DCE/RPC inspectors
The DCE/RPC inspectors inspect and analyze DCE/RPC traffic carried over four transports: TCP, UDP, SMB, and HTTP. This covers both connection-oriented and connectionless DCE/RPC.
In this section, we will discuss briefly how the DCE/RPC inspectors process the incoming traffic. We will also discuss the configuration of different DCE/RPC inspectors.
The DCE/RPC inspectors' traffic analysis provides the following:
- Detection of anomalies and evasion attempts that exploit DCE/RPC protocol characteristics (for example, fragmentation and segmentation of requests).
- Normalized, reassembled DCE/RPC data so that the rules engine can match against it using the protocol-specific rule options.
Based on the transport protocol that is used, we have the following DCE/RPC inspectors: dce_tcp, dce_udp, dce_smb, and dce_http.
Of these, dce_udp is the only inspector that handles a connectionless transport; all the others are connection-oriented. In the case of DCE/RPC over HTTP, only the setup phase happens...
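The following snort.lua fragment is an added example, not configuration from the original page or shipped by the Snort project. It enables the three inspectors the section describes for TCP, UDP and SMB, binds each to the transport it handles, and adds one rule that uses the protocol-specific options (dce_iface, dce_opnum) the inspectors make available to the rules engine. The port numbers, the SRVSVC interface UUID (4b324fc8-1670-01d3-1278-5a47bf6ee188), the opnum range and the sid are assumptions chosen for illustration; the HTTP inspector is left out because the section's description of it is truncated.

```lua
-- Added example configuration (not from the original page).
-- Instantiate one DCE/RPC inspector per connection-oriented and
-- connectionless transport discussed in the section.
dce_tcp =
{
    -- Keep defragmentation on so fragmented requests are reassembled
    -- before the rules engine sees them (evasion resistance).
    disable_defrag = false,
}
dce_udp = { }   -- connectionless DCE/RPC
dce_smb = { }   -- DCE/RPC carried over SMB named pipes

-- Route traffic to the right inspector. Ports are assumed values:
-- 135 is the endpoint mapper, 139/445 carry SMB.
binder =
{
    { when = { proto = 'tcp', ports = '135' },     use = { type = 'dce_tcp' } },
    { when = { proto = 'udp', ports = '135' },     use = { type = 'dce_udp' } },
    { when = { proto = 'tcp', ports = '139 445' }, use = { type = 'dce_smb' } },
}

-- A rule using the DCE/RPC-specific options. The interface UUID is the
-- well-known SRVSVC interface; the opnum range and sid are illustrative.
ips =
{
    rules = [[
alert tcp any any -> any 135 (
    msg:"Added example: SRVSVC call over DCE/RPC";
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188;
    dce_opnum:0-3;
    sid:1000001; rev:1; )
]],
}
```

Because dce_iface and dce_opnum are evaluated against the reassembled request rather than against raw bytes, the rule still fires when the bind and request are split across fragments or TCP segments, which is the evasion case the inspectors exist to close.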