5591:1 SMB: Windows Share Enumeration

Unanswered Question
Apr 3rd, 2007

We're getting alarms with Victim address = n/a and attacker/victim port = n/a for this signature.

We've tried to change the Event count key to "Attacker and victim addresses" and/or "Attacker and victim addresses and ports" but there are still a lot of n/a alarms.

This is causing some problems since we cannot create a "SigEvent Action Filter" for destination ip n/a (0.0.0.0). Is there a way to either tune this signature into not producing alarms with n/a or add a "SigEvent Action Filter" for destination ip n/a?

wsulym Tue, 04/03/2007 - 11:24

Is this maybe a summary alert you are seeing and trying to filter? When I look at 5591-1 off a 5.1.5 s278 sensor (default settings), I see the following in the alert:

signature: description=SMB: Windows Share Enumeration id=5591 version=S262
subsigId: 1
sigDetails: SMB: Windows Share Enumeration
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 171.71.84.149
port: 445
target:
addr: locality=OUT 10.25.80.156
port: 10166

Can you provide CLI output of the alert you are using to attempt to create a filter? If you'd rather not paste that into the forum, you can send it direct to me at [email protected]
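As an added example (not part of this thread, and not a Cisco tool), the following Python parses the participants block of a sensor CLI alert in the layout quoted above and reports which alerts carry a real victim address, since only those can be matched by a SigEvent Action Filter keyed on destination IP. The second sample alert, with `addr: n/a` in the target section, is constructed; the exact CLI layout of the n/a case is an assumption, and 0.0.0.0 is treated as missing because the question equates the two.

```python
import re
from typing import Dict, List, Optional

# Constructed sample 1: the alert quoted in the reply above, with a real target.
ALERT_WITH_TARGET = """\
signature: description=SMB: Windows Share Enumeration id=5591 version=S262
subsigId: 1
sigDetails: SMB: Windows Share Enumeration
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 171.71.84.149
port: 445
target:
addr: locality=OUT 10.25.80.156
port: 10166
"""

# Constructed sample 2 (assumed layout): the n/a case described in the question.
ALERT_NO_TARGET = """\
signature: description=SMB: Windows Share Enumeration id=5591 version=S262
subsigId: 1
participants:
attacker:
addr: locality=OUT 171.71.84.149
port: 445
target:
addr: n/a
port: n/a
"""

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_alert(text: str) -> Dict[str, Optional[str]]:
    """Flatten one alert into sig_id, subsig, attacker_/target_ addr and port.

    Values that are absent, 'n/a' or 0.0.0.0 come back as None.
    """
    out: Dict[str, Optional[str]] = {
        k: None
        for k in ("sig_id", "subsig", "attacker_addr", "attacker_port",
                  "target_addr", "target_port")
    }
    side = None  # which participant section we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("signature:"):
            m = re.search(r"\bid=(\d+)", line)
            if m:
                out["sig_id"] = m.group(1)
        elif line.startswith("subsigId:"):
            out["subsig"] = line.split(":", 1)[1].strip() or None
        elif line == "attacker:":
            side = "attacker"
        elif line == "target:":
            side = "target"
        elif side and line.startswith("addr:"):
            m = IPV4.search(line.split(":", 1)[1])
            ip = m.group(1) if m else None
            out[f"{side}_addr"] = ip if ip and ip != "0.0.0.0" else None
        elif side and line.startswith("port:"):
            value = line.split(":", 1)[1].strip()
            out[f"{side}_port"] = value if value.isdigit() else None
    return out


def filterable_by_target(alert: Dict[str, Optional[str]]) -> bool:
    """True when a destination-IP action filter could match this alert."""
    return alert["target_addr"] is not None


def split_alerts(text: str) -> List[str]:
    """Split concatenated CLI output into one chunk per 'signature:' line."""
    chunks, current = [], []
    for line in text.splitlines():
        if line.startswith("signature:") and current:
            chunks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current))
    return chunks


def summarize(text: str) -> Dict[str, int]:
    """Count how many alerts in the output can and cannot be filtered by target IP."""
    alerts = [parse_alert(c) for c in split_alerts(text)]
    filterable = sum(1 for a in alerts if filterable_by_target(a))
    return {"total": len(alerts), "filterable": filterable,
            "unfilterable": len(alerts) - filterable}


if __name__ == "__main__":
    print(summarize(ALERT_WITH_TARGET + ALERT_NO_TARGET))
```

Running the script over a saved CLI dump shows at a glance how much of the 5591:1 volume has no victim address and therefore cannot be handled by a destination-IP filter; those alerts need a different tuning approach (for example, filtering on the attacker side or on the signature itself).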
