Channel: THWACK: All Content - Server & Application Monitor

MS-RPC: Fragmented RPC request IPS block


I was approached by the IPS team indicating Orion (SAM) is querying some servers and triggering these alerts and blocking the traffic.

The target servers are successfully monitored.

Has anyone else seen this or know why SAM might be doing this?

Also researching the possibility that the polling engine has a virus or something as well...


description of "vulnerability" is:

Description
This filter detects a fragmented MS-RPC request. While supported by Microsoft operating systems, application-level RPC fragmentation is not normal in legitimate traffic, and is used only by attackers who are attempting to evade inline network defense systems such as IDSes and IPSes.

References:
Microsoft Security Bulletin MS03-001: http://www.microsoft.com/technet/security/bulletin/MS03-001.mspx
Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Microsoft Security Bulletin MS03-039: http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
Microsoft Security Bulletin MS04-011: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Microsoft Security Bulletin MS05-039: http://www.microsoft.com/technet/security/bulletin/MS05-039.asp
Microsoft Security Bulletin MS08-067: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
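To see from a packet capture what such a filter keys on, the condition it describes can be reproduced offline: a request is fragmented when its DCE/RPC PDU does not carry both the PFC_FIRST_FRAG and PFC_LAST_FRAG flags. The following is an added example, not part of the original post and not any vendor's filter logic; it assumes the TCP payload has already been reassembled, and the helper `_request` and the sample bytes are constructed for illustration.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02   # pfc_flags bits in the common header
PTYPE_REQUEST = 0

def parse_pdus(stream: bytes):
    """Yield the header fields of each connection-oriented DCE/RPC PDU in a
    reassembled TCP payload (several PDUs may sit back to back)."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 16:
            raise ValueError(f"truncated header at offset {off}")
        ver, _minor, ptype, flags = struct.unpack_from("4B", stream, off)
        if ver != 5:
            raise ValueError(f"not a DCE/RPC v5 PDU at offset {off}")
        # drep[0] high nibble selects integer byte order: 1 = little, 0 = big
        end = "<" if (stream[off + 4] & 0xF0) == 0x10 else ">"
        frag_len, _auth_len, call_id = struct.unpack_from(end + "HHI", stream, off + 8)
        if frag_len < 16 or off + frag_len > len(stream):
            raise ValueError(f"bad frag_length {frag_len} at offset {off}")
        opnum = None
        if ptype == PTYPE_REQUEST and frag_len >= 24:
            # request body: alloc_hint(4) p_cont_id(2) opnum(2)
            opnum = struct.unpack_from(end + "H", stream, off + 22)[0]
        yield {"ptype": ptype, "flags": flags, "call_id": call_id, "opnum": opnum}
        off += frag_len

def fragmented_requests(stream: bytes) -> dict:
    """Map call_id -> number of PDUs, for requests sent as more than one PDU."""
    both = PFC_FIRST_FRAG | PFC_LAST_FRAG
    counts = {}
    for pdu in parse_pdus(stream):
        if pdu["ptype"] == PTYPE_REQUEST and (pdu["flags"] & both) != both:
            counts[pdu["call_id"]] = counts.get(pdu["call_id"], 0) + 1
    return counts

def _request(call_id: int, flags: int, stub: bytes, opnum: int = 0x0F) -> bytes:
    """Build a constructed little-endian request PDU for the sample below."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub
    return struct.pack("<4B4sHHI", 5, 0, PTYPE_REQUEST, flags,
                       b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body

# Constructed sample: call 1 is a single PDU, call 2 is split into three.
SAMPLE = (_request(1, 0x03, b"A" * 8) + _request(2, 0x01, b"B" * 4)
          + _request(2, 0x00, b"C" * 4) + _request(2, 0x02, b"D" * 4))

if __name__ == "__main__":
    print(fragmented_requests(SAMPLE))
```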

