topic [133:27:2] dcerpc2: Connection-oriented DCE/RPC in Network Security

[133:27:2] dcerpc2: Connection-oriented DCE/RPC

samnagbankok1 — Sun, 10 Mar 2019 13:35:05 GMT

I have a lot of mail alert from FireSIGHT systems detail as bellow :

[133:27:2] dcerpc2: Connection-oriented DCE/RPC - Invalid major version [Impact: Potentially Vulnerable] From "10.31.246.51" at Thu Mar 31 01:23:52 2016 UTC [Classification: Pornography was Detected] [Priority: 2] {tcp} 10.32.3.78:6004->10.16.3.30:55450

can help me to verify and fix this.

Thank you

Nathakorn S.

Re: [133:27:2] dcerpc2: Connection-oriented DCE/RPC

evan.chadwick1 — Tue, 19 Jun 2018 20:38:24 GMT

What did you do in the end?
You can apply a suppression which will ignore for what you enter.

Would't it be nice if there could be a little more information about this.

Perhaps a suggestion as to what a good major version would be perhaps?

If it could highlight the particular header that is not equal to 5 would be helpful.

Perhaps like, "if you ensure all users have teamviewer x.x installed this will avert hitting this rule.

Re: [133:27:2] dcerpc2: Connection-oriented DCE/RPC

ddevecka — Wed, 20 Jun 2018 17:33:21 GMT

I am having this issues as well. Pretty much out of the blue. The traffic is going to internal intranet sites. I check the machines and they aren't opening a browser so I am not sure where the traffic is coming from. Does anyone have any further information. I really want to know what has tripped this all the sudden.

Re: [133:27:2] dcerpc2: Connection-oriented DCE/RPC

evan.chadwick1 — Wed, 20 Jun 2018 20:35:06 GMT

in your case being internal, you might say to yourself, i don't need/want to protect at a preprocessor level for internal flows. You could create a rule in the ACL to apply a different IPS policy that disables the rule (just for internal to internal). Or you could add suppression rules for internal destinations.

My eg, is internal to outbound, so I do want to leave it in place.