Rule

--
Sid
133-22

--
Summary:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

--
Impact:
Unknown. This is an indication of anomalous behaviour between networked assets.

--
Detailed Information:
This event is generated when the dcerpc2 preprocessor detects anomalous network traffic.

With AndX command chaining it is possible to chain multiple Tree Connect AndX commands within the same request. There is, however, only one place in the SMB header to return a tree handle (or Tid).  Windows does not allow this behavior, however Samba does. This is anomalous behavior and the preprocessor will generate this event if it happens.

This event can be controlled using the ((dce2)) configuration options.

--
Affected Systems:
All systems using NetBIOS DCERPC or SMB file and print sharing

--
Attack Scenarios:
 

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:


--
Contributors:
Sourcefire Vulnerability Research Team


--
Additional References:


--
