5591:1 SMB: Windows Share Enumeration

Unanswered Question
Apr 3rd, 2007

We're getting alarms with Victim address = n/a and attacker/victim port = n/a for this signature.

We've tried to change the Event count key to "Attacker and victim addresses" and/or "Attacker and victim addresses and ports" but there are still a lot of n/a alarms.

This is causing some problems since we cannot create a "SigEvent Action Filter" for destination ip n/a. Is there a way to either tune this signature into not producing alarms with n/a or add a "SigEvent Action Filter" for destination ip n/a?

wsulym (Cisco Employee) Tue, 04/03/2007 - 11:24

Is this maybe a summary alert you are seeing and trying to filter? When I look at 5591-1 off a 5.1.5 s278 sensor (default settings), I see the following in the alert:

signature: description=SMB: Windows Share Enumeration id=5591 version=S262

subsigId: 1

sigDetails: SMB: Windows Share Enumeration


vlan: 0



addr: locality=OUT

port: 445


addr: locality=OUT

port: 10166

Can you provide CLI output of the alert you are using to attempt to create a filter? If you'd rather not paste that into the forum, you can send it direct to me at [email protected]

