DCE Specific Options

Snort features a DCE-RPC service inspector that keeps track of DCE-RPC sessions, staying aware of (1) the DCE-RPC interfaces bound to, (2) the specific operation numbers (opnums) invoked, and (3) the stub data associated with DCE-RPC requests and responses. This service inspector also provides three rule options, one for each of these components (dce_iface, dce_opnum, and dce_stub_data), that are used to check packets against specific DCE-RPC requests or responses.

dce_iface

The dce_iface option is used to specify an interface UUID that a client has bound to. It is declared with dce_iface:, followed by uuid, and lastly followed by the actual UUID to match. Users can also optionally specify an interface version and operator to check that the DCE-RPC version is less than (<), less than or equal to (<=), greater than (>), greater than or equal to (>=), equal to (=) or not equal to (!) the version specified. Valid version numbers include 0:65535.

Also, by default the rule will only be evaluated against a first fragment (or the full request if not fragmented) since most rules are written to start at the beginning of a request. However, rule-writers can specify the optional any_frag argument to evaluate against middle and last fragments as well.

Format:

DCE-RPC interface versions are not required, but there are two ways to check for a specific version or versions. Both formats are below.

Note: UUIDs are formatted like: 4hexbytes-2hexbytes-2hexbytes-2hexbytes-6hexbytes

Single value version comparison:
dce_iface:uuid uuid [, version [<|>|=|!|<=|>=]version][, any_frag];
Range of versions comparison:
dce_iface:uuid uuid [, version min_version{<>|<=>}max_version][, any_frag];

Examples:

dce_iface:uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188;
dce_iface:uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188, version <2;
dce_iface:uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188, any_frag;
dce_iface:uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188, version =1, any_frag;

dce_opnum

The dce_opnum option enables users to check that a packet belongs to a specific DCE-RPC operation invocation. It is declared with dce_opnum: followed by either a single opnum number, an opnum number range, or an opnum list containing a combination of opnums and/or opnum ranges, and the entire argument is enclosed in double quotes. The rule option matches if any one of the opnums specified matches the opnum associated with a DCE/RPC request or response.

An opnum range is declared with a hyphen between the two numbers of the range (e.g., 1-10), and multiple opnums or opnum ranges are separated by spaces.

Note: Multiple opnums and/or opnum ranges were previously separated by commas. Separating them by spaces is a change new to Snort 3.

Format:

dce_opnum:"{opnum|min_opnum-max_opnum}[ {opnum|min_opnum-max_opnum}]…";

Note: Valid opnum numbers are 0-65535.

Examples:

dce_opnum:"15";
dce_opnum:"15-18";
dce_opnum:"15 18-20";
dce_opnum:"15 17 20-22";
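
As an added example that is not part of the Snort documentation or source, the following Python evaluator implements the dce_iface and dce_opnum argument syntax described above (single-value and range version checks, any_frag, and the space-separated opnum list) and applies it to constructed session values (bound UUID, bound version, opnum, fragment position) rather than live traffic. It assumes that the range form `<>` excludes its endpoints and `<=>` includes them, and it leaves out dce_stub_data, which positions a buffer rather than matching a value.

```python
import operator as op
import re

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
SINGLE_OPS = {"<": op.lt, ">": op.gt, "=": op.eq, "!": op.ne, "<=": op.le, ">=": op.ge}

def parse_dce_opnum(arg):
    """Turn the quoted dce_opnum argument, e.g. '"15 18-20"', into a set of opnums."""
    body = arg.strip()
    if len(body) < 2 or body[0] != '"' or body[-1] != '"':
        raise ValueError("dce_opnum argument must be enclosed in double quotes")
    if "," in body:
        raise ValueError("Snort 3 separates opnums with spaces, not commas")
    opnums = set()
    for tok in body[1:-1].split():
        lo, hi = [int(x) for x in (tok.split("-") * 2)[:2]]  # "15" -> 15..15, "18-20" -> 18..20
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"opnum out of range or reversed: {tok}")
        opnums.update(range(lo, hi + 1))
    return opnums

def parse_dce_iface(arg):
    """Parse 'uuid <uuid>[, version <spec>][, any_frag]' into a dict."""
    parts = [p.strip() for p in arg.split(",")]
    m = re.fullmatch(r"uuid\s+(\S+)", parts[0])
    if not m or not UUID_RE.fullmatch(m.group(1)):
        raise ValueError(f"bad interface UUID: {parts[0]}")
    return {"uuid": m.group(1).lower(), "any_frag": "any_frag" in parts[1:],
            "version": next((p[7:].strip() for p in parts[1:] if p.startswith("version")), None)}

def version_matches(spec, actual):
    """Single-value ('<2') or range ('1<>3') check; assumes '<>' excludes endpoints, '<=>' includes them."""
    if spec is None: return True
    m = re.fullmatch(r"(\d+)\s*(<=>|<>)\s*(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(3))
        return lo <= actual <= hi if m.group(2) == "<=>" else lo < actual < hi
    m = re.fullmatch(r"(<=|>=|<|>|=|!)\s*(\d+)", spec)
    if not m:
        raise ValueError(f"bad version spec: {spec}")
    return SINGLE_OPS[m.group(1)](actual, int(m.group(2)))

def rule_matches(iface_arg, opnum_arg, bound_uuid, bound_version, opnum, first_frag=True):
    """Evaluate a rule's dce_iface and dce_opnum options against one tracked request."""
    spec = parse_dce_iface(iface_arg)
    return ((first_frag or spec["any_frag"])  # middle/last fragments only match with any_frag
            and bound_uuid.lower() == spec["uuid"]
            and version_matches(spec["version"], bound_version)
            and opnum in parse_dce_opnum(opnum_arg))
```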

dce_stub_data

The dce_stub_data option is a sticky buffer that is used to set the detection cursor to the beginning of the DCE/RPC stub data, regardless of preceding rule options. All ensuing rule options are checked for in this stub data buffer, and the first rule option following dce_stub_data should use absolute location modifiers if it is position-dependent.

This option takes no arguments and is set just with the keyword itself.

Note: To leave the stub data buffer and return to the main payload buffer, use the "pkt_data" rule option once you are done inspecting the stub data.

Format:

dce_stub_data;

Examples:

dce_stub_data;
byte_test:4,>,128,8,dce;
dce_stub_data;
pcre:"/^(\x00\x00\x00\x00|.{12})/s";