The dce_opnum Keyword
You can use the dce_opnum keyword in conjunction with the DCE/RPC preprocessor to detect packets that identify one or more specific operations that a DCE/RPC service provides.
Client function calls request specific service functions, which are referred to in DCE/RPC specifications as operations. An operation number (opnum) identifies a specific operation in the DCE/RPC header. It is likely that an exploit would target a specific operation.
For example, the UUID 12345678-1234-abcd-ef00-01234567cffb identifies the interface for the netlogon service, which provides several dozen different operations. One of these is operation 6, the NetrServerPasswordSet operation.
You should precede a dce_opnum keyword with a dce_iface keyword to identify the service for the operation.
You can specify a single decimal value 0 to 65535 for a specific operation, a range of operations separated by a hyphen, or a comma-separated list of operations and ranges in any order.
Any of the following examples would specify valid netlogon operation numbers:
15
15-18
15, 18-20
15, 20-22, 17
15, 18-20, 22, 24-26
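The argument syntax above can be checked before a rule is deployed. The following Python sketch is an added example, not the preprocessor's own code: it validates an operation list and tests it against the opnum field of a connection-oriented DCE/RPC request header. The function names and the sample packets are constructed for illustration, and it assumes one unfragmented request with the transport layer already removed.

```python
import re
import struct

ITEM = re.compile(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", re.ASCII)

def parse_opnum_spec(spec):
    """Parse '15, 18-20, 22' into [(15, 15), (18, 20), (22, 22)]."""
    ranges = []
    for item in spec.split(","):
        m = ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"not a decimal opnum or range: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        # Rejecting a reversed range such as 20-18 is this example's choice.
        if not lo <= hi <= 65535:
            raise ValueError(f"outside 0-65535 or reversed: {item!r}")
        ranges.append((lo, hi))
    return ranges

def request_opnum(pdu):
    """Opnum of a connection-oriented DCE/RPC request PDU, or None."""
    # Byte 0: RPC version 5; byte 2: PDU type 0 (request).
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != 0:
        return None
    # Byte 4 (data representation): 0x10 bit set means little-endian integers.
    fmt = "<H" if pdu[4] & 0x10 else ">H"
    # The opnum sits at offset 22, after alloc_hint and the context id.
    return struct.unpack_from(fmt, pdu, 22)[0]

def opnum_matches(spec, pdu):
    """True when the request's opnum falls in any listed value or range."""
    opnum = request_opnum(pdu)
    if opnum is None:
        return False
    return any(lo <= opnum <= hi for lo, hi in parse_opnum_spec(spec))

def build_request(opnum, little_endian=True):
    """Constructed 24-byte request header for the demo (no stub data)."""
    e = "<" if little_endian else ">"
    drep = b"\x10\x00\x00\x00" if little_endian else b"\x00\x00\x00\x00"
    common = struct.pack(e + "BBBB4sHHI", 5, 0, 0, 0x03, drep, 24, 0, 1)
    return common + struct.pack(e + "IHH", 0, 0, opnum)

if __name__ == "__main__":
    for spec in ("15", "15-18", "15, 18-20", "15, 20-22, 17"):
        print(spec, "->", parse_opnum_spec(spec))
    print(opnum_matches("6", build_request(6, little_endian=False)))
```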