to defragment fragmented DCE/RPC traffic. When disabled, the preprocessor still detects anomalies and sends DCE/RPC data to the rules engine, but at the risk of missing exploits in fragmented DCE/RPC data.
Although this option provides the flexibility of not defragmenting DCE/RPC traffic, most DCE/RPC exploits attempt to take advantage of fragmentation to hide the exploit. Disabling this option would bypass most known exploits, resulting in a large number of false negatives.
Memory Cap Reached
Detects when the maximum memory limit allocated to the preprocessor is reached or exceeded. When the maximum memory cap is reached or exceeded, the preprocessor frees all pending data associated with the session that caused the memory cap event and ignores the rest of that session.
You can enable rule 133:1 to generate events and, in an inline deployment, drop offending packets for this option. See Setting Intrusion Rule States.
Auto-Detect Policy on SMB Session
Detects the Windows or Samba version that is identified in SMB
Session Setup AndX requests and responses. When the
detected version is different from the Windows or Samba version configured for
the
Policy configuration option, the detected version
overrides the configured version for that session only.
For example, if you set Policy to Windows XP and the preprocessor detects Windows Vista, the preprocessor uses a Windows Vista policy for that session. Other settings remain in effect.
When the DCE/RPC transport is not SMB (that is, when the transport is TCP or UDP), the version cannot be detected and the policy cannot be automatically configured.
To enable this option, choose one of the following from the drop-down list:
-
Choose Client to inspect server-to-client traffic for the policy type.
-
Choose Server to inspect client-to-server traffic for the policy type.
-
Choose Both to inspect server-to-client and client-to-server traffic for the policy type.
Legacy SMB Inspection Mode
When Legacy SMB Inspection Mode is enabled, the system applies SMB intrusion rules only to SMB Version 1 traffic, and applies DCE/RPC intrusion rules to DCE/RPC traffic using SMB Version 1 as a transport. When this option is disabled, the system applies SMB intrusion rules to traffic using SMB Versions 1, 2, and 3, but applies DCE/RPC intrusion rules to DCE/RPC traffic using SMB as a transport only for SMB Version 1.