DCE SMB Inspector Overview
Type | Inspector (service)
Usage | Inspect
Instance Type | Multiton
Other Inspectors Required | None
Enabled |
The DCE/RPC protocol allows processes on separate network hosts to communicate as if they were on the same host. These inter-process communications are commonly transported between hosts over TCP and UDP. Within the TCP transport, DCE/RPC might also be further encapsulated in the Windows Server Message Block (SMB) protocol or in Samba, an open-source SMB implementation used for inter-process communication in mixed environments of Windows and UNIX or Linux hosts.
Although most DCE/RPC exploits occur in DCE/RPC client requests targeted at DCE/RPC servers, which could be practically any host on your network running Windows or Samba, exploits can also occur in server responses.
IP encapsulates all DCE/RPC transports. TCP transports all connection-oriented DCE/RPC, including DCE/RPC carried in SMB.
The dce_smb inspector detects connection-oriented DCE/RPC in the SMB protocol and uses protocol-specific characteristics, including header length and data fragment order, to:
- Detect DCE/RPC requests and responses encapsulated in SMB transports.
- Analyze DCE/RPC data streams and detect anomalous behavior and evasion techniques in DCE/RPC traffic.
- Analyze SMB data streams and detect anomalous SMB behavior and evasion techniques.
- Desegment SMB and defragment DCE/RPC.
- Normalize DCE/RPC traffic for processing by the rules engine.
The following diagram illustrates the point at which the DCE SMB inspector begins processing traffic for the SMB transport.
The dce_smb inspector typically receives SMB traffic on the well-known TCP port 139 for the NetBIOS Session Service, or on the well-known TCP port 445 on which Windows carries SMB directly over TCP. Because SMB has many functions other than transporting DCE/RPC, the inspector first tests whether the SMB traffic is carrying DCE/RPC and stops processing if it is not, or continues processing if it is.
Descriptions of the dce_smb inspector parameters and functionality cover the Microsoft implementation of DCE/RPC known as Microsoft Remote Procedure Call (MSRPC), as well as both SMB and Samba.
Target-Based Policies
Windows and Samba DCE/RPC implementations differ significantly. For example, all versions of Windows use the DCE/RPC context ID in the first fragment when defragmenting DCE/RPC traffic, and all versions of Samba use the context ID in the last fragment. As another example, Windows Vista uses the opnum (operation number) header field in the first fragment to identify a specific function call, whereas Samba and all other Windows versions use the opnum field in the last fragment.
There are significant differences in Windows and Samba SMB implementations. For example, Windows recognizes the SMB OPEN and READ commands when working with named pipes, but Samba does not recognize these commands.
For this reason, the dce_smb inspector uses a target-based approach.
When you configure a dce_smb inspector instance, the policy parameter specifies an implementation of the DCE/RPC SMB protocol. This, in combination with the host information, establishes a default target-based server policy. Optionally, you can configure additional inspectors that target other hosts and DCE/RPC SMB implementations. The DCE/RPC SMB implementation specified by the default target-based server policy applies to any host not targeted by another dce_smb inspector instance.
DCE/RPC SMB implementations which the dce_smb inspector can target with the policy parameter are:
- WinXP (default)
- Win2000
- WinVista
- Win2003
- Win2008
- Win7
- Samba
- Samba-3.0.37
- Samba-3.0.22
- Samba-3.0.20
File Inspection
The dce_smb inspector supports file inspection for SMB versions 1, 2, and 3.
The dce_smb inspector examines normal SMB file transfers. This includes checks of the file type and signature through file processing, as well as setting a pointer for the file_data rule option. Inspection of SMB file transfers works in coordination with the file_id inspector (described in the Snort 3 open source documentation, available at https://www.snort.org/snort3). To enable file inspection, configure the file_id inspector as needed, and set the dce_smb smb_file_inspection and smb_file_depth parameters.
The smb_file_depth parameter indicates the number of file data bytes the file_id inspector examines, beginning at the pointer indicated by the file_data IPS rule option. For more information, see the Snort 3 open source documentation, available at https://www.snort.org/snort3.
Defragmentation
The dce_smb inspector supports reassembling fragmented DCE/RPC data so that the rules engine sees the complete request rather than individual fragments. This is useful in inline mode to catch exploits early in the inspection process, and to catch exploits that take advantage of fragmentation to conceal themselves. Be aware that disabling defragmentation may result in a large number of false negatives.
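The following is an added example, not code from Snort or from this documentation, illustrating both the Target-Based Policies section (context ID and opnum taken from the first or last fragment depending on the target) and the Defragmentation section above. It parses connection-oriented DCE/RPC request PDUs using the header layout from the DCE 1.1 RPC specification, reassembles a constructed two-fragment call, and shows how the interpretation changes with the policy selected for the destination host, falling back to the default WinXP policy for hosts no other instance targets. The function names (parse_request_pdu, select_policy, defragment, build_request, inspect_call), the sample fragments and the host-to-policy list are all hypothetical.

```python
"""Added example, not Snort's own code: reassemble a fragmented
connection-oriented DCE/RPC request the way a target-based inspector must,
taking the context ID and opnum from the first or last fragment depending on
which implementation (policy) the destination host runs."""
import ipaddress
import struct
from dataclasses import dataclass

# Values the page lists for the dce_smb 'policy' parameter; WinXP is the default.
WINDOWS_POLICIES = {"Win2000", "WinXP", "WinVista", "Win2003", "Win2008", "Win7"}
SAMBA_POLICIES = {"Samba", "Samba-3.0.37", "Samba-3.0.22", "Samba-3.0.20"}
DEFAULT_POLICY = "WinXP"

# Connection-oriented DCE/RPC (DCE 1.1 RPC spec) common header constants.
PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_OBJECT_UUID = 0x80


@dataclass
class Fragment:
    pfc_flags: int
    call_id: int
    context_id: int
    opnum: int
    stub: bytes


def parse_request_pdu(data: bytes) -> Fragment:
    """Parse one request PDU: 16-byte common header + 8-byte request header + stub."""
    if len(data) < 24:
        raise ValueError("truncated DCE/RPC request header")
    rpc_vers, ptype, pfc_flags = data[0], data[2], data[3]
    if rpc_vers != 5 or ptype != PTYPE_REQUEST:
        raise ValueError("not a connection-oriented DCE/RPC request PDU")
    # drep[0] high nibble: 0 = big-endian integers, 1 = little-endian (what Windows sends).
    endian = "<" if (data[4] & 0xF0) == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", data, 8)
    if frag_length > len(data):
        raise ValueError("frag_length exceeds the data available")
    _alloc_hint, context_id, opnum = struct.unpack_from(endian + "IHH", data, 16)
    stub_start = 24 + (16 if pfc_flags & PFC_OBJECT_UUID else 0)
    # An auth trailer, when present, is an 8-byte sec_trailer plus auth_length bytes at the end.
    stub_end = frag_length - (auth_length + 8 if auth_length else 0)
    return Fragment(pfc_flags, call_id, context_id, opnum, data[stub_start:stub_end])


def select_policy(host: str, targeted: list) -> str:
    """Resolve the target policy for a host. 'targeted' lists (network, policy) pairs,
    standing in for additional dce_smb instances bound to other hosts; any host not
    covered falls back to the default target-based server policy."""
    addr = ipaddress.ip_address(host)
    for net, policy in targeted:
        if addr in ipaddress.ip_network(net):
            return policy
    return DEFAULT_POLICY


def defragment(fragments: list, policy: str) -> tuple:
    """Reassemble the fragments of one call and return (context_id, opnum, stub)
    as the targeted implementation would interpret them."""
    if policy not in WINDOWS_POLICIES | SAMBA_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not fragments or not fragments[0].pfc_flags & PFC_FIRST_FRAG:
        raise ValueError("first fragment missing PFC_FIRST_FRAG")
    if not fragments[-1].pfc_flags & PFC_LAST_FRAG:
        raise ValueError("last fragment missing PFC_LAST_FRAG")
    if len({f.call_id for f in fragments}) != 1:
        raise ValueError("fragments belong to different calls")
    first, last = fragments[0], fragments[-1]
    # Context ID: every Windows version honours the first fragment, Samba the last.
    context_id = first.context_id if policy in WINDOWS_POLICIES else last.context_id
    # Opnum: only Windows Vista honours the first fragment; all other targets use the last.
    opnum = first.opnum if policy == "WinVista" else last.opnum
    return context_id, opnum, b"".join(f.stub for f in fragments)


def build_request(pfc_flags: int, call_id: int, context_id: int, opnum: int, stub: bytes) -> bytes:
    """Encode a little-endian request PDU (used only to construct sample traffic)."""
    common = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, pfc_flags,
                         b"\x10\x00\x00\x00", 24 + len(stub), 0, call_id)
    return common + struct.pack("<IHH", len(stub), context_id, opnum) + stub


# Constructed sample: one call split so the first fragment advertises context 0 /
# opnum 0x1F while the last carries context 1 / opnum 0x0A. Which pair the server
# acts on depends on its implementation, so the inspector must follow the target.
SAMPLE_CALL = [
    build_request(PFC_FIRST_FRAG, 7, 0, 0x1F, b"A" * 8),
    build_request(PFC_LAST_FRAG, 7, 1, 0x0A, b"B" * 8),
]
# Hypothetical extra instances: a Samba subnet and one Vista host; everything else is WinXP.
TARGETED = [("10.1.1.0/24", "Samba"), ("10.1.2.7/32", "WinVista")]


def inspect_call(host: str, raw_fragments: list = SAMPLE_CALL, targeted: list = TARGETED) -> dict:
    """Pick the policy for the destination host and reassemble the call under it."""
    policy = select_policy(host, targeted)
    context_id, opnum, stub = defragment([parse_request_pdu(f) for f in raw_fragments], policy)
    return {"policy": policy, "context_id": context_id, "opnum": opnum, "stub_len": len(stub)}


if __name__ == "__main__":
    for dst in ("10.1.1.5", "10.1.2.7", "192.168.0.9"):
        print(dst, inspect_call(dst))
```

Running the block shows the same two fragments yielding context 1 / opnum 0x0A for the Samba subnet, context 0 / opnum 0x1F for the Vista host, and context 0 / opnum 0x0A for an untargeted host under the default WinXP policy. A rule keyed on the opnum would therefore match or miss depending on which policy the inspector applies, which is why the policy must reflect the real server rather than a single global assumption.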