Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 951

MS-RPC:ERR:SHORT-MSG
MS-RPC:LOC-SVC-OF
MS-RPC:LSASS:MAL-OPCODE
MS-RPC:LSASS:OVERSIZED-FRAG
MS-RPC:MSRPC-ISYSACTIVATE-RACE
MS-RPC:NOOP-SLIDE-RPC-REQ
MS-RPC:SAMR-ACCESS-DENIED
MS-RPC:SAMR-ACCESS-REQUEST
Copyright © 2010, Juniper Networks, Inc.
This protocol anomaly is an incomplete MSRPC message.
This signature detects attempts to exploit a flaw in the
Windows DCE RPC Locator service. This service is turned on
by default on all Windows NT 4 and Windows 2000 Domain
Controllers, or can be turned on manually on all Windows
NT, 2000, and XP systems. Attackers can deny the service
of the locator, causing network-wide outages, or take control
of the service and run code of choice.
This signature detects attempts to exploit a known
vulnerability in Microsoft Windows LSASS (Local Security
Authority Subsystem Service). Attackers may remotely run
arbitrary code on the target system. Note: This vulnerability
is exploited by many worms.
This signature detects attempts to remotely attack a known
vulnerability in the Microsoft Windows LSASS (Local Security
Authority Subsystem Service). A successful attack could run
code of an attacker's choice on the target system. By
supplying an oversized fragment to the LSASS service, a
buffer can be overflowed that can result in remote code
execution.
This protocol anomaly is too many DCE/RPC
ISystemActivate requests. Excessive requests can cause a
denial-of-service (DoS) in the RPCSS module.
This signature detects Unicode NOOP sleds in an RPC
request. Because these patterns are usually malicious, they
might indicate an attack.
This signature detects failed attempts to connect to the
Security Account Manager Remote (SAMR) service on
Windows. Attackers may be probing your server for
vulnerabilities, as a successful login to this service provides
important information such as administrator account details,
default domain names, open users, and active groups.
However, because system administrators also use the SAMR
service legitimately, this signature may also detect
non-malicious activity.
This signature detects attempts to connect to the Security
Account Manager Remote (SAMR) service on Windows.
Attackers may be probing your server for vulnerabilities, as
a successful login to this service provides important
information such as administrator account details, default
domain names, open users, and active groups. However,
because system administrators also use the SAMR service
legitimately, this signature may also detect non-malicious
activity.
Appendix E: Log Entries
high sos5.1.0
high sos5.1.0
critical sos5.1.0
critical sos5.1.0
high sos5.1.0
medium sos5.1.0
info sos5.1.0
low sos5.1.0
901