Exercise
Let’s do an exercise that encapsulates all the things we learned together. We will use the packet capture file we discussed in this chapter that has the DCE/RPC traffic to the Witness interface. This packet capture can be downloaded at https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/dcerpc_witness.pcapng
We will make sure that the DCE/RPC inspectors are enabled in the Lua configuration file:
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }
We will also create a Snort signature that will detect DCE/RPC traffic that uses the Witness interface (UUID ccd8c074-d0e5-4a40-92b4-d074faa6ba28):
alert tcp any any -> any any (msg:"DCERPC Witness Interface"; flow:established; dce_iface: uuid ccd8c074-d0e5-4a40-92b4-d074faa6ba28; sid:2344; priority:3;)
We will run the snort command as follows:
./build/src/snort -c lua/snort.lua -R ~/Rules/local.rules -r ~/dcerpc_witness.pcapng -k none ...
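To see what the dce_iface keyword in the rule above actually keys on, the following added example (not part of the original exercise, not Snort code, and not taken from the sample capture) builds a minimal connection-oriented DCE/RPC bind PDU for the Witness interface and parses it back, extracting the abstract-syntax UUIDs that the inspector compares against the rule. The Witness UUID is the one from the exercise; the NDR transfer-syntax UUID is the well-known constant used in practically every bind; the interface version numbers and fragment sizes are placeholder values chosen for the demo. The parser honours the packed data representation byte, so a peer that sends big-endian headers (UUID not byte-swapped) is handled as well as the usual little-endian case, and truncated or non-bind PDUs are rejected rather than misparsed.

```python
import struct
import uuid

# Interface UUID from the exercise (Witness service).
WITNESS_UUID = uuid.UUID("ccd8c074-d0e5-4a40-92b4-d074faa6ba28")
# Well-known NDR transfer syntax UUID, version 2.
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND = 11
PTYPE_ALTER_CONTEXT = 14
HEADER_LEN = 16


def _encode_uuid(u, little_endian):
    # With a little-endian drep the first three UUID fields are byte-swapped.
    return u.bytes_le if little_endian else u.bytes


def build_bind(interfaces, call_id=1, little_endian=True):
    """Construct a DCE/RPC v5 bind PDU (constructed sample, not captured traffic).

    interfaces: list of (uuid.UUID, major, minor) abstract syntaxes, one
    presentation context each, every context offering the NDR transfer syntax.
    """
    order = "<" if little_endian else ">"
    contexts = b""
    for ctx_id, (iface, major, minor) in enumerate(interfaces):
        contexts += struct.pack(order + "HBB", ctx_id, 1, 0)          # p_cont_id, n_transfer_syn, reserved
        contexts += _encode_uuid(iface, little_endian) + struct.pack(order + "HH", major, minor)
        contexts += _encode_uuid(NDR_UUID, little_endian) + struct.pack(order + "I", 2)
    # max_xmit_frag, max_recv_frag, assoc_group_id, n_context_elem, reserved, reserved2
    body = struct.pack(order + "HHIBBH", 4280, 4280, 0, len(interfaces), 0, 0) + contexts
    drep = b"\x10\x00\x00\x00" if little_endian else b"\x00\x00\x00\x00"
    header = struct.pack("BBBB", 5, 0, PTYPE_BIND, 0x03)              # rpc_vers, minor, ptype, first|last
    header += drep + struct.pack(order + "HHI", HEADER_LEN + len(body), 0, call_id)
    return header + body


def parse_bind_interfaces(pdu):
    """Return [(uuid, major, minor), ...] requested by a bind/alter_context PDU.

    Raises ValueError for anything that is not a well-formed bind.
    """
    if len(pdu) < HEADER_LEN:
        raise ValueError("short header")
    rpc_vers, _minor, ptype, _flags = struct.unpack("BBBB", pdu[:4])
    if rpc_vers != 5:
        raise ValueError("not DCE/RPC version 5")
    if ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError("not a bind or alter_context PDU")
    little_endian = bool(pdu[4] & 0x10)        # high nibble of drep[0]: 1 = little-endian ints
    order = "<" if little_endian else ">"
    frag_len, _auth_len, _call_id = struct.unpack(order + "HHI", pdu[8:16])
    if frag_len > len(pdu) or frag_len < HEADER_LEN + 12:
        raise ValueError("fragment length inconsistent with data")
    n_ctx = pdu[24]                             # n_context_elem follows the 8 bytes of frag/assoc fields
    offset = 28
    interfaces = []
    for _ in range(n_ctx):
        if offset + 4 > frag_len:
            raise ValueError("truncated context header")
        _ctx_id, n_transfer, _reserved = struct.unpack(order + "HBB", pdu[offset:offset + 4])
        offset += 4
        if offset + 20 > frag_len:
            raise ValueError("truncated abstract syntax")
        raw = pdu[offset:offset + 16]
        iface = uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw)
        major, minor = struct.unpack(order + "HH", pdu[offset + 16:offset + 20])
        offset += 20 + 20 * n_transfer          # skip the transfer syntaxes (16-byte UUID + 4-byte version each)
        if offset > frag_len:
            raise ValueError("truncated transfer syntax list")
        interfaces.append((iface, major, minor))
    return interfaces


def binds_to_interface(pdu, target=WITNESS_UUID):
    """True if the PDU requests `target`, the check the dce_iface rule option performs."""
    try:
        return any(iface == target for iface, _, _ in parse_bind_interfaces(pdu))
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_bind([(WITNESS_UUID, 1, 1)])
    for iface, major, minor in parse_bind_interfaces(sample):
        print(f"bind requests {iface} v{major}.{minor}")
    print("matches Witness rule:", binds_to_interface(sample))
```

Running the script prints the Witness UUID recovered from the constructed bind and a True match; feeding it a PDU for a different interface, or one cut short, yields False. This mirrors why the rule needs the DCE/RPC inspectors enabled: without them Snort has no decoded bind to take the interface UUID from, and a byte-pattern match on the UUID would miss the byte-swapped little-endian form.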