False Positive - RPC (Remote Procedure Call) to the Internet (Kuery)

There is a built-in detection rule watching for TCP traffic on port 135 to the Internet.

network.transport: tcp and destination.port: 135 and (network.direction: outbound or (source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)))

However, this rule has triggered with traffic from local source IP 192.168.1.4 to destination 192.168.1.125 on port 135.

Thanks,
Gary
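To see which clause of the rule fires for the flow in the question, here is an added Python model of the rule's boolean logic (not Elastic's code and not from the thread). The events are constructed sample records, and the tuned variant is a hypothetical adjustment that additionally requires a non-RFC 1918 destination.

```python
import ipaddress
from typing import Dict, Optional

# The three RFC 1918 ranges named in the rule
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def rule_matches(event: Dict[str, object]) -> Optional[str]:
    """Model of the built-in KQL rule. Returns the name of the clause that
    satisfied the OR-group, or None when the event does not match."""
    if event.get("network.transport") != "tcp" or event.get("destination.port") != 135:
        return None
    # First branch: the event is tagged outbound, regardless of the destination range
    if event.get("network.direction") == "outbound":
        return "direction_outbound"
    # Second branch: private source talking to a non-private destination
    if is_private(event["source.ip"]) and not is_private(event["destination.ip"]):
        return "private_to_public"
    return None


def rule_matches_tuned(event: Dict[str, object]) -> Optional[str]:
    """Hypothetical tuning: also require a non-RFC 1918 destination, so that
    LAN-to-LAN RPC traffic tagged outbound no longer fires."""
    clause = rule_matches(event)
    if clause is None or is_private(event["destination.ip"]):
        return None
    return clause


# Constructed sample events (not real captures)
LAN_TO_LAN = {"network.transport": "tcp", "destination.port": 135,
              "network.direction": "outbound",
              "source.ip": "192.168.1.4", "destination.ip": "192.168.1.125"}
LAN_TO_INTERNET = {"network.transport": "tcp", "destination.port": 135,
                   "source.ip": "192.168.1.4", "destination.ip": "203.0.113.10"}

if __name__ == "__main__":
    for name, ev in (("LAN_TO_LAN", LAN_TO_LAN), ("LAN_TO_INTERNET", LAN_TO_INTERNET)):
        print(name, "original:", rule_matches(ev), "tuned:", rule_matches_tuned(ev))
```

Running this shows that the LAN-to-LAN flow can only match through the `network.direction: outbound` branch, since both addresses fall inside the private ranges.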

I answered my own question.

Thanks for finding it and posting the solution to your own thread. Appreciate it!
