base/protocols/dce-rpc/main.zeek

DCE_RPC
Namespace:

DCE_RPC

Imports:

base/protocols/conn/removal-hooks.zeek, base/protocols/dce-rpc/consts.zeek

Summary

Runtime Options

DCE_RPC::ignored_operations: table &redef

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types

DCE_RPC::BackingState: record

DCE_RPC::Info: record

DCE_RPC::State: record

Redefinitions

DPD::ignore_violations: set &redef

Log::ID: enum

connection: record
New Fields:

connection

dce_rpc: DCE_RPC::Info &optional

dce_rpc_state: DCE_RPC::State &optional

dce_rpc_backing: table [count] of DCE_RPC::BackingState &optional

likely_server_ports: set &redef

Hooks

DCE_RPC::finalize_dce_rpc: Conn::RemovalHook

DCE_RPC finalization hook.

DCE_RPC::log_policy: Log::PolicyHook

Detailed Interface

Runtime Options

DCE_RPC::ignored_operations
Type:

table [string] of set [string]

Attributes:

&redef

Default:
{
   ["spoolss"] = {
      "RpcSplOpenPrinter",
      "RpcClosePrinter"
   },
   ["wkssvc"] = {
      "NetrWkstaGetInfo"
   },
   ["winreg"] = {
      "BaseRegCloseKey",
      "BaseRegGetVersion",
      "BaseRegOpenKey",
      "BaseRegDeleteKeyEx",
      "BaseRegEnumKey",
      "OpenLocalMachine",
      "BaseRegQueryValue",
      "OpenClassesRoot"
   }
}

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types

DCE_RPC::BackingState
Type:

record

Fields:
info: DCE_RPC::Info
state: DCE_RPC::State
DCE_RPC::Info
Type:

record

Fields:
ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

rtt: interval &log &optional

Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.

named_pipe: string &log &optional

Remote pipe name.

Note that this value is from the “sec_addr” field in the protocol. Zeek uses the “named_pipe” name for historical reasons, but it may also contain local port numbers rather than named pipes.

If you prefer to use the “secondary address” name, consider using Log::default_field_name_map, a Log::Filter’s field_name_map field, or removing the &log attribute from this field, adding a new sec_addr field and populating it in a custom dce_rpc_bind_ack event handler based on the named_pipe value.

endpoint: string &log &optional

Endpoint name looked up from the uuid.

operation: string &log &optional

Operation seen in the call.

DCE_RPC::State
Type:

record

Fields:
uuid: string &optional
named_pipe: string &optional
ctx_to_uuid: table [count] of string &optional

Hooks

DCE_RPC::finalize_dce_rpc
Type:

Conn::RemovalHook

DCE_RPC finalization hook. Remaining DCE_RPC info may get logged when it’s called.

DCE_RPC::log_policy
Type:

Log::PolicyHook