Rule

--
Sid
133-18

--
Summary:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

--
Impact:
Unknown. This is an indication of anomalous behaviour between networked assets.

--
Detailed Information:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

For the Tree Connect command (and not the Tree Connect AndX command), the preprocessor has to queue the requests up and wait for a server response to determine whether or not an IPC share was successfully connected to (which is what the preprocessor is interested in). Unlike the Tree Connect AndX response, there is no indication in the Tree Connect response as to whether the share is IPC or not. There should be under normal circumstances no more than a few pending tree connects at a time and the preprocessor will generate this event if this number is excessive.

This event can be controlled using the ((dce2)) configuration options.

--
Affected Systems:
All systems using NetBIOS DCERPC or SMB file and print sharing

--
Attack Scenarios:
 

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:


--
Contributors:
Sourcefire Vulnerability Research Team


--
Additional References:


--
