DCE TCP Inspector Overview
Type |
Inspector (service) |
Usage |
Inspect |
Instance Type |
Multiton |
Other Inspectors Required |
None |
Enabled |
|
The DCE/RPC protocol allows processes on separate network hosts to communicate as if the processes were on the same host. These inter-process communications are commonly transported between hosts over TCP. Within the TCP transport, DCE/RPC might also be further encapsulated in the Windows Server Message Block (SMB) protocol or in Samba, an open-source SMB implementation used for inter-process communication in a mixed environment comprised of Windows, and UNIX or Linux operating systems.
Although most DCE/RPC exploits occur in DCE/RPC client requests targeted for DCE/RPC servers, which could be practically any host on your network that is running Windows or Samba, exploits can also occur in server responses.
IP encapsulates all DCE/RPC transports. TCP transports all connection-oriented DCE/RPC. The DCE TCP inspector detects connection-oriented DCE/RPC and uses protocol-specific characteristics (such as header length and data fragment order) to:
-
Detect DCE/RPC requests and responses encapsulated in TCP transports, including TCP-transported DCE/RPC using version 1 RPC over HTTP.
-
Analyze DCE/RPC data streams and detect anomalous behavior and evasion techniques in DCE/RPC traffic.
-
Defragment DCE/RPC.
-
Normalize DCE/RPC traffic for processing by the rules engine.
The following diagram illustrates the point at which the DCE TCP inspector begins processing traffic for the TCP transport.
The well-known TCP port 135 identifies DCE/RPC traffic in the TCP transport. The figure does not include RPC over HTTP. For RPC over HTTP, connection-oriented DCE/RPC is transported directly over TCP as shown in the figure after an initial setup sequence over HTTP.
Target-Based Policies
Windows and Samba DCE/RPC implementations differ significantly. For example, all versions of Windows use the DCE/RPC context ID in the first fragment when defragmenting DCE/RPC traffic, and all versions of Samba use the context ID in the last fragment. As another example, Windows Vista uses the opnum (operation number) header field in the first fragment to identify a specific function call, and Samba and all other Windows versions use the opnum field in the last fragment.
For this reason, the dce_tcp
inspector uses a target-based approach.
When you configure a dce_tcp
inspector instance, the
policy
parameter specifies a specific implementation of the
DCE/RPC TCP protocol. This in combination with the host information establishes a
default target-based server policy. Optionally, you can configure additional
inspectors that target other hosts and DCE/RPC TCP implementations. The DCE/RPC TCP
implementation specified by the default target-based server policy applies to any
host not targeted by another dce_tcp
inspector instance.
The DCE/RPC implementations the DCE TCP inspector can target with the
policy
parameter are:
-
WinXP (default)
-
Win2000
-
WinVista
-
Win2003
-
Win2008
-
Win7
-
Samba
-
Samba-3.0.37
-
Samba-3.0.22
-
Samba-3.0.20
Defragmentation
The DCE TCP inspector supports reassembling fragmented data packets before sending them to the detection engine. This feature is useful in inline mode to catch exploits early in the inspection process before full defragmentation is done, or to catch exploits that take advantage of fragmentation to conceal themselves. Be aware that disabling defragmentation may result in a large number of false negatives.