Connectivity problems on the DCERPC traffic
- Allowing other interfaces besides EPM over port 135 by checking the "Allow DCE-RPC interfaces other than End-Point Mapper (such as DCOM) on Port 135" checkbox under the "DCOM - General Settings" protection will not allow other interfaces besides EPM.
- The "Unallowed UUID in a multi UUID Bind/Alter context request" message in the IPS log.
- If the "MS-RPC - General Settings" protection is set to action Prevent, then the packet will be dropped as well.
- Setting the protection to 'Detect' allows DCOM traffic on port 135, but DCOM protections are not enforced over DCOM traffic.
Code limitation in the $FWDIR/lib/dcom.def file. If the check for the multiple UUID binds fails, then the Rule Base should be scanned, but it is not.
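To see which interface UUIDs a Bind/Alter context request on port 135 actually carries when this log message appears, the following added example (not Check Point code, and not a reproduction of the gateway's logic) parses the context list of a DCE/RPC PDU taken from a capture. The function names, the EPM-only allow-list and the sample PDU are assumptions made for illustration.

```python
import struct
import uuid

EPM = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")  # End-Point Mapper interface
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
DCOM_SAMPLE = uuid.UUID("000001a0-0000-0000-c000-000000000046")  # IRemoteSCMActivator
BIND, ALTER_CONTEXT = 11, 14  # DCE/RPC PDU types


def bind_interfaces(pdu: bytes) -> list:
    """Return the abstract-syntax (interface) UUID of every context item."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] not in (BIND, ALTER_CONTEXT):
        raise ValueError("not a DCE/RPC v5 Bind or Alter context PDU")
    little = (pdu[4] >> 4) == 1       # packed_drep: integer byte order
    n_ctx = pdu[24]                   # 16-byte header + 8 bytes of bind fields
    off, found = 28, []               # first context item starts at offset 28
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated context list")
        n_transfer = pdu[off + 2]     # number of transfer syntaxes in this item
        raw = pdu[off + 4:off + 20]   # interface UUID follows the 4-byte item header
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_transfer   # skip interface version and transfer syntaxes
    return found


def unallowed_interfaces(pdu: bytes, allowed=frozenset({EPM})) -> list:
    """Interfaces in the request outside the allow-list (assumed here: EPM only)."""
    return [u for u in bind_interfaces(pdu) if u not in allowed]


def sample_bind(interfaces) -> bytes:
    """Constructed little-endian Bind PDU with one context item per interface."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(interfaces), 0, 0)
    for ctx_id, iface in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<I", 0)
        body += NDR.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, 1)
    return header + body


if __name__ == "__main__":
    pdu = sample_bind([EPM, DCOM_SAMPLE])  # multi-UUID bind: EPM plus a DCOM interface
    for iface in bind_interfaces(pdu):
        print(iface, "EPM" if iface == EPM else "not EPM")
```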