Hello to all,
I am receiving an abundance of these particular types of alerts:
[133:59:1] dcerpc2: SMB - Nextcommand specified in SMB2 header is beyond payload boundary
[133:27:2] dcerpc2: Connection-oriented DCE/RPC - Invalid major version
How can I assess this issue, considering it appears to be a false positive? That being said, upon monitoring the IPs of the communication, it appears to be between a server and a workstation within my client's company. I am also trying to decipher whether or not these are in fact false positives and that someone is not RDPing onto another workstation internally and trying to communicate with others. I am stuck between trying to whitelist the IP or suppress them, and am having a difficult time trying to do so. I want to whitelist a particular IP for a particular alert; I do not want to whitelist an IP and have nothing alerted.
Would this incorporate me having to create a rule?
Any thoughts?
Thanks guys
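One way to get the per-IP, per-signature suppression asked about above, as an added example that is not part of the original post. It assumes Snort 2 (the `[gid:sid:rev]` prefix and the `dcerpc2` preprocessor name are Snort 2's) and uses its built-in `suppress` and `event_filter` directives, which live in threshold.conf (or directly in snort.conf); no rule has to be written. The addresses 10.1.2.10 and 10.1.2.20 are placeholders for the server and workstation seen in the alerts.

```conf
# Added example, not from the original post. Snort 2 threshold.conf entries.
# GID 133 is the dcerpc2 preprocessor; SIDs 59 and 27 are the two events quoted above.
# 10.1.2.10 / 10.1.2.20 are placeholder addresses for the server and the workstation.

# Silence 133:59 only when the packet's source is one of the two hosts.
# Any other host tripping 133:59 still alerts, and these two hosts still alert
# on every other rule and preprocessor event.
suppress gen_id 133, sig_id 59, track by_src, ip [10.1.2.10,10.1.2.20]

# SMB traffic is bidirectional, so cover the reply direction as well; otherwise the
# event keeps firing on packets where the pair is the destination rather than the source.
suppress gen_id 133, sig_id 59, track by_dst, ip [10.1.2.10,10.1.2.20]

# For 133:27, rate-limit instead of silencing: at most one alert per source host
# per hour, so a change in behaviour is still visible without flooding the console.
event_filter gen_id 133, sig_id 27, type limit, track by_src, count 1, seconds 3600
```

`suppress` only stops the event from being logged; the dcerpc2 preprocessor still inspects and normalises the SMB/DCE-RPC session, so nothing else downstream changes. Validate the config with `snort -T -c snort.conf` before restarting, and keep the `gid:sid` pair narrow (one entry per event) rather than suppressing all of GID 133 for the host.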