base/protocols/dce-rpc/main.zeek

Namespace: DCE_RPC

Imports: base/frameworks/dpd, base/protocols/conn/removal-hooks.zeek, base/protocols/dce-rpc/consts.zeek

Summary

Runtime Options

DCE_RPC::ignored_operations: table &redef

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Detailed Interface

Runtime Options

DCE_RPC::ignored_operations
Type

table [string] of set [string]

Attributes

&redef

Default
{
   ["spoolss"] = {
      "RpcSplOpenPrinter",
      "RpcClosePrinter"
   },
   ["wkssvc"] = {
      "NetrWkstaGetInfo"
   },
   ["winreg"] = {
      "BaseRegCloseKey",
      "BaseRegGetVersion",
      "BaseRegOpenKey",
      "BaseRegDeleteKeyEx",
      "BaseRegEnumKey",
      "OpenLocalMachine",
      "BaseRegQueryValue",
      "OpenClassesRoot"
   }
}

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types

DCE_RPC::BackingState
Type

record

info: DCE_RPC::Info

state: DCE_RPC::State

DCE_RPC::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

rtt: interval &log &optional

Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.

named_pipe: string &log &optional

Remote pipe name.

endpoint: string &log &optional

Endpoint name looked up from the uuid.

operation: string &log &optional

Operation seen in the call.

DCE_RPC::State
Type

record

uuid: string &optional

named_pipe: string &optional

ctx_to_uuid: table [count] of string &optional

Hooks

DCE_RPC::finalize_dce_rpc
Type

Conn::RemovalHook

DCE_RPC finalization hook. Remaining DCE_RPC info may get logged when it’s called.

DCE_RPC::log_policy
Type

Log::PolicyHook
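
As an added example (not code from the Zeek project or from this script), a site-local script that uses the two customization points documented on this page: it redefines DCE_RPC::ignored_operations so that the winreg operations, which the default table drops, are logged again, and it hooks DCE_RPC::log_policy to veto records whose endpoint is in a local suppression list. The module name DCE_RPC_Tuning and the set suppressed_endpoints are assumptions made for the example; everything else is the interface shown above.

```zeek
# Added example, not part of base/protocols/dce-rpc/main.zeek.
@load base/protocols/dce-rpc

module DCE_RPC_Tuning;

export {
	# Hypothetical local list: endpoints whose records are dropped from
	# dce_rpc.log entirely (spoolss is used here only as a constructed default).
	const suppressed_endpoints: set[string] = { "spoolss" } &redef;
}

# Full replacement of the default ignore table: the spoolss and wkssvc
# entries from main.zeek are kept, the winreg entry is left out, so remote
# registry operations are no longer filtered before logging.
redef DCE_RPC::ignored_operations = {
	["spoolss"] = set("RpcSplOpenPrinter", "RpcClosePrinter"),
	["wkssvc"] = set("NetrWkstaGetInfo")
};

# Log::PolicyHook: a "break" inside the hook vetoes the record, so nothing
# is written for a suppressed endpoint. endpoint is &optional in
# DCE_RPC::Info, hence the ?$ presence check before reading it.
hook DCE_RPC::log_policy(rec: DCE_RPC::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( rec?$endpoint && rec$endpoint in suppressed_endpoints )
		break;
	}
```

Load the script from local.zeek (or pass it on the command line with a pcap) and compare dce_rpc.log before and after: winreg operations such as BaseRegOpenKey and BaseRegQueryValue appear in the operation column, while no record carries a suppressed endpoint. Because suppressed_endpoints is &redef, other site scripts can extend it without editing this one.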