MS-RPC: Evasion Technique (7)
This signature detects packets containing known evasion techniques that affect the SMB, DCE RPC, and MS RPC protocols. These packets should not be seen in normal traffic and indicate attempts to evade network defense systems by sending invalid, out of order, or heavily fragmented communication. Due to potential false-positives in some older MS-RPC services, this signature should only be used to inspect traffic going to and from the Internet on WAN links. This signature should NOT be used to monitor traffic between internal servers/clients on a LAN or inter-office WAN.
Extended Description
Successful exploitation would allow an attacker to bypass the intrusion detection system and access the vulnerable machine in a network. As a result of this, the attacker can completely compromise the vulnerable system, depending on the severity of the vulnerability being exploited.
Short Name
MS-RPC:EVASION:SMALL-REQ-FRAG
Severity
Major
Recommended
False
Recommended Action
None
Category
MS-RPC
Keywords
(7) Evasion Technique
Release Date
04/25/2006
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Occasionally