base/protocols/dce-rpc/main.zeek

DCE_RPC

Namespace: DCE_RPC
Imports: base/frameworks/dpd, base/protocols/dce-rpc/consts.zeek
Summary

Runtime Options

DCE_RPC::ignored_operations: table &redef
    These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Redefinitions

DPD::ignore_violations: set &redef
Log::ID: enum
connection: record
likely_server_ports: set &redef
Detailed Interface

Runtime Options

DCE_RPC::ignored_operations

    Type: table
    Attributes: &redef
    Default:
        {
            ["winreg"] = { "BaseRegOpenKey", "BaseRegEnumKey", "OpenClassesRoot", "BaseRegCloseKey", "OpenLocalMachine", "BaseRegQueryValue", "BaseRegDeleteKeyEx", "BaseRegGetVersion" },
            ["spoolss"] = { "RpcSplOpenPrinter", "RpcClosePrinter" },
            ["wkssvc"] = { "NetrWkstaGetInfo" }
        }

    These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.
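As an added example (not part of main.zeek or the Zeek distribution) of how a site script builds on this interface: it extends DCE_RPC::ignored_operations with one more noisy operation and consumes the DCE_RPC::Info record, whose fields are documented under Types, to raise a notice when a logged call hits a watched endpoint and operation. The endpoint and operation names in the two tables are constructed placeholders, and the DCE_RPC::log_dce_rpc event and the Notice framework names are taken from the Zeek distribution rather than from this page.

```zeek
# Added site script (not part of Zeek's base/protocols/dce-rpc/main.zeek).
# Endpoint and operation names below are constructed placeholders; check
# them against base/protocols/dce-rpc/consts.zeek before deploying.
@load base/protocols/dce-rpc
@load base/frameworks/notice

module DCE_RPC_Audit;

export {
    redef enum Notice::Type += {
        ## Raised when a logged DCE-RPC call matches watched_operations.
        Watched_Operation
    };

    ## Operations worth a notice, keyed by the endpoint name that
    ## DCE_RPC::Info$endpoint carries after the UUID lookup.
    const watched_operations: table[string] of set[string] = {
        ["svcctl"] = { "CreateServiceW", "StartServiceW" }
    } &redef;
}

# Extend the base script's ignore table with one more noisy,
# low-value operation (placeholder endpoint/operation names).
redef DCE_RPC::ignored_operations += {
    ["samr"] = { "SamrCloseHandle" }
};

# DCE_RPC::log_dce_rpc is the event main.zeek raises for each Info record
# it writes to dce_rpc.log (taken from the Zeek distribution, not this page).
event DCE_RPC::log_dce_rpc(rec: DCE_RPC::Info)
    {
    # endpoint and operation are &optional: skip records where the UUID
    # or opnum could not be resolved to a name.
    if ( ! rec?$endpoint || ! rec?$operation )
        return;

    if ( rec$endpoint !in watched_operations ||
         rec$operation !in watched_operations[rec$endpoint] )
        return;

    NOTICE([$note=Watched_Operation,
            $msg=fmt("DCE-RPC %s::%s on pipe %s (rtt %s)",
                     rec$endpoint, rec$operation,
                     rec?$named_pipe ? rec$named_pipe : "<unknown>",
                     rec?$rtt ? cat(rec$rtt) : "n/a"),
            $uid=rec$uid,
            $id=rec$id,
            $identifier=cat(rec$id$orig_h, rec$endpoint, rec$operation)]);
    }
```

Because the ignore table is consulted by the base script before a record is written, anything added to it never reaches this handler or dce_rpc.log, so keep the two tables disjoint.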
Types

DCE_RPC::BackingState

    Type: record
        info: DCE_RPC::Info
        state: DCE_RPC::State

DCE_RPC::Info

    Type: record
        ts: time &log
            Timestamp for when the event happened.
        uid: string &log
            Unique ID for the connection.
        id: conn_id &log
            The connection’s 4-tuple of endpoint addresses/ports.
        rtt: interval &log &optional
            Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.
        named_pipe: string &log &optional
            Remote pipe name.
        endpoint: string &log &optional
            Endpoint name looked up from the uuid.
        operation: string &log &optional
            Operation seen in the call.
        ts: