Rule

--
Sid
133-16

--
Summary:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

--
Impact:
Unknown. This is an indication of anomalous behaviour between networked assets.

--
Detailed Information:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

The preprocessor will generate this event if the byte count specified in the SMB command header is less than the data size specified in the SMB command.  (The byte count must always be greater than or equal to the data size.).

This event can be controlled using the ((dce2)) configuration options.

--
Affected Systems:
All systems using NetBIOS DCERPC or SMB file and print sharing

--
Attack Scenarios:
An attacker would need to specially craft a packet with the byte count in the SMB command header being smaller than the data size indicated in the SMB command.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:


--
Contributors:
Sourcefire Vulnerability Research Team


--
Additional References:


--
