Configuring the DCE/RPC Preprocessor

Note	This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

You configure the DCE/RPC preprocessor by modifying any of the global options that control how the preprocessor functions, and by specifying one or more target-based server policies that identify the DCE/RPC servers on your network by IP address and by either the Windows or Samba version running on them. Target-based policy configuration also includes enabling transport protocols, specifying the ports carrying DCE/RPC traffic to those hosts, and setting other server-specific options.

Before you begin

Confirm that networks you want to identify in a custom target-based policy match or are a subset of the networks, zones, and VLANs handled by its parent network analysis policy. See Advanced Settings for Network Analysis Policies for more information.

Procedure

Step 1

Choose Policies > Access Control, then click Network Analysis Policy or Policies > Access Control > Intrusion, then click Network Analysis Policies.

Note	If your custom user role limits access to the first path listed here, use the second path to access the policy.

Step 2

Click Snort 2 Version next to the policy you want to edit.

Step 3

Click Edit ( edit icon ) next to the policy you want to edit.

If View (

) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Settings in the navigation panel on the left.

Step 5

If DCE/RPC Configuration under Application Layer Preprocessors is disabled, click Enabled.

Step 6

Click Edit ( edit icon ) next to DCE/RPC Configuration.

Step 7

Modify the options in the Global Settings section; see DCE/RPC Global Options.

Step 8

You have the following choices:

Add a server profile — Click Add () next to Servers. Specify one or more IP addresses in the Server Address field, then click OK.
Delete a server profile — Click Delete () next to the policy.
Edit a server profile — Click the configured address for the profile under Servers, or click default. You can modify any of the settings in the Configuration section; see DCE/RPC Target-Based Policy Options.

Step 9

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, cached changes since the last commit are discarded if you edit a different policy.

What to do next

If you want to generate intrusion events, enable DCE/RPC preprocessor rules (GID 132 or 133). For more information, see Setting Intrusion Rule States, DCE/RPC Global Options, DCE/RPC Target-Based Policy Options, and Traffic-Associated DCE/RPC Rules.
Deploy configuration changes.