1358 Views | 5 Helpful | 3 Replies

ASA - block access to a specific RPC service?

jedavis (Level 4)

This question arises as a result of CVE-2021-1675, the MS print spooler vulnerability.  Is it possible to block access to a specific RPC service?  Can the dcerpc application inspection engine dig that deep?

3 Replies

If you are running SFR (Firepower module) with ASA code, you can fine-tune the Snort rules.

Oracle servers running on a Windows platform may listen on any arbitrary port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this is applicable to the protected network.

Here is the link: Snort - Rule Docs

Please do not forget to rate.

jedavis (Level 4)

Thanks Sheraz, but I am not running Firepower.  And this question in no way relates to Oracle.

I was hoping that I could use "match uuid", but that only seems to accept a UUID type, not a UUID text string for a specific service like 12345678-1234-ABCD-EF00-0123456789AB.  Then I was hoping to use "match regex", but that doesn't seem to be an option for an inspect dcerpc map.
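The asker's point is that blocking one RPC service means matching the interface UUID a client names in the DCE/RPC bind PDU, not just the TCP port it arrives on. The following Python is an added example, not code from this thread or from Cisco: it parses a connection-oriented DCE/RPC bind, extracts the interface UUIDs from its context list, and flags a bind to the spoolss interface UUID given above. The PDU layout follows the DCE 1.1 (C706) / MS-RPCE wire format; the sample bind PDUs are constructed here for the example, and the endpoint-mapper UUID used for the "allow" case is an assumption, not something the thread mentions.

```python
"""Parse a DCE/RPC bind PDU and flag binds to a blocklisted interface UUID.

Added example; not from the Cisco Community thread or Cisco's own code.
Assumes connection-oriented DCE/RPC over TCP, little-endian data
representation and no authentication trailer. All sample PDUs below are
constructed by hand for this example.
"""
import struct
import uuid

PTYPE_BIND = 11
PTYPE_ALTER_CONTEXT = 14

# Interface UUIDs whose bind attempts a defender wants to flag.
# 12345678-1234-ABCD-EF00-0123456789AB is the spoolss interface UUID
# quoted in the thread.
BLOCKED_INTERFACES = {
    uuid.UUID("12345678-1234-abcd-ef00-0123456789ab"): "spoolss",
}


def parse_bind_interfaces(pdu: bytes):
    """Return [(interface UUID, 'major.minor'), ...] from a bind/alter_context PDU.

    Layout (C706 / MS-RPCE, little-endian):
      16-byte common header: ver, ver_minor, ptype, pfc_flags, drep[4],
      frag_length, auth_length, call_id
      bind body: max_xmit_frag, max_recv_frag, assoc_group_id,
      n_context_elem + 3 reserved bytes, then per context element:
      context_id (2), n_transfer_syn (1), reserved (1),
      abstract syntax = UUID (16) + version (2 major, 2 minor),
      followed by n_transfer_syn * (UUID (16) + version (4)).
    """
    if len(pdu) < 16:
        raise ValueError("truncated DCE/RPC header")
    ver, _ver_minor, ptype, _flags, drep, frag_len, _auth_len, _call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5:
        raise ValueError(f"unsupported RPC version {ver}")
    if ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return []  # only bind-type PDUs carry interface UUIDs
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not handled")
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured data")
    off = 16
    _max_xmit, _max_recv, _assoc_group, n_ctx = struct.unpack_from("<HHIB", pdu, off)
    off += 12  # 2 + 2 + 4 + 1 + 3 reserved bytes
    interfaces = []
    for _ in range(n_ctx):
        _ctx_id, n_ts = struct.unpack_from("<HBx", pdu, off)
        off += 4
        raw_uuid = pdu[off:off + 16]
        if len(raw_uuid) < 16:
            raise ValueError("truncated context element")
        major, minor = struct.unpack_from("<HH", pdu, off + 16)
        # DCE/RPC stores the UUID's first three fields little-endian, which
        # is exactly what uuid.UUID(bytes_le=...) expects.
        interfaces.append((uuid.UUID(bytes_le=raw_uuid), f"{major}.{minor}"))
        off += 20 + 20 * n_ts  # abstract syntax + transfer syntaxes
    return interfaces


def evaluate_bind(pdu: bytes):
    """Return ('block', reason) if any bound interface is blocklisted, else ('allow', reason)."""
    for iface, version in parse_bind_interfaces(pdu):
        name = BLOCKED_INTERFACES.get(iface)
        if name:
            return "block", f"bind to {name} {iface} v{version}"
    return "allow", "no blocklisted interface in bind"


def build_bind(interface: uuid.UUID, major: int = 1, minor: int = 0, call_id: int = 1) -> bytes:
    """Construct a minimal single-context bind PDU (test data for this example)."""
    ndr32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)          # frag sizes, assoc group, 1 context
    body += struct.pack("<HBx", 0, 1)                        # context 0, one transfer syntax
    body += interface.bytes_le + struct.pack("<HH", major, minor)
    body += ndr32.bytes_le + struct.pack("<HH", 2, 0)
    frag_len = 16 + len(body)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return header + body


# Constructed sample PDUs: a bind to spoolss and, for contrast, a bind to the
# endpoint mapper interface (UUID assumed for this example, not from the thread).
SPOOLSS_BIND = build_bind(uuid.UUID("12345678-1234-abcd-ef00-0123456789ab"))
EPM_BIND = build_bind(uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa"), 3, 0)

if __name__ == "__main__":
    for label, sample in (("spoolss", SPOOLSS_BIND), ("epm", EPM_BIND)):
        print(label, *evaluate_bind(sample))
```

The decision here rests entirely on the interface UUID inside the bind body, which is why a pure port-135 or TCP-port match cannot single out one RPC service: the same endpoint can be reached over dynamic ports or SMB named pipes, and the bind is the first place the service is actually named.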

Hi Jedavis, I googled CVE-2021-1675 and the Snort documentation (the link I shared earlier), so apologies if I have provided the wrong information.

I never tried match regex since Cisco started doing Layer 7 inspection. I see what you are referring to in the link, unless you play with TCP port 135.

Please do not forget to rate.