Sudden Windows DCOM Overflow flood

Jun 25th, 2008

Today, ips-4250-sx (not inline) was upgraded from v6.0(4)E1 to 6.0(5)E2, (S335) to (S339).

First appearance and flood of red alerts, all internal sources and destinations:

1) Windows DCOM Overflow, subsigs 0 & 1: (1100 src / 100 dst = 86k total hits)

2) Netware LSASS CIFS.NLM Driver Overflow: (145 src / 140 dst = 2.5k total hits)

3) Print Spooler Service Overflow: (140 src / 75 dst = 2.4k total hits)

- hit accumulation in the 7 hrs since the upgrade


Is there some signature tweaking to be done, or is it TAC time?


Anybody else experience this?


- thanks for any advice


Will




rnaydenov Wed, 06/25/2008 - 23:25

I had the same issue. Just disabled the new signatures and am waiting for better days. As of the new signature set 341, I see 3 new signatures already disabled. I guess with the next update these new ones that give us headaches will be tuned also.

soc_admin Thu, 06/26/2008 - 00:36

Hi Will,


Yes, the same signatures are firing after S339 and the engine update! I am quite sure that these are false positives because Windows DCOM BO fires against domain controllers (I checked and they are healthy). Moreover, these sigs started firing just after the update!

I think Cisco is going to tune the S339 sigs.


Anybody else experience this?


Marco

shivapd Thu, 06/26/2008 - 06:43
User Badges: Cisco Employee

Hi Will,


The IPS team is aware of this issue and investigating. An upcoming sig update will address these sigs.


- Shiva

wgorman Thu, 06/26/2008 - 07:24

Shiva,

What is your recommendation: disable or not?

What is the ETA for the sig update?


thanks.


-Will

andytmn Fri, 06/27/2008 - 06:37

I got the same problem after upgrading to 5.1.7E2.

craiwill Fri, 06/27/2008 - 11:12
User Badges: Cisco Employee

We believe we've identified an engine issue that affects signatures 5588-0,1 and 6769-0. It looks like the easiest workaround is to just add the parameter "smb command: 37" to the signatures. Due to the nature of the issue, detection should not be affected in a negative way. We plan to ship this change in a signature update next week.

david.enenkel Fri, 08/29/2008 - 05:12

How about No. 3, the Print Spooler Overflow, sig 5565? Same workaround?

Farrukh Haroon Fri, 08/29/2008 - 05:29
User Badges: Red, 2250 points or more

All of these were fixed in S342, I think:


The S342 signature update contains the following modified signatures:

PLATFORM  SIGID   SIGNAME                                 ENGINE                SEVERITY  ENABLED  DDTS
5.x, 6.x  5565.4  Print Spooler Service Overflow          SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.0  Windows DCOM Overflow                   SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.1  Windows DCOM Overflow                   SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  6769.0  Netware LSASS CIFS.NLM Driver Overflow  SERVICE-SMB-ADVANCED  High      True     CSCsq99671


regards


Farrukh
