DCE/RPC Keywords

The three DCE/RPC keywords described in the following table allow you to monitor DCE/RPC session traffic for exploits. When the system processes rules with these keywords, it invokes the DCE/RPC preprocessor.

DCE/RPC Keywords

Use...           In this way...                        To detect...
dce_iface        alone                                 packets identifying a specific DCE/RPC service
dce_opnum        preceded by dce_iface                 packets identifying specific DCE/RPC service operations
dce_stub_data    preceded by dce_iface + dce_opnum     stub data defining a specific operation request or response

As the table shows, always precede dce_opnum with dce_iface, and always precede dce_stub_data with both dce_iface and dce_opnum.

You can also use these DCE/RPC keywords in combination with other rule keywords. Note that for DCE/RPC rules, you use the byte_jump, byte_test, and byte_extract keywords with their DCE/RPC arguments selected.

Cisco recommends that you include at least one content keyword in rules that include DCE/RPC keywords to ensure that the rules engine uses the fast pattern matcher, which increases processing speed and improves performance. Note that the rules engine uses the fast pattern matcher when a rule includes at least one content keyword, regardless of whether you enable the content keyword Use Fast Pattern Matcher argument.

You can use the DCE/RPC version and adjoining header information as the matching content in the following cases:

  • the rule does not include another content keyword

  • the rule contains another content keyword, but the DCE/RPC version and adjoining information represent a more unique pattern than the other content

    For example, the DCE/RPC version and adjoining information are more likely to be unique than a single byte of content.

You should end qualifying rules with one of the following version and adjoining information content matches:

  • For connection-oriented DCE/RPC rules, use the content |05 00 00| (for major version 05, minor version 00, and the request PDU (protocol data unit) type 00).

  • For connectionless DCE/RPC rules, use the content |04 00| (for version 04, and the request PDU type 00).

In either case, position the content keyword for version and adjoining information as the last keyword in the rule to invoke the fast pattern matcher without repeating processing already completed by the DCE/RPC preprocessor. Note that placing the content keyword at the end of the rule applies to version content used as a device to invoke the fast pattern matcher, and not necessarily to other content matches in the rule.
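The ordering and placement guidance above (dce_iface before dce_opnum before dce_stub_data, the dce argument on byte_jump/byte_test/byte_extract, at least one content keyword, and the version content match placed last) is easy to get wrong when editing rules by hand. The following script is an added example, not part of the original page or of any Cisco or Snort tooling: it parses a rule's option body and reports which of those conventions a rule violates. The sample rules are constructed for illustration; the all-zero interface UUID and opnum 0 are placeholders, not references to a real DCE/RPC service, and the choice to treat msg, sid, rev and similar keywords as metadata that may follow the version content is an assumption of this checker.

```python
"""Static checks for DCE/RPC rule keyword ordering and placement.

Added example; not part of the original page or of any Cisco/Snort tooling.
The sample rules are constructed. The interface UUID and opnum are
placeholders and do not refer to any real DCE/RPC service.
"""

# Assumption: these keywords carry metadata, not detection logic, so a version
# content match is checked for being the last *detection* keyword.
METADATA_KEYWORDS = {"msg", "sid", "rev", "gid", "classtype", "reference",
                     "metadata", "priority"}
# CO request PDU (major 05, minor 00, type 00) and CL request PDU (04, type 00)
VERSION_CONTENTS = {"|05 00 00|", "|04 00|"}
BYTE_KEYWORDS = {"byte_jump", "byte_test", "byte_extract"}

# Constructed sample rules (placeholder UUID/opnum, not a real service).
SAMPLE_RULES = {
    "well_formed": 'alert tcp any any -> any any (msg:"added example CO rule"; '
        'dce_iface:00000000-0000-0000-0000-000000000000; dce_opnum:0; '
        'dce_stub_data; byte_test:4,>,1024,0,dce; content:"|05 00 00|"; '
        'sid:1000001; rev:1;)',
    "opnum_before_iface": 'alert tcp any any -> any any (msg:"opnum before iface"; '
        'dce_opnum:0; dce_iface:00000000-0000-0000-0000-000000000000; '
        'content:"|05 00 00|"; sid:1000002;)',
    "byte_test_without_dce": 'alert udp any any -> any any (msg:"missing dce arg"; '
        'dce_iface:00000000-0000-0000-0000-000000000000; dce_opnum:0; '
        'byte_test:2,>,100,0; content:"|04 00|"; sid:1000003;)',
    "version_content_not_last": 'alert tcp any any -> any any (msg:"version not last"; '
        'dce_iface:00000000-0000-0000-0000-000000000000; content:"|05 00 00|"; '
        'dce_opnum:0; sid:1000004;)',
}


def parse_options(rule):
    """Return the option body of a rule as an ordered list of (keyword, value)."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option body")
    options, current, in_quote = [], [], False
    # Split on ';' only outside double quotes (escaped quotes are not handled).
    for ch in rule[start + 1:end]:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current))
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        options.append("".join(current))
    pairs = []
    for opt in options:
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def check_rule(rule):
    """Return a list of findings; an empty list means the rule follows the guidance."""
    pairs = parse_options(rule)
    keys = [k for k, _ in pairs]
    findings = []

    def first(key):
        return keys.index(key) if key in keys else None

    iface, opnum, stub = first("dce_iface"), first("dce_opnum"), first("dce_stub_data")
    if opnum is not None and (iface is None or iface > opnum):
        findings.append("dce_opnum must be preceded by dce_iface")
    if stub is not None and (iface is None or opnum is None or not iface < opnum < stub):
        findings.append("dce_stub_data must be preceded by dce_iface and dce_opnum")

    uses_dce = any(k.startswith("dce_") for k in keys)
    if uses_dce and "content" not in keys:
        findings.append("no content keyword: fast pattern matcher will not be used")

    # byte_* keywords in DCE/RPC rules should select their DCE/RPC argument.
    for key, value in pairs:
        if uses_dce and key in BYTE_KEYWORDS:
            if "dce" not in [a.strip() for a in value.split(",")]:
                findings.append(f"{key} lacks the dce argument")

    # A version/adjoining-information content match belongs at the end.
    detection = [(k, v) for k, v in pairs if k not in METADATA_KEYWORDS]
    for idx, (key, value) in enumerate(detection):
        if key == "content" and value.strip('"') in VERSION_CONTENTS \
                and idx != len(detection) - 1:
            findings.append(f"version content {value} is not the last detection keyword")
    return findings


if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        print(name, "->", check_rule(rule) or "OK")
```

Running the script prints one line per sample rule; only the well-formed rule reports OK. The checker is intentionally lenient about content modifiers (depth, offset, and so on) and about escaped quotes inside msg strings, so treat its output as a lint pass rather than a substitute for loading the rule into the engine.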