DCE SMB Inspector Overview
Other Inspectors Required
The DCE/RPC protocol allows processes on separate network hosts to communicate as if the processes were on the same host. These inter-process communications are commonly transported between hosts over TCP and UDP. Within the TCP transport, DCE/RPC might also be further encapsulated in the Windows Server Message Block (SMB) protocol or in Samba, an open-source SMB implementation used for inter-process communication in a mixed environment composed of Windows and UNIX or Linux operating systems.
Although most DCE/RPC exploits occur in DCE/RPC client requests targeted for DCE/RPC servers, which could be practically any host on your network that is running Windows or Samba, exploits can also occur in server responses.
IP encapsulates all DCE/RPC transports. TCP transports all connection-oriented DCE/RPC, such as SMB.
The dce_smb inspector detects connection-oriented DCE/RPC in the SMB protocol and uses protocol-specific characteristics, including header length and data fragment order, to:
- Detect DCE/RPC requests and responses encapsulated in SMB transports.
- Analyze DCE/RPC data streams and detect anomalous behavior and evasion techniques in DCE/RPC traffic.
- Analyze SMB data streams and detect anomalous SMB behavior and evasion techniques.
- Desegment SMB and defragment DCE/RPC.
- Normalize DCE/RPC traffic for processing by the rules engine.
The following diagram illustrates the point at which the DCE SMB inspector begins processing traffic for the SMB transport.
The dce_smb inspector typically receives SMB traffic on the well-known TCP port 139 for the NetBIOS Session Service or the similarly implemented well-known Windows port 445. Because SMB has many functions other than transporting DCE/RPC, the inspector first tests whether the SMB traffic is carrying DCE/RPC traffic, and stops processing if it is not or continues processing if it is.
Descriptions of the dce_smb inspector parameters and functionality include the Microsoft implementation of DCE/RPC known as Microsoft Remote Procedure Call (MSRPC), as well as both SMB and Samba.
Windows and Samba DCE/RPC implementations differ significantly. For example, all versions of Windows use the DCE/RPC context ID in the first fragment when defragmenting DCE/RPC traffic, and all versions of Samba use the context ID in the last fragment. As another example, Windows Vista uses the opnum (operation number) header field in the first fragment to identify a specific function call, and Samba and all other Windows versions use the opnum in the last fragment.
There are significant differences in Windows and Samba SMB implementations. For example, Windows recognizes the SMB OPEN and READ commands when working with named pipes, but Samba does not recognize these commands. For this reason, the dce_smb inspector uses a target-based approach.
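To make the first-fragment versus last-fragment distinction concrete, here is an added example, written for this page and not Snort's or Cisco's code, that parses connection-oriented DCE/RPC request fragments and reassembles them under each policy described above. The policy labels (WinVista, Windows, Samba), the function names and the sample fragments are this example's own constructions; only the wire layout (the 16-byte common header plus the 8-byte request header) follows the DCE/RPC CO PDU format. It also includes the kind of cheap "is this DCE/RPC at all?" pre-check the inspector performs before spending effort on SMB data.

```python
"""Added example, not Snort's or Cisco's own code.

Models target-based defragmentation of connection-oriented DCE/RPC request
PDUs: a Windows policy takes the context ID from the FIRST fragment, Samba
from the LAST; Windows Vista also takes the opnum from the first fragment,
while Samba and other Windows versions take it from the last.
Policy names and all sample fragments are constructed for this example."""
import struct

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_REQUEST = 0
# CO ptype values: request, response, fault, bind, bind_ack, bind_nak,
# alter_context, alter_context_resp
KNOWN_PTYPES = {0, 2, 3, 11, 12, 13, 14, 15}

# Which fragment supplies (context id, opnum): True = first, False = last.
# Labels are this example's own; they follow the behaviour stated in the text.
POLICY_USES_FIRST_FRAG = {
    "WinVista": (True, True),
    "Windows": (True, False),   # all Windows versions other than Vista
    "Samba": (False, False),
}


def looks_like_dcerpc(buf):
    """Pre-check: rpc_vers 5.0 and a known CO ptype in the first bytes."""
    return len(buf) >= 16 and buf[0] == 5 and buf[1] == 0 and buf[2] in KNOWN_PTYPES


def parse_request_fragment(buf):
    """Parse one CO request PDU: 16-byte common header + 8-byte request header."""
    if not looks_like_dcerpc(buf) or len(buf) < 24:
        raise ValueError("not a DCE/RPC CO request fragment")
    _ver, _minor, ptype, flags = struct.unpack_from("<BBBB", buf, 0)
    if ptype != PTYPE_REQUEST:
        raise ValueError("not a request PDU")
    # drep byte 0, high nibble: 1 = little-endian integers, 0 = big-endian
    end = "<" if (buf[4] & 0xF0) == 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", buf, 8)
    if frag_len != len(buf):
        raise ValueError("frag_length does not match data on the wire")
    _alloc_hint, ctx_id, opnum = struct.unpack_from(end + "IHH", buf, 16)
    # auth trailer = 8-byte sec_trailer + auth_len bytes, if present
    stub_end = frag_len - (auth_len + 8 if auth_len else 0)
    return {"flags": flags, "call_id": call_id, "ctx_id": ctx_id,
            "opnum": opnum, "stub": buf[24:stub_end]}


def reassemble(fragments, policy):
    """Defragment one request, choosing ctx_id/opnum as the target host would."""
    ctx_from_first, opnum_from_first = POLICY_USES_FIRST_FRAG[policy]
    parsed = [parse_request_fragment(f) for f in fragments]
    if not (parsed[0]["flags"] & PFC_FIRST_FRAG) or not (parsed[-1]["flags"] & PFC_LAST_FRAG):
        raise ValueError("fragment chain is missing the FIRST or LAST flag")
    if len({p["call_id"] for p in parsed}) != 1:
        raise ValueError("fragments belong to different calls")
    first, last = parsed[0], parsed[-1]
    return {
        "call_id": first["call_id"],
        "ctx_id": (first if ctx_from_first else last)["ctx_id"],
        "opnum": (first if opnum_from_first else last)["opnum"],
        # normalized stub data: what a rule would match against after defrag
        "stub": b"".join(p["stub"] for p in parsed),
    }


def build_request_fragment(flags, call_id, ctx_id, opnum, stub):
    """Construct a sample fragment (little-endian drep, no auth trailer)."""
    frag_len = 24 + len(stub)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                         b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return header + struct.pack("<IHH", len(stub), ctx_id, opnum) + stub


# Constructed sample: first and last fragments disagree on ctx_id and opnum,
# so each target policy yields a different (ctx_id, opnum) for the same bytes.
SAMPLE_FRAGMENTS = [
    build_request_fragment(PFC_FIRST_FRAG, 7, ctx_id=1, opnum=5, stub=b"AAAA"),
    build_request_fragment(0, 7, ctx_id=1, opnum=5, stub=b"BBBB"),
    build_request_fragment(PFC_LAST_FRAG, 7, ctx_id=2, opnum=9, stub=b"CCCC"),
]

if __name__ == "__main__":
    for name in POLICY_USES_FIRST_FRAG:
        r = reassemble(SAMPLE_FRAGMENTS, name)
        print(f"{name:9s} ctx_id={r['ctx_id']} opnum={r['opnum']} stub={r['stub']!r}")
```

Running the block shows the same three fragments dispatching as opnum 9 on context 1 for a generic Windows target, opnum 5 on context 1 for Windows Vista, and opnum 9 on context 2 for Samba. That is the detection problem the target-based policy solves: a rule keyed on an opnum or context ID has to be evaluated against the value the destination host will actually use, otherwise a fragment chain whose headers disagree can slip past the sensor while still reaching the intended function on the target.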
When you configure a dce_smb inspector instance, the policy parameter specifies an implementation of the DCE/RPC SMB protocol. This, in combination with the host information, establishes a default target-based server policy. Optionally, you can configure additional inspectors that target other hosts and DCE/RPC SMB implementations. The DCE/RPC SMB implementation specified by the default target-based server policy applies to any host not targeted by another dce_smb inspector instance.
The DCE/RPC SMB implementations which the dce_smb inspector can target with the policy parameter are:
The dce_smb inspector supports file inspection for SMB versions 1, 2, and 3.
The dce_smb inspector examines normal SMB file transfers. This includes checks of the file type and signature through the file processing, as well as setting a pointer for the file_data rule option. The dce_smb inspector supports inspection of normal SMB file transfers for SMB versions 1, 2, and 3 when used in coordination with the file_id inspector (described in the Snort 3 open source documentation, available at https://www.snort.org/snort3). To enable file inspection, configure the file_id inspector as needed, and set the smb_file_depth parameter. The smb_file_depth parameter indicates the number of file data bytes the file_id inspector examines, beginning at the pointer indicated by the file_data IPS rule option. For more information, see the Snort 3 open source documentation, available at https://www.snort.org/snort3.
The dce_smb inspector supports reassembling fragmented data packets. This feature is useful in inline mode to catch exploits early in the inspection process before full defragmentation is done, or to catch exploits that take advantage of fragmentation to conceal themselves. Be aware that disabling defragmentation may result in a large number of