main.zeek¶

DCE_RPC¶

Namespace:	DCE_RPC
Imports:	base/frameworks/dpd, base/protocols/dce-rpc/consts.zeek

Summary¶

Runtime Options¶

DCE_RPC::ignored_operations: table &redef These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types¶

`DCE_RPC::BackingState`: `record`
`DCE_RPC::Info`: `record`
`DCE_RPC::State`: `record`

Redefinitions¶

`DPD::ignore_violations`: `set` `&redef`
`Log::ID`: `enum`
`connection`: `record`
`likely_server_ports`: `set` `&redef`

Detailed Interface¶

Runtime Options¶

DCE_RPC::ignored_operations¶

Type:

table [string] of set [string]

Attributes:

&redef

Default:

{
   ["winreg"] = {
      "BaseRegOpenKey",
      "BaseRegEnumKey",
      "OpenClassesRoot",
      "BaseRegCloseKey",
      "OpenLocalMachine",
      "BaseRegQueryValue",
      "BaseRegDeleteKeyEx",
      "BaseRegGetVersion"
   },
   ["spoolss"] = {
      "RpcSplOpenPrinter",
      "RpcClosePrinter"
   },
   ["wkssvc"] = {
      "NetrWkstaGetInfo"
   }
}

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types¶

DCE_RPC::BackingState¶

Type:

record

info: DCE_RPC::Info

state: DCE_RPC::State

DCE_RPC::Info¶

Type:

record

ts: time &log: Timestamp for when the event happened.
uid: string &log: Unique ID for the connection.
id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.
rtt: interval &log &optional: Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.
named_pipe: string &log &optional: Remote pipe name.
endpoint: string &log &optional: Endpoint name looked up from the uuid.
operation: string &log &optional: Operation seen in the call.

DCE_RPC::State¶

Type:

record

uuid: string &optional

named_pipe: string &optional

ctx_to_uuid: table [count] of string &optional