One of the key new features in ExtraHop v4.0 is Universal Payload Analysis -- with this advanced feature, we now have the ability to understand previously unsupported protocols. New methods and events introduced into the Application Inspection Triggers grant you access to TCP and UDP payloads and enable you to parse those payloads. For more information on this feature, read the Universal Payload Analysis datasheet.
This bundle is an example of using Universal Payload Analysis to parse the DCE/RPC protocol, store metrics for the activity, and chart that activity over time.
DCE/RPC is short for Distributed Computing Environment / Remote Procedure Calls. As the name implies, it is an RPC system for distributed environments and is used by systems such as HP OpenView Operations and Microsoft Exchange/Outlook (MAPI/RPC). For more information on DCE/RPC, see the Wikipedia article on the protocol.
What You Get
- Triggers (1): DCERPC Payload Analysis
- Pages (2): UPA - DCERPC (dev) and UPA - DCERPC (net)
- Dashboards (1): DCERPC (UPA)
There are a few caveats of which to be aware:
- DCE/RPC is used as a base for many other protocols (including proprietary ones), and as such the payloads of those protocols may include binary or encrypted blobs. The trigger included in this bundle only handles the base DCE/RPC protocol; any extensions on top of that are left to the user to implement.
- Keep in mind that this bundle is just an example of what Universal Payload Analysis can do.
- We have not tested it at any amount of scale.
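As an added illustration of the base-protocol parsing the caveats above refer to (example code, not the bundle's trigger), the plain JavaScript below decodes the 16-byte DCE/RPC connection-oriented common header and splits a reassembled TCP chunk into whole PDUs by frag_length, handing back a trailing partial fragment for the next chunk. It uses no ExtraHop trigger API, and the sample bytes are constructed.

```javascript
// Added example, not the bundle's code: parse the DCE/RPC connection-oriented
// common header (DCE 1.1 RPC specification, C706) and split a stream into PDUs.
const PTYPE_NAMES = {
  0: 'request', 2: 'response', 3: 'fault', 11: 'bind', 12: 'bind_ack',
  13: 'bind_nak', 14: 'alter_context', 15: 'alter_context_resp',
  16: 'shutdown', 17: 'co_cancel', 18: 'orphaned',
};

// Returns the parsed 16-byte header, or null if this cannot be a DCE/RPC v5 PDU.
function parseDcerpcHeader(bytes) {
  if (bytes.length < 16 || bytes[0] !== 5) return null;
  // High nibble of the first data-representation byte: 1 = little-endian integers.
  const littleEndian = (bytes[4] & 0xf0) === 0x10;
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    version: bytes[0],
    versionMinor: bytes[1],
    ptype: bytes[2],
    ptypeName: PTYPE_NAMES[bytes[2]] || `unknown(${bytes[2]})`,
    firstFrag: (bytes[3] & 0x01) !== 0,
    lastFrag: (bytes[3] & 0x02) !== 0,
    fragLength: view.getUint16(8, littleEndian),
    authLength: view.getUint16(10, littleEndian),
    callId: view.getUint32(12, littleEndian),
  };
}

// Split a stream chunk into complete PDUs using frag_length. A trailing partial
// fragment is returned as `remainder` so the caller can prepend it to the next chunk.
function splitPdus(bytes) {
  const pdus = [];
  let offset = 0;
  while (offset < bytes.length) {
    const hdr = parseDcerpcHeader(bytes.subarray(offset));
    if (!hdr || hdr.fragLength < 16) break;            // not DCE/RPC, or bad length
    if (offset + hdr.fragLength > bytes.length) break;  // incomplete PDU
    pdus.push(hdr);
    offset += hdr.fragLength;
  }
  return { pdus, remainder: bytes.subarray(offset) };
}

// Constructed sample: a little-endian request (call_id 2, opnum 5, frag_length 24)
// followed by the first 10 bytes of a bind PDU that continues in the next chunk.
const SAMPLE = Uint8Array.from([
  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00,
  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00,
]);
```

Running `splitPdus(SAMPLE)` yields one complete request PDU and a 10-byte remainder; per-ptype counts from the returned headers are the kind of metric the bundle charts.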
In the full product, import the bundle -- then enable and assign the trigger and pages to whatever devices you'd like to monitor for DCE/RPC activity. Once some DCE/RPC traffic traverses the network, the charts on the UPA - DCERPC pages and the DCERPC (UPA) dashboard should show activity.