| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
Hi, I have a strange problem with SmartDefense. Maybe somebody can point me in the right direction. SmartView Tracker logs the following.

```
Number: 1247628
Date: 12Sep2007
Time: 16:35:08
Product: SmartDefense
Attack Name: DCE-RPC Enforcement Violation
Attack Information: UUID is not allowed through the Rule Base
Interface: eth0
Origin: gatede
Type: Log
Action: Monitor Only
Service: rpc (135)
Source: 192.168.0.32
Destination: exchangeserver(10.150.150.74)
Protocol: tcp
Source Port: 1954
Information: DCE-RPC Interface UID: 1544f5e0-613c-11d1-93df-00c04fd7bd09
```

I have a rule that allows exactly that DCE-Service. Nevertheless that service is blocked? Can you tell me why?

Thanks in advance,
Mario.
| |||
| Hi, Sometimes SmartDefense doesn't log all the DCE-RPC as it should, so try to use the "all dce-rpc" instead. This will give you all the DCE-RPC protocols that are being used for this session, and when you've got them all you could put this into the rule base instead. This is at least how I usually go around this. |
| |||
| This is a 50-50 call as to whether it is Microsoft or Check Point. There are some knowledgebase articles on Check Point and Microsoft about this. Microsoft have messed about with the DCE-RPC for Exchange on Windows 2003 SP1. What version of Check Point are you on? From my understanding, either upgrade the Windows to 2003 SP2 or upgrade your Check Point to NGX and the latest HFAs to resolve this, along with getting a SmartDefense update. |