MARS "Win SMB Enum Shr DoS" & Rule to Ignore?

Unanswered Question
May 24th, 2007
User Badges:
  • Bronze, 100 points or more

I am tuning some Unconfirmed False Positives (UFP). We have a fair number of the 'Windows SMB Enum Share DoS' events in the UFP list. They don't appear to be too frequent but there are some. I am thinking I'd like to have a rule that says "if there are less than 'x' occurences to a particular dest IP within 'y' minutes, ignore this" but it doesn't look like this can be done.


Any ideas? TIA


Paul

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
mhellman Fri, 05/25/2007 - 04:50
User Badges:
  • Blue, 1500 points or more

Research the vulnerability and the signature. This isn't a DOS in the sense the it detects a flood of traffic. It detects the exploit, which results in a DOS. These are very likely false positives, but you should verify. If they are false positives, given that this is a 5 year old vulnerability...I would recommend just disabled/retiring the sig.

Actions

This Discussion