As of Wednesday, our SSM IPS system started picking up a large number of hits against rules 3327/8, 5799/6, and 6131/6 (sig set 364). These rules are related to the MS Server Service, MS RPC, and UPnP services. All of these came from our VPN users into our internal DCs, file, and print servers. At first, we immediately blocked these users from the network and began incident investigation procedures, as it seemed as if these machines were attempting to compromise internal hosts using the MS08-067 vulnerability released last week. Our initial investigation of some of the machines involved and of the network traffic between these machines and the internal hosts showed no signs of malicious activity. Also, the timing of the alerts - all alerts started right around 2pm EST on Wednesday and continue until today for the majority of VPNed Windows hosts - suggests that this is not malicious activity, but rather a false positive condition in the signature.
Our question is: what could have caused a system to arbitrarily start throwing alerts for this type of traffic? We are trying to determine whether this is a "problem" with our IPS, in that it just happens to have started flagging this traffic as malicious, or whether there is something on our internal systems that may have changed to cause a behavioral change that is now seen by the IPS signatures as malicious while truly not being such. I'm not an SMB or RPC protocol expert, so some of this is beyond my realm of knowledge. It does appear from the packet captures, though, that the connections to named pipes, which is what seems to be triggering most of these alerts, come arbitrarily in the middle of normal SMB activity such as file reads and searches.
If anyone has any light they can shed on this or any other similar experiences, it would be greatly appreciated.
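An added triage example, not part of the original post: the poster's strongest argument for a signature problem is the timing (nearly every VPN host started alerting in the same few minutes and never stopped). The script below turns that reasoning into a check over an alert export. The log format and the sample lines are constructed for the example; they are not a real SSM/Sourcefire export, and the rule numbers are just the ones quoted above used as opaque identifiers.

```python
"""Onset-clustering triage for a burst of IPS alerts.

If a large fraction of distinct source hosts fire their FIRST alert
inside a short window of the very first alert, the burst more likely
reflects a signature/baseline change than hosts being compromised one
by one.  Added example; constructed log format and sample data.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in a made-up format: "<ISO time> src=<ip> dst=<ip> rule=<sid>".
SAMPLE_ALERTS = """\
2008-10-29T13:58:40 src=10.8.0.11 dst=10.1.1.5 rule=3327
2008-10-29T14:01:02 src=10.8.0.12 dst=10.1.1.5 rule=3328
2008-10-29T14:03:15 src=10.8.0.13 dst=10.1.1.9 rule=5799
2008-10-29T14:05:50 src=10.8.0.14 dst=10.1.1.5 rule=6131
2008-10-29T14:07:21 src=10.8.0.15 dst=10.1.1.9 rule=3327
2008-10-29T16:30:00 src=10.8.0.11 dst=10.1.1.5 rule=3327
2008-10-30T09:12:44 src=10.8.0.12 dst=10.1.1.5 rule=5796
2008-10-30T11:40:10 src=10.8.0.40 dst=10.1.1.5 rule=3327
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) rule=(\d+)$")


def parse_alerts(text):
    """Return a list of (timestamp, src, dst, rule) tuples; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        alerts.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return alerts


def onset_by_source(alerts):
    """Earliest alert time per source host."""
    first = {}
    for ts, src, _dst, _rule in alerts:
        if src not in first or ts < first[src]:
            first[src] = ts
    return first


def onset_cluster_fraction(alerts, window):
    """Fraction of sources whose first alert lies within `window` of the
    earliest alert overall.  Close to 1.0 means everyone 'went bad' at the
    same moment; lateral movement by an attacker or worm is usually staggered."""
    first = onset_by_source(alerts)
    if not first:
        return 0.0
    t0 = min(first.values())
    in_window = sum(1 for t in first.values() if t - t0 <= window)
    return in_window / len(first)


def triage(text, window=timedelta(minutes=15), threshold=0.8):
    """Summarise the burst and give a first-pass verdict (a heuristic, not proof)."""
    alerts = parse_alerts(text)
    frac = onset_cluster_fraction(alerts, window)
    rules = sorted({rule for _ts, _src, _dst, rule in alerts})
    verdict = ("likely-signature-false-positive" if frac >= threshold
               else "investigate-hosts")
    return {
        "sources": len(onset_by_source(alerts)),
        "rules": rules,
        "onset_cluster_fraction": round(frac, 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Treat the verdict as a prioritisation hint only: a fast-spreading worm can also produce near-simultaneous onset, so confirm at the packet level. A genuine MS08-067 attempt carries a crafted NetPathCanonicalize request over the srvsvc named pipe, whereas pipe opens scattered through ordinary file reads and directory searches, as the poster describes, are normal SMB behaviour and point back at the signature set.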