DCE/RPC rule options
There are three Snort rule options that are provided by the DCE/RPC inspector functionality:
dce_iface
: Each DCE/RPC interface has a unique identifier, called the interface UUID, that identifies the interface being called. The interfaces advertised by the server also have major and minor versions associated with them. This rule option takes a UUID, a version, and frag settings as parameters.
If the UUID, version, and frag settings specified in the rule match the DCE/RPC request that is seen on the wire, the rule option succeeds.
dce_opnum
: For a DCE/RPC request, opnum represents a specific function of the interface that is called. This rule option takes a number, a list of numbers, or a range. If the operation number of the DCE/RPC request seen in the traffic matches the specified number, list, or range, it is considered a successful match for the rule option.
dce_stub_data
: This rule option is used to detect whether...
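As an added illustration of the dce_opnum check described above (Python written for this page, not Snort's implementation), the following reads the opnum from a connection-oriented DCE/RPC request header and tests it against a number, a list, or a range. The spec string format, the function names, and the sample PDUs are assumptions constructed for the example.

```python
import struct

PTYPE_REQUEST = 0  # PDU type of a connection-oriented DCE/RPC request


def parse_opnum_spec(spec):
    """Turn '15', '15,18' or '15,18-20' into a set of operation numbers."""
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range: {part}")
            allowed.update(range(lo, hi + 1))
        else:
            allowed.add(int(part))
    return allowed


def request_opnum(pdu):
    """Return the opnum of a request PDU, or None for anything else."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return None
    # Data representation byte: high nibble 1 = little-endian, 0 = big-endian.
    order = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    # After the 16-byte common header: alloc_hint, context id, opnum.
    _alloc_hint, _ctx_id, opnum = struct.unpack_from(order + "IHH", pdu, 16)
    return opnum


def opnum_matches(pdu, spec):
    """True when the PDU is a request whose opnum is in the spec."""
    opnum = request_opnum(pdu)
    return opnum is not None and opnum in parse_opnum_spec(spec)


def build_request(opnum, little_endian=True, ptype=PTYPE_REQUEST):
    """Constructed sample input: a minimal 24-byte PDU with no stub data."""
    order = "<" if little_endian else ">"
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    header = bytes([5, 0, ptype, 0x03]) + drep
    header += struct.pack(order + "HHI", 24, 0, 1)  # frag_length, auth_length, call_id
    return header + struct.pack(order + "IHH", 0, 0, opnum)
```

The byte-order check matters because the opnum field is encoded according to the sender's data representation, so the same operation number can appear on the wire in either byte order.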