base/protocols/dce-rpc/main.zeek

DCE_RPC
Namespace

DCE_RPC

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/dce-rpc/consts.zeek

Summary

Runtime Options

DCE_RPC::ignored_operations: table &redef

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types

DCE_RPC::BackingState: record

DCE_RPC::Info: record

DCE_RPC::State: record

Redefinitions

DPD::ignore_violations: set &redef

Log::ID: enum

connection: record

New Fields

connection

dce_rpc: DCE_RPC::Info &optional

dce_rpc_state: DCE_RPC::State &optional

dce_rpc_backing: table [count] of DCE_RPC::BackingState &optional

likely_server_ports: set &redef

Hooks

DCE_RPC::finalize_dce_rpc: Conn::RemovalHook

DCE_RPC finalization hook.

DCE_RPC::log_policy: Log::PolicyHook

Detailed Interface

Runtime Options

DCE_RPC::ignored_operations
Type

table [string] of set [string]

Attributes

&redef

Default
{
   ["spoolss"] = {
      "RpcSplOpenPrinter",
      "RpcClosePrinter"
   },
   ["wkssvc"] = {
      "NetrWkstaGetInfo"
   },
   ["winreg"] = {
      "BaseRegCloseKey",
      "BaseRegGetVersion",
      "BaseRegOpenKey",
      "BaseRegDeleteKeyEx",
      "BaseRegEnumKey",
      "OpenLocalMachine",
      "BaseRegQueryValue",
      "OpenClassesRoot"
   }
}

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types

DCE_RPC::BackingState
Type

record

info: DCE_RPC::Info

state: DCE_RPC::State

DCE_RPC::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

rtt: interval &log &optional

Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.

named_pipe: string &log &optional

Remote pipe name.

endpoint: string &log &optional

Endpoint name looked up from the uuid.

operation: string &log &optional

Operation seen in the call.

DCE_RPC::State
Type

record

uuid: string &optional

named_pipe: string &optional

ctx_to_uuid: table [count] of string &optional

Hooks

DCE_RPC::finalize_dce_rpc
Type

Conn::RemovalHook

DCE_RPC finalization hook. Remaining DCE_RPC info may get logged when it’s called.

DCE_RPC::log_policy
Type

Log::PolicyHook
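An added example (not part of the Zeek distribution) that uses both of the tuning points documented above: the DCE_RPC::ignored_operations table from Runtime Options and the DCE_RPC::log_policy hook. The module name, the keep_endpoints and quiet_clients sets and the 10.0.5.0/24 subnet are assumptions for illustration; svcctl, atsvc and srvsvc/NetrShareEnum are real endpoint and operation names, but whether they are noisy or high value on a given network is a local decision.

```zeek
##! Added example, not shipped with Zeek: tune dce_rpc.log volume while
##! keeping the endpoints that matter for lateral-movement detection.

@load base/protocols/dce-rpc

module DCE_RPC_Tuning;

export {
	## Endpoints whose calls are always logged, even from quiet subnets.
	## svcctl (service control) and atsvc (AT scheduler) are common remote
	## execution paths, so their records are kept. Assumed default; redef locally.
	const keep_endpoints: set[string] = { "svcctl", "atsvc" } &redef;

	## Client subnets whose low-value DCE-RPC records are dropped.
	## The subnet is a constructed example (e.g. a monitoring VLAN).
	const quiet_clients: set[subnet] = { 10.0.5.0/24 } &redef;
}

# Extend the shipped ignore list rather than replacing it: '+=' adds the
# srvsvc entry and leaves spoolss/wkssvc/winreg as documented above.
# Treating NetrShareEnum as noise is an assumption about this network.
redef DCE_RPC::ignored_operations += {
	["srvsvc"] = set("NetrShareEnum"),
};

# Log::PolicyHook handler: 'break' vetoes the write of this record to
# dce_rpc.log; falling through keeps it. Records from quiet subnets are
# dropped unless their endpoint is in keep_endpoints. A record with no
# resolved endpoint (unknown UUID) is never treated as kept.
hook DCE_RPC::log_policy(rec: DCE_RPC::Info, id: Log::ID, filter: Log::Filter)
	{
	local is_kept = rec?$endpoint && rec$endpoint in keep_endpoints;

	if ( ! is_kept && rec$id$orig_h in quiet_clients )
		break;
	}
```

Because ignored_operations is consulted before a record is written at all, a call listed there never reaches log_policy; use the hook for conditions that depend on the full record (hosts, rtt, endpoint), and the table for operations that should never be logged.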