Rule

--
Sid
133-2

--
Summary:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

--
Impact:
Unknown. This is an indication of anomalous behaviour between networked assets.

--
Detailed Information:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

An invalid NetBIOS Session Service type was specified in the header.  Valid types are Message, Request (only from client), Positive Response (only from server), Negative Response (only from server), Retarget Response (only from server) and Keep Alive.

This event can be controlled using the ((dce2)) configuration options.

--
Affected Systems:
All systems using NetBIOS DCERPC or SMB file and print sharing

--
Attack Scenarios:
An attacker would need to specially craft a NetBIOS session and use a non-valid header

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:


--
Contributors:
Sourcefire Vulnerability Research Team


--
Additional References:


--
