base/protocols/dce-rpc/main.zeek¶
- DCE_RPC¶
- Namespace
DCE_RPC
- Imports
base/protocols/conn/removal-hooks.zeek, base/protocols/dce-rpc/consts.zeek
Summary¶
Runtime Options¶
These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks. |
Types¶
Redefinitions¶
|
|
Hooks¶
DCE_RPC finalization hook. |
|
Detailed Interface¶
Runtime Options¶
- DCE_RPC::ignored_operations¶
- Type
- Attributes
- Default
{ ["spoolss"] = { "RpcSplOpenPrinter", "RpcClosePrinter" }, ["wkssvc"] = { "NetrWkstaGetInfo" }, ["winreg"] = { "BaseRegCloseKey", "BaseRegGetVersion", "BaseRegOpenKey", "BaseRegDeleteKeyEx", "BaseRegEnumKey", "OpenLocalMachine", "BaseRegQueryValue", "OpenClassesRoot" } }
These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.
Types¶
- DCE_RPC::BackingState¶
- Type
-
info:
DCE_RPC::Infostate:
DCE_RPC::State
- DCE_RPC::Info¶
- Type
-
- ts:
time&log Timestamp for when the event happened.
- uid:
string&log Unique ID for the connection.
- id:
conn_id&log The connection’s 4-tuple of endpoint addresses/ports.
- rtt:
interval&log&optional Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.
- named_pipe:
string&log&optional Remote pipe name.
- endpoint:
string&log&optional Endpoint name looked up from the uuid.
- operation:
string&log&optional Operation seen in the call.
- ts:
Hooks¶
- DCE_RPC::finalize_dce_rpc¶
- Type
DCE_RPC finalization hook. Remaining DCE_RPC info may get logged when it’s called.