Sudden Windows DCOM Overflow flood

Unanswered Question
Jun 25th, 2008

Today, ips-4250-sx (not-in-line) upgraded from v6.0(4)E1 to 6.0(5)E2. (S335) to (S339)

1st appearance & flood of red alerts,

all internal sources and destinations:

1) Windows DCOM Overflow 0&1 subsigs: (1100src/100dst=86k total hits)

2) Netware LSASS CIFS.NLM Driver Overflow: (145src/140dst=2.5k total hits)

3) Print Spooler Service Overflow: (140src/75dst=2.4k total hits)

- hit accumulation in 7hrs since upgrade

Is there some signature tweaking to be done? or is it TAC time?

Anybody else experience this?

-thanks for any advice

Will

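A small triage helper, added here as an example and not part of the original thread, for the kind of post-upgrade alert storm Will describes: it rolls the sensor's alerts up per signature (total hits, distinct sources and destinations, as in the 1100src/100dst style counts above) and flags signatures that only began firing after the upgrade, fire exclusively between internal hosts, and come from many distinct sources. The alert lines, the upgrade timestamp, the 10.0.0.0/8 internal range and the line format are all constructed assumptions; the signature IDs are the ones named later in the thread.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (assumed format): timestamp, sigid.subsig, src, dst
SAMPLE_ALERTS = """\
2008-06-25T09:02:11 5588.0 10.1.4.22 10.1.0.5
2008-06-25T09:02:12 5588.0 10.1.4.23 10.1.0.5
2008-06-25T09:02:12 5588.1 10.1.7.90 10.1.0.6
2008-06-25T09:02:15 5588.1 10.1.7.91 10.1.0.6
2008-06-25T09:03:40 6769.0 10.2.3.4 10.1.0.5
2008-06-25T09:03:41 6769.0 10.2.3.5 10.1.0.5
2008-06-25T09:05:01 5565.4 10.1.4.22 10.1.0.9
2008-06-25T07:10:00 3030.0 203.0.113.7 10.1.0.5
2008-06-25T09:10:00 3030.0 203.0.113.8 10.1.0.5
"""
UPGRADE_TIME = datetime(2008, 6, 25, 8, 0, 0)      # assumed sensor upgrade time
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal address space


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def summarize(text):
    """Per signature: hit count, distinct src/dst, whether every hit was
    internal-to-internal, and the earliest time it fired."""
    stats = defaultdict(lambda: {"hits": 0, "src": set(), "dst": set(),
                                 "all_internal": True, "first": None})
    for line in text.splitlines():
        ts, sig, src, dst = line.split()
        t = datetime.fromisoformat(ts)
        s = stats[sig]
        s["hits"] += 1
        s["src"].add(src)
        s["dst"].add(dst)
        s["all_internal"] = s["all_internal"] and is_internal(src) and is_internal(dst)
        s["first"] = t if s["first"] is None else min(s["first"], t)
    return dict(stats)


def fp_candidates(stats, upgrade_time=UPGRADE_TIME, min_src=2):
    """Signatures that first fired after the upgrade, only between internal
    hosts, and from at least min_src sources: verify these before treating
    them as real attacks (raise min_src to hundreds on real volumes)."""
    return sorted(sig for sig, s in stats.items()
                  if s["first"] >= upgrade_time and s["all_internal"]
                  and len(s["src"]) >= min_src)
```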
rnaydenov Wed, 06/25/2008 - 23:25

I had the same issue. Just disabled the new signature and wait for better days. As of the new signature set 341 I see 3 new signatures already disabled. I guess with the next update these new ones that give us headaches will be tuned also.

soc_admin Thu, 06/26/2008 - 00:36

Hi Will,

Yes, the same signatures are firing after S339 and the Engine Update! I am quite sure that these are false positives because Windows DCOM BO fires against Domain Controllers (I checked and they are healthy). Moreover these sig.s started firing just after the update!

I think Cisco is going to tune S339 sig.s.

Anybody else experience this?

Marco

shivapd Thu, 06/26/2008 - 06:43

Hi Will,

The IPS team is aware of this issue and investigating. An upcoming sig update will address these sigs.

- Shiva

wgorman Thu, 06/26/2008 - 07:24

Shiva,

What is your recommendation?

disable or not

What is the ETA for the sig update?

thanks.

-Will

craiwill Fri, 06/27/2008 - 11:12

We believe we've identified an engine issue that affects signatures 5588-0,1 and 6769-0. It looks like the easiest workaround is to just add the parameter smb command: 37 to the signatures. Due to the nature of the issue, detection should not be affected in a negative way. We plan to ship this change in a signature update next week.

Farrukh Haroon Fri, 08/29/2008 - 05:29

All of these were fixed in S342 I think:

The S342 signature update contains the following modified signatures:

PLATFORM  SIGID   SIGNAME                                   ENGINE                SEVERITY  ENABLED  DDTS
5.x, 6.x  5565.4  Print Spooler Service Overflow            SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.0  Windows DCOM Overflow                     SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.1  Windows DCOM Overflow                     SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  6769.0  Netware LSASS CIFS.NLM Driver Overflow    SERVICE-SMB-ADVANCED  High      True     CSCsq99671

regards

Farrukh
