base/protocols/dce-rpc/main.bro

DCE_RPC
Namespace: DCE_RPC
Imports: base/frameworks/dpd, base/protocols/dce-rpc/consts.bro
Source File: /scripts/base/protocols/dce-rpc/main.bro

Summary

Options

DCE_RPC::ignored_operations: table &redef
These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Detailed Interface

Options

DCE_RPC::ignored_operations
Type: table[string] of set[string]
Attributes: &redef
Default:
{
   ["wkssvc"] = {
      "NetrWkstaGetInfo"
   },
   ["winreg"] = {
      "BaseRegCloseKey",
      "BaseRegDeleteKeyEx",
      "OpenLocalMachine",
      "BaseRegEnumKey",
      "BaseRegQueryValue",
      "BaseRegGetVersion",
      "BaseRegOpenKey",
      "OpenClassesRoot"
   },
   ["spoolss"] = {
      "RpcClosePrinter",
      "RpcSplOpenPrinter"
   }
}

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks. Because the table is declared &redef, a site policy script can add endpoints and operations to it or remove entries from the defaults shown above.
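An added tuning example, not code from main.bro or the Bro documentation: a local policy script that extends the ignore list for one endpoint and stops ignoring one of the default winreg operations. The `srvsvc` / `NetrShareEnum` entry is a constructed example that is not among the defaults listed on this page; the script assumes the default table shown above is in effect.

```bro
# Added example (not part of main.bro).  DCE_RPC::ignored_operations is
# &redef, so a site script can decide which operations never reach
# dce_rpc.log.  Assumes the default table documented above.
@load base/protocols/dce-rpc

# Extend the ignore list with another endpoint/operation pair.  The
# "srvsvc" / "NetrShareEnum" entry is constructed for this example and is
# not one of the defaults.
redef DCE_RPC::ignored_operations += {
	["srvsvc"] = set("NetrShareEnum")
};

# Stop ignoring remote registry value reads so that they are logged.
# Sets are reference types in Bro, so deleting through the local alias
# modifies the set stored in the table.  A negative priority runs this
# after other bro_init() handlers have applied their redefs.
event bro_init() &priority=-5
	{
	if ( "winreg" in DCE_RPC::ignored_operations )
		{
		local winreg_ops = DCE_RPC::ignored_operations["winreg"];
		delete winreg_ops["BaseRegQueryValue"];
		}
	}
```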

Types

DCE_RPC::BackingState
Type: record

info: DCE_RPC::Info

state: DCE_RPC::State

DCE_RPC::Info
Type: record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

rtt: interval &log &optional

Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.

named_pipe: string &log &optional

Remote pipe name.

endpoint: string &log &optional

Endpoint name looked up from the uuid.

operation: string &log &optional

Operation seen in the call.

DCE_RPC::State
Type: record

uuid: string &optional

named_pipe: string &optional

Copyright 2016, The Bro Project. Last updated on December 07, 2018. Created using Sphinx 1.8.2.