5591:1 SMB: Windows Share Enumeration

Unanswered Question
Apr 3rd, 2007

We're getting alarms with Victim address = n/a and attacker/victim port = n/a for this signature.

We've tried to change the Event count key to "Attacker and victim addresses" and/or "Attacker and victim addresses and ports", but there are still a lot of n/a alarms.


This is causing some problems, since we cannot create a "SigEvent Action Filter" for destination IP n/a (0.0.0.0). Is there a way to either tune this signature so that it does not produce alarms with n/a, or to add a "SigEvent Action Filter" for destination IP n/a?

wsulym (Cisco Employee) Tue, 04/03/2007 - 11:24

Is this maybe a summary alert you are seeing and trying to filter? When I look at 5591-1 off a 5.1.5 s278 sensor (default settings), I see the following in the alert:


signature: description=SMB: Windows Share Enumeration id=5591 version=S262
  subsigId: 1
  sigDetails: SMB: Windows Share Enumeration
interfaceGroup:
vlan: 0
participants:
  attacker:
    addr: locality=OUT 171.71.84.149
    port: 445
  target:
    addr: locality=OUT 10.25.80.156
    port: 10166



Can you provide the CLI output of the alert you are using to attempt to create a filter? If you'd rather not paste that into the forum, you can send it directly to me at [email protected]
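The point of wsulym's request is that a filter keyed on destination address can only match alerts that actually carry a target address, so the first step is to find which 5591:1 alerts in a "show events" dump have none. The script below is an added example, not code from the thread or from Cisco: it parses the key/value alert layout shown above into attacker and target fields and lists the alerts that no address-keyed filter could match. The sample dump is constructed (the first record mirrors the posted alert, the second stands in for a "Victim address = n/a" alarm); the `evAlert:` header line, the indentation and the exact shape of the n/a record are assumptions rather than output copied from a sensor.

```python
"""Parse Cisco IPS 'show events' alert records and find the ones an address-keyed
event-action filter could never match (no usable target/victim address)."""
import re

# Constructed sample dump. The first record mirrors the alert wsulym posted; the
# second is made up to stand in for the "Victim address = n/a" alarms from the
# question. The surrounding field layout (evAlert header, indentation) is an
# assumption, not copied from a real sensor.
SAMPLE_EVENTS = """\
evAlert: eventId=1175600001 vendor=Cisco severity=informational
  signature: description=SMB: Windows Share Enumeration id=5591 version=S262
    subsigId: 1
    sigDetails: SMB: Windows Share Enumeration
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 171.71.84.149
      port: 445
    target:
      addr: locality=OUT 10.25.80.156
      port: 10166
evAlert: eventId=1175600002 vendor=Cisco severity=informational
  signature: description=SMB: Windows Share Enumeration id=5591 version=S262
    subsigId: 1
    sigDetails: SMB: Windows Share Enumeration
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 171.71.84.149
    target:
      addr: locality=OUT 0.0.0.0
"""

# Target values that cannot serve as the destination address of a filter.
UNUSABLE_TARGETS = (None, "", "n/a", "0.0.0.0")


def split_events(dump):
    """Split a dump into one text chunk per 'evAlert:' record."""
    events, current = [], []
    for line in dump.splitlines():
        if line.startswith("evAlert:") and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse_alert(record):
    """Extract signature id, subsig id and the attacker/target address and port."""
    alert = {
        "sig_id": None,
        "subsig": None,
        "attacker": {"addr": None, "port": None},
        "target": {"addr": None, "port": None},
    }
    section = None  # "attacker" or "target" while inside that participant block
    for raw in record.splitlines():
        line = raw.strip()
        m = re.match(r"signature:.*\bid=(\d+)", line)
        if m:
            alert["sig_id"] = int(m.group(1))
            continue
        m = re.match(r"subsigId:\s*(\d+)$", line)
        if m:
            alert["subsig"] = int(m.group(1))
            continue
        if line in ("attacker:", "target:"):
            section = line[:-1]
            continue
        if section is None:
            continue
        # 'addr:' may carry a 'locality=' prefix; the address is the last token.
        m = re.match(r"addr:(?:\s+locality=\S+)?\s+(\S+)$", line)
        if m:
            alert[section]["addr"] = m.group(1)
            continue
        m = re.match(r"port:\s*(\d+)$", line)
        if m:
            alert[section]["port"] = int(m.group(1))
    return alert


def has_usable_target(alert):
    """True when a destination-address filter could match this alert."""
    return alert["target"]["addr"] not in UNUSABLE_TARGETS


def unfilterable_alerts(dump, sig_id=5591, subsig=1):
    """Alerts for the given signature that an address-keyed filter cannot catch."""
    return [
        a for a in map(parse_alert, split_events(dump))
        if a["sig_id"] == sig_id and a["subsig"] == subsig and not has_usable_target(a)
    ]


if __name__ == "__main__":
    for alert in unfilterable_alerts(SAMPLE_EVENTS):
        print("no usable victim address:", alert)
```

Run it against a saved "show events" dump (replace `SAMPLE_EVENTS` with the file contents) to get the list of records that still need tuning at the signature or event-count-key level rather than through a destination-address filter.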


