I'm seeing lots of SMB Authorization Failure events being reported to MARS from IPS signature 5606/0. I strongly suspect that these events are false, but I don't know a lot about SMB. The Event Type Details in MARS states "This signature detects when three or more consecutive failed Windows NT (or Samba) user authentication within a single SMB session..." However, the Event Count parameter of 5606/0 is set to the default of 1. Should this be bumped up to 3, or am I smoking dope? Should I be looking at other areas of the signature definition?
Any help would be appreciated.