07-01-2021 07:51 AM
This question arises as a result of CVE-2021-1675, the MS print spooler vulnerability. Is it possible to block access to a specific RPC service? Can the dcerpc application inspection engine dig that deep?
07-01-2021 10:23 AM
If you are running SFR (Firepower module) with ASA code, you can fine-tune the Snort rules.
Oracle servers running on a Windows platform may listen on any arbitrary port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this is applicable to the protected network.
Here is the link: Snort - Rule Docs
07-01-2021 12:14 PM
Thanks Sheraz, but I am not running Firepower. And this question in no way relates to Oracle.
I was hoping that I could use "match uuid", but that only seems to accept a UUID type, not a UUID text string for a specific service like 12345678-1234-ABCD-EF00-0123456789AB. Then I was hoping to use "match regex", but that doesn't seem to be an option for an inspect dcerpc map.
07-01-2021 12:53 PM
Hi Jedavis, I googled CVE-2021-1675 and the Snort documentation, the link I shared earlier, so apologies if I have provided the wrong information.
I never tried the match regex since Cisco started doing the Layer 7 inspection. I see what you are referring to here the link or unless you play with TCP port 135.