I have this log entry from SEP:
2011-04-05T10:52:37+02:00 SymantecServer SomeServer: SomePC,[SID: 23179]
OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe,
Local: 10.90.27.172,
Local: 000000000000,
Remote: ,
Remote: 10.90.27.220,
Remote: 000000000000,Inbound,TCP,
Intrusion ID: 0,
Begin: 2011-04-05 10:28:37,
End: 2011-04-05 10:28:37,
Occurrences: 1,
Application: C:/WINDOWS/system32/ntoskrnl.exe,
Location: Default,
User: 123456,
Domain: SomeDomain
I want to confirm I understand this correctly. This is TCP inbound communication. IOW, the remote IP 10.90.27.220 is trying to expose some vulnerability on the local machine: 10.90.27.172
So we should be more worried about the remote machine than the local machine. Or is it the other way round?
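As an added example (not part of the question above), here is a small Python parser for this SEP IPS syslog entry that pulls out the two hosts and orients them using the Inbound/Outbound field. It assumes SEP's convention that "Inbound" means the flow was initiated by the Remote host towards the Local client (Outbound is handled symmetrically); the `IpsEvent` and `parse_sep_ips` names are mine.

```python
import re
from dataclasses import dataclass

# The entry from the question, re-joined into the single comma-separated line that
# SEP writes to syslog (the line breaks in the question are presentation only).
SAMPLE = (
    "2011-04-05T10:52:37+02:00 SymantecServer SomeServer: SomePC,[SID: 23179] "
    "OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected. "
    "Traffic has been blocked from this application: C:\\WINDOWS\\system32\\ntoskrnl.exe,"
    "Local: 10.90.27.172,Local: 000000000000,Remote: ,Remote: 10.90.27.220,"
    "Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2011-04-05 10:28:37,"
    "End: 2011-04-05 10:28:37,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,"
    "Location: Default,User: 123456,Domain: SomeDomain"
)

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SIG = re.compile(r"\[SID: (\d+)\] (.+?) detected\.")

@dataclass
class IpsEvent:
    client: str      # SEP client that reported the event
    sid: str         # IPS signature id
    signature: str
    blocked: bool
    local_ip: str
    remote_ip: str
    direction: str   # "Inbound" / "Outbound" as SEP labels it
    proto: str
    source_ip: str   # host that originated the flagged traffic
    target_ip: str   # host the IPS engine was protecting

def parse_sep_ips(line: str) -> IpsEvent:
    head, _, rest = line.partition(",")
    client = head.rsplit(": ", 1)[1]
    fields = rest.split(",")
    m = SIG.search(fields[0])
    if not m:
        raise ValueError("not a SEP IPS event")
    # Each side is logged three times: hostname, IP, MAC. Keep only the IP.
    vals = lambda key: [f.partition(": ")[2] for f in fields if f.startswith(key)]
    local = [v for v in vals("Local: ") if IPV4.match(v)]
    remote = [v for v in vals("Remote: ") if IPV4.match(v)]
    d_idx = next(i for i, f in enumerate(fields) if f in ("Inbound", "Outbound"))
    direction, proto = fields[d_idx], fields[d_idx + 1]
    # Assumption: "Inbound" means the remote host initiated the flow towards the
    # local client, so remote is the source and local is the target.
    src, dst = (remote[0], local[0]) if direction == "Inbound" else (local[0], remote[0])
    return IpsEvent(client, m.group(1), m.group(2), "blocked" in fields[0],
                    local[0], remote[0], direction, proto, src, dst)
```

Running `parse_sep_ips(SAMPLE)` gives `source_ip` 10.90.27.220 and `target_ip` 10.90.27.172, which is the orientation to use when deciding which host to investigate first.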