
DCE RPC (MS RPC) Inspection On Cisco ASA



The DCERPC inspection module is responsible for processing the data portion of the packet and performing inspection-related tasks, such as applying translations to IP addresses and ports contained in the packet when applicable, opening secondary channels, etc., with the help of other modules.








What I expected was to see connections to the ephemeral ports, but the new ACE is keeping its hit count at zero. Actually, even before adding the new ACL entry I did not find any denied traffic toward the high TCP range. Is inspection in any way causing some issue between server and client? That is, does DCERPC inspection drop communication that it is not able to inspect correctly, even if ephemeral ports are explicitly authorized?


What version of ASA software are you running? You should see issues between clients and domain controllers and Windows servers when using DCERPC inspection. We opened a SR at Cisco (SR 632578395) and Microsoft. According to Cisco TAC, issues may be solved in version 9.5.2.


To solve this issue I had to configure on ASAs running 9.1(2) a service policy to exclude DCERPC traffic toward the CA server from DCERPC inspection and explicitly allow ephemeral ports. Anyway, in the same policy I increased the DCERPC pinhole timeout to avoid, so far unknown, issues with other DCERPC traffic.


DCERPC inspection maps inspection for native TCP communication between a server called the Endpoint Mapper (EPM) and a client on the well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Because a client can attempt multiple connections to the server port returned by the EPM, creation of multiple pinholes is allowed.


With six days of log collection, Figure 13 shows that WEF logging activities consumed a little over 10GB of network resources, which is 40 percent less than measured with WMI. As with WMI, this was not the full amount of bandwidth used but rather what was visible to the Nozomi NSM appliance. Since WEF uses HTTP as the outer protocol on TCP port 5985, the NSM appliance protocol inspection engine identifies WEF as HTTP and is displayed accordingly in Figure 12.


29. detect_anomalous_servers
This global configuration option enables generic HTTP server traffic inspection on non-HTTP configured ports, and alerts if HTTP traffic is seen. Don't turn this on if you don't have a default server configuration that encompasses all of the HTTP server ports that your users might access. In the future, we want to limit this to specific networks so it's more useful, but for right now, this inspects all network traffic. This option is turned off by default.

30. proxy_alert
This enables global alerting on HTTP server proxy usage. By configuring HTTP Inspect servers and enabling allow_proxy_use, you will only receive proxy use alerts for web users that aren't using the configured proxies or are using a rogue proxy server. Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts. So, please only use this feature with traditional proxy environments. Blind firewall proxies don't count.

31. compress_depth <integer>
This option specifies the maximum amount of packet payload to decompress. This value can be set from 1 to 65535. The default for this option is 1460. Note: in case of multiple policies, the value specified in the default policy is used and this value overwrites the values specified in the other policies. In case of unlimited_decompress this should be set to its max value. This value should be specified in the default policy even when the HTTP inspect preprocessor is turned off using the disabled keyword.


enable_cookie
This option turns on the cookie extraction from HTTP requests and HTTP responses. By default the cookie inspection and extraction will be turned off. The cookie from the Cookie header line is extracted and stored in the HTTP Cookie buffer for HTTP requests, and the cookie from the Set-Cookie header is extracted and stored in the HTTP Cookie buffer for HTTP responses. The Cookie: and Set-Cookie: header names themselves, along with leading spaces and the CRLF terminating the header line, are stored in the HTTP header buffer and are not stored in the HTTP cookie buffer.
Ex: Set-Cookie: mycookie \r\n
In this case, Set-Cookie: \r\n will be in the HTTP header buffer and the pattern mycookie will be in the HTTP cookie buffer.

inspect_gzip
This option specifies the HTTP inspect module to uncompress the compressed data (gzip/deflate) in HTTP responses. You should select the config option "extended_response_inspection" before configuring this option. Decompression is done across packets. So the decompression will end when either the 'compress_depth' or 'decompress_depth' is reached or when the compressed data ends. When the compressed data is spanned across multiple packets, the state of the last decompressed packet is used to decompress the data of the next packet. But the decompressed data are individually inspected (i.e. the decompressed data from different packets are not combined while inspecting). Also the amount of decompressed data that will be inspected depends on the 'server_flow_depth' configured. Http Inspect generates a preprocessor alert with gid 120 and sid 6 when the decompression fails. When the decompression fails due to a CRC error encountered by zlib, HTTP Inspect will also provide the detection module with the data that was decompressed by zlib.

unlimited_decompress
This option enables the user to decompress unlimited gzip data (across multiple packets). Decompression will stop when the compressed data ends or when an out of sequence packet is received. To ensure unlimited decompression, the user should set the 'compress_depth' and 'decompress_depth' to their maximum values in the default policy. The decompression in a single packet is still limited by the 'compress_depth' and 'decompress_depth'.

decompress_swf
This option will enable decompression of compressed SWF (Adobe Flash content) files encountered as the HTTP Response body in a GET transaction. The available decompression modes are 'deflate' and 'lzma'. A prerequisite is enabling extended_response_inspection (described above). When enabled, the preprocessor will examine the response body for the corresponding file signature: 'CWS' for Deflate/ZLIB compressed and 'ZWS' for LZMA compressed. Each decompression mode can be individually enabled, e.g. ... lzma or deflate or lzma deflate. The compressed content is decompressed 'in-place' with the content made available to the detection/rules 'file_data' option. If enabled and located, the compressed SWF file signature is converted to 'FWS' to indicate an uncompressed file. The 'decompress_depth', 'compress_depth', and 'unlimited_decompress' are optionally used to place limits on the decompression process. The semantics for SWF files are similar to the gzip decompression process. During the decompression process, the preprocessor may generate alert 120:12 if Deflate decompression fails or alert 120:13 if LZMA decompression fails.
Note: LZMA decompression is only available if Snort is built with the liblzma package present and functional. If the LZMA package is not present, then the lzma option will indicate a fatal parsing error. If the liblzma package IS present, but one desires to disable LZMA support, then the --disable-lzma option on configure will disable usage of the library.


decompress_pdf
This option will enable decompression of the compressed portions of PDF files encountered as the HTTP Response body in a GET transaction. A prerequisite is enabling extended_response_inspection (described above). When enabled, the preprocessor will examine the response body for the PDF file signature. PDF files are then parsed, locating PDF 'streams' with a single '/FlateDecode' filter. These streams are decompressed in-place, replacing the compressed content. The 'decompress_depth', 'compress_depth', and 'unlimited_decompress' are optionally used to place limits on the decompression process. The semantics for PDF files are similar to the gzip decompression process. During the file parsing/decompression process, the preprocessor may generate several alerts:

Alert    Description
120:14   Deflate decompression failure
120:15   Located a 'stream' with an unsupported compression ('/Filter') algorithm
120:16   Located a 'stream' with unsupported cascaded '/FlateDecode' options, e.g.: /Filter [ /FlateDecode /FlateDecode ]
120:17   PDF File parsing error

normalize_javascript
This option enables the normalization of Javascript within the HTTP response body. You should select the config option extended_response_inspection before configuring this option. When this option is turned on, Http Inspect searches for Javascript within the HTTP response body by searching for the script tags and starts normalizing it. When Http Inspect sees a script tag without a type, it is considered as Javascript. The obfuscated data within the Javascript functions such as unescape, String.fromCharCode, decodeURI and decodeURIComponent will be normalized. The different encodings handled within unescape/decodeURI/decodeURIComponent are %XX, %uXXXX, \XX and \uXXXX. Apart from these encodings, Http Inspect will also detect consecutive whitespaces and normalize them to a single space. Http Inspect will also normalize the plus operator and concatenate the strings. The rule option file_data can be used to access this normalized buffer from the rule. A preprocessor alert with SID 9 and GID 120 is generated when the obfuscation level within Http Inspect is equal to or greater than 2.
Example:
HTTP/1.1 200 OK\r\nDate: Wed, 29 Jul 2009 13:35:26 GMT\r\nServer: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c\r\nLast-Modified: Sun, 20 Jan 2008 12:01:21 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 214\r\nKeep-Alive: timeout=15, max=99\r\nConnection: Keep-Alive\r\nContent-Type: application/octet-stream\r\n\r\n
document.write(unescape(unescape("%48%65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21")));
The above Javascript will generate the preprocessor alert with SID 9 and GID 120 when normalize_javascript is turned on. Http Inspect will also generate a preprocessor alert with GID 120 and SID 11 when there is more than one type of encoding within the escaped/encoded data.
For example:
unescape("%48\x65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21");
String.fromCharCode(0x48, 0x65, 0x6c, 0x6c, 111, 44, 32, 115, 110, 111, 114, 116, 32, 116, 101, 97, 109, 33)
The above obfuscation will generate the preprocessor alert with GID 120 and SID 11. This option is turned off by default in HTTP Inspect.

max_javascript_whitespaces
This option takes an integer as an argument. The integer determines the maximum number of consecutive whitespaces allowed within the Javascript obfuscated data in an HTTP response body. The config option normalize_javascript should be turned on before configuring this config option. When the whitespaces in the Javascript obfuscated data are equal to or more than this value, a preprocessor alert with GID 120 and SID 10 is generated. The default value for this option is 200. To enable, specify an integer argument to max_javascript_spaces of 1 to 65535. Specifying a value of 0 is treated as disabling the alert.

enable_xff
This option enables Snort to parse and log the original client IP present in the X-Forwarded-For or True-Client-IP HTTP request headers along with the generated events. The XFF/True-Client-IP Original Client IP address is logged only with unified2 output and is not logged with console (-A cmg) output.

xff_headers
If/when the enable_xff option is present, the xff_headers option specifies a set of custom 'xff' headers. This option allows the definition of up to six custom headers in addition to the two default (and always present) X-Forwarded-For and True-Client-IP headers. The option permits both the custom and default headers to be prioritized. The header/priority pairs are specified as a list. Lower numerical values imply a higher priority. The headers do not need to be specified in priority order, nor do the priorities need to be contiguous. Priority values can range from 1 to 255. The priority values and header names must be unique. The header names must not collide with known HTTP headers such as 'host', 'cookie', 'content-length', etc.
An example of the xff_headers syntax is:
xff_headers [ x-forwarded-highest-priority 1 ] [ x-forwarded-second-highest-priority 2 ] \
            [ x-forwarded-lowest-priority-custom 3 ]
The default X-Forwarded-For and True-Client-IP headers are always present. They may be explicitly specified in the xff_headers config in order to determine their priority. If not specified, they will be automatically added to the xff list as the lowest priority headers.
For example, let us say that we have the following (abbreviated) HTTP request header:
...
Host: www.snort.org
X-Forwarded-For: 192.168.1.1
X-Was-Originally-Forwarded-From: 10.1.1.1
...
With the default xff behavior (no xff_headers), the 'X-Forwarded-For' header would be used to provide a 192.168.1.1 Original Client IP address in the unified2 log. Custom headers are not parsed.
With:
xff_headers [ x-was-originally-forwarded-from 1 ] [ x-another-forwarding-header 2 ] \
            [ x-forwarded-for 3 ]
the X-Was-Originally-Forwarded-From header is the highest priority present and its value of 10.1.1.1 will be logged as the Original Client IP in the unified2 log.
But with:
xff_headers [ x-was-originally-forwarded-from 3 ] [ x-another-forwarding-header 2 ] \
            [ x-forwarded-for 1 ]
now the X-Forwarded-For header is the highest priority and its value of 192.168.1.1 is logged.
Note: The original client IP from XFF/True-Client-IP in unified2 logs can be viewed using the tool u2spewfoo. This tool is present in the tools/u2spewfoo directory of the snort source tree.
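The normalize_javascript alerts described above (SID 9 for nested decoding, SID 11 for mixed encodings, SID 10 for long whitespace runs), modelled in Python as an added example; this is not Snort's code, and treating the count of nested decoder calls as the "obfuscation level" is an assumption of the model.

```python
import re

# Added example, not Snort's code: a simplified model of the normalize_javascript
# checks. Decodes %XX, %uXXXX, \xXX, \uXXXX and String.fromCharCode(), counts nested
# decoder calls as the obfuscation level (assumption), and returns the (GID, SID) alerts.
ENCODINGS = {
    "pct":  re.compile(r"%([0-9A-Fa-f]{2})"),
    "pctu": re.compile(r"%u([0-9A-Fa-f]{4})"),
    "bsx":  re.compile(r"\\x([0-9A-Fa-f]{2})"),
    "bsu":  re.compile(r"\\u([0-9A-Fa-f]{4})"),
}
DECODER_CALL = re.compile(r"\b(?:unescape|decodeURI|decodeURIComponent)\s*\(")
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")
STRING_LITERAL = re.compile(r'"([^"]*)"')

def decode_escapes(text):
    """One unescape()-style pass over every supported encoding."""
    for key in ("pctu", "bsu", "pct", "bsx"):
        text = ENCODINGS[key].sub(lambda m: chr(int(m.group(1), 16)), text)
    return text

def normalize_javascript(js, max_whitespaces=200):
    """Return (normalized script, set of (gid, sid) alerts) for one script body."""
    alerts = set()
    level = len(DECODER_CALL.findall(js))          # unescape(unescape(..)) -> level 2
    if level >= 2:
        alerts.add((120, 9))
    for literal in STRING_LITERAL.findall(js):
        kinds = {k for k, rx in ENCODINGS.items() if rx.search(literal)}
        if len(kinds) > 1:                         # e.g. %XX mixed with \xXX in one string
            alerts.add((120, 11))
    if any(len(run) >= max_whitespaces for run in re.findall(r"\s+", js)):
        alerts.add((120, 10))
    # String.fromCharCode(0x48, 101, ...) -> the string it builds (hex or decimal args)
    out = FROM_CHAR_CODE.sub(lambda m: '"' + "".join(
        chr(int(a, 0)) for a in m.group(1).replace(" ", "").split(",") if a) + '"', js)
    # one decoding pass per nesting level, so double-encoded data (%2548 -> %48 -> H) resolves
    for _ in range(max(level, 1)):
        out = STRING_LITERAL.sub(lambda m: '"' + decode_escapes(m.group(1)) + '"', out)
    return re.sub(r"\s+", " ", out), alerts        # collapse whitespace runs to one space

# Samples taken from the passage above
NESTED = 'document.write(unescape(unescape("%48%65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21")));'
MIXED = (r'unescape("%48\x65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21");'
         "String.fromCharCode(0x48, 0x65, 0x6c, 0x6c, 111, 44, 32, 115, 110, 111, 114, 116, 32, 116, 101, 97, 109, 33)")
```

Both page samples decode to the same cleartext, which is what the file_data buffer would expose to rules after normalization.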
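The xff_headers priority selection walked through above, as an added Python model (not Snort's code) that reproduces the three configurations on the page's sample request; the ordering of the two default headers relative to each other is an assumption.

```python
# Added example, not Snort's code: models how the xff_headers list chooses the Original
# Client IP. Custom headers take the configured priority (1 = highest); X-Forwarded-For and
# True-Client-IP are appended at lowest priority unless listed explicitly (their mutual
# order is an assumption). REQUEST is the passage's own sample request, constructed here.
DEFAULT_XFF_HEADERS = ("x-forwarded-for", "true-client-ip")
MAX_CUSTOM_HEADERS = 6

def build_xff_list(xff_headers):
    """xff_headers: [(name, priority), ...] as written in the config; returns names best-first."""
    names = [n.lower() for n, _ in xff_headers]
    prios = [p for _, p in xff_headers]
    if len(set(names)) != len(names) or len(set(prios)) != len(prios):
        raise ValueError("header names and priority values must be unique")
    if any(not 1 <= p <= 255 for p in prios):
        raise ValueError("priority values must be in 1..255")
    if len([n for n in names if n not in DEFAULT_XFF_HEADERS]) > MAX_CUSTOM_HEADERS:
        raise ValueError("at most six custom xff headers are allowed")
    ordered = [n for _, n in sorted(zip(prios, names))]   # lower number = higher priority
    ordered += [d for d in DEFAULT_XFF_HEADERS if d not in ordered]
    return ordered

def parse_request_headers(raw):
    """Minimal header split; the first occurrence of a name wins."""
    headers = {}
    for line in raw.split("\r\n")[1:]:       # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def original_client_ip(raw_request, xff_headers=()):
    """Value that would be logged as Original Client IP, or None if no xff header is present."""
    headers = parse_request_headers(raw_request)
    for name in build_xff_list(list(xff_headers)):
        if name in headers:
            return headers[name]
    return None

REQUEST = ("GET / HTTP/1.1\r\nHost: www.snort.org\r\n"
           "X-Forwarded-For: 192.168.1.1\r\n"
           "X-Was-Originally-Forwarded-From: 10.1.1.1\r\n\r\n")
```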

